From b426381567e577d2a18ca5e4a4ec884bc9737245 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 22 Aug 2023 02:44:22 +0100 Subject: [PATCH] Update to jdk-21.0.0+35 Update system crypto policy & FIPS patch from new fips-21u tree Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal Drop fakefeaturever now it is no longer needed Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball Use upstream release URL for OpenJDK source Re-enable tzdata tests now we are on the latest JDK and things are back in sync Install jaxp.properties introduced by JDK-8303530 Install lible.so introduced by JDK-8306983 Related: RHEL-12998 Resolves: RHEL-41087 --- .gitignore | 1 + ...3d95b5.patch => fips-21u-75ffdc48eda.patch | 1255 +++++++++++++---- generate_source_tarball.sh | 76 +- java-21-openjdk-portable.specfile | 77 +- java-21-openjdk.spec | 111 +- sources | 2 +- 6 files changed, 1126 insertions(+), 396 deletions(-) rename fips-20u-fd3de3d95b5.patch => fips-21u-75ffdc48eda.patch (77%) diff --git a/.gitignore b/.gitignore index 522e355..680b3ee 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ /openjdk-jdk20u-jdk-20+36.tar.xz /openjdk-jdk20u-jdk-20.0.1+9.tar.xz /openjdk-jdk20u-jdk-20.0.2+9.tar.xz +/openjdk-jdk21u-jdk-21+35.tar.xz diff --git a/fips-20u-fd3de3d95b5.patch b/fips-21u-75ffdc48eda.patch similarity index 77% rename from fips-20u-fd3de3d95b5.patch rename to fips-21u-75ffdc48eda.patch index c36a5b6..8413fe1 100644 --- a/fips-20u-fd3de3d95b5.patch +++ b/fips-21u-75ffdc48eda.patch @@ -1,9 +1,33 @@ +diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 +index 5f4b22bb27f..1ca9f5b8ffe 100644 +--- a/make/autoconf/build-aux/pkg.m4 ++++ b/make/autoconf/build-aux/pkg.m4 +@@ -179,3 +179,19 @@ else + ifelse([$3], , :, [$3]) + fi[]dnl + ])# PKG_CHECK_MODULES ++ ++dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, ++dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) ++dnl ------------------------------------------- ++dnl Since: 0.28 ++dnl ++dnl Retrieves the value of the pkg-config variable for the given module. ++AC_DEFUN([PKG_CHECK_VAR], ++[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl ++AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl ++ ++_PKG_CONFIG([$1], [variable="][$3]["], [$2]) ++AS_VAR_COPY([$1], [pkg_cv_][$1]) ++ ++AS_VAR_IF([$1], [""], [$5], [$4])dnl ++])dnl PKG_CHECK_VAR diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 new file mode 100644 -index 00000000000..b2b1c1787da +index 00000000000..f48fc7f7e80 --- /dev/null +++ b/make/autoconf/lib-sysconf.m4 -@@ -0,0 +1,84 @@ +@@ -0,0 +1,87 @@ +# +# Copyright (c) 2021, Red Hat, Inc. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -38,8 +62,10 @@ index 00000000000..b2b1c1787da + # + # Check for the NSS library + # ++ AC_MSG_CHECKING([for NSS library directory]) ++ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) + -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) + + # default is not available + DEFAULT_SYSCONF_NSS=no @@ -87,9 +113,10 @@ index 00000000000..b2b1c1787da + fi + fi + AC_SUBST(USE_SYSCONF_NSS) ++ AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index 7a1d8d80bb2..1807cb71073 100644 +index a1fc81564b1..ebad69d9dcf 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 @@ -35,6 +35,7 @@ m4_include([lib-std.m4]) @@ -100,31 +127,54 @@ index 7a1d8d80bb2..1807cb71073 100644 ################################################################################ # Determine which libraries are needed for this configuration -@@ -107,6 +108,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], +@@ -134,6 +135,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], LIB_SETUP_X11 LIB_TESTS_SETUP_GTEST + LIB_SETUP_SYSCONF_LIBS BASIC_JDKLIB_LIBS="" - if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then + BASIC_JDKLIB_LIBS_TARGET="" diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index 9448cb9b7e8..8d3d931e951 100644 +index 0f85917814e..9419562b654 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -859,6 +859,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -867,6 +867,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ +NSS_LIBS:=@NSS_LIBS@ +NSS_CFLAGS:=@NSS_CFLAGS@ ++NSS_LIBDIR:=@NSS_LIBDIR@ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk +index 9e5cfe2d0fc..434ade8e182 100644 +--- a/make/modules/java.base/Gendata.gmk ++++ b/make/modules/java.base/Gendata.gmk +@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST + TARGETS += $(GENDATA_JAVA_SECURITY) + + ################################################################################ ++ ++GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in ++GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg ++ ++$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) ++ $(call LogInfo, Generating nss.fips.cfg) ++ $(call MakeTargetDir) ++ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ ++ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ ++ ) ++ ++TARGETS += $(GENDATA_NSS_FIPS_CFG) ++ ++################################################################################ diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 3b782577258..f515b0ba241 100644 +index 1e0f66726d0..59fe923f2c5 100644 --- a/make/modules/java.base/Lib.gmk +++ b/make/modules/java.base/Lib.gmk @@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) @@ -158,7 +208,7 @@ index 3b782577258..f515b0ba241 100644 # Create the symbols file for static builds. diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -index 38836d2701e..d967010b848 100644 +index 10093137151..b023c63ae58 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java @@ -31,6 +31,7 @@ import java.security.SecureRandom; @@ -169,7 +219,7 @@ index 38836d2701e..d967010b848 100644 import static sun.security.util.SecurityConstants.PROVIDER_VER; import static sun.security.util.SecurityProviderConstants.*; -@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*; +@@ -82,6 +83,10 @@ import static sun.security.util.SecurityProviderConstants.*; public final class SunJCE extends Provider { @@ -180,7 +230,7 @@ index 38836d2701e..d967010b848 100644 @java.io.Serial private static final long serialVersionUID = 6812507587804302833L; -@@ -143,285 +148,287 @@ public final class SunJCE extends Provider { +@@ -147,298 +152,299 @@ public final class SunJCE extends Provider { void putEntries() { // reuse attribute map and reset before each reuse HashMap attrs = new HashMap<>(3); @@ -388,6 +438,13 @@ index 38836d2701e..d967010b848 100644 - ps("Cipher", "PBEWithHmacSHA512AndAES_128", - "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); - +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); +- +- - ps("Cipher", "PBEWithHmacSHA1AndAES_256", - "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); - @@ -403,6 +460,12 @@ index 38836d2701e..d967010b848 100644 - ps("Cipher", "PBEWithHmacSHA512AndAES_256", - "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); - +- ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); +- - /* - * Key(pair) Generator engines - */ @@ -668,6 +731,12 @@ index 38836d2701e..d967010b848 100644 + ps("Cipher", "PBEWithHmacSHA512AndAES_128", + "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); + ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_128"); ++ + ps("Cipher", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); + @@ -683,6 +752,12 @@ index 38836d2701e..d967010b848 100644 + ps("Cipher", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); + ++ ps("Cipher", "PBEWithHmacSHA512/224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512/256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512_256AndAES_256"); ++ + /* + * Key(pair) Generator engines + */ @@ -747,7 +822,7 @@ index 38836d2701e..d967010b848 100644 /* * Algorithm parameter generation engines -@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { +@@ -447,15 +453,17 @@ public final class SunJCE extends Provider { "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", null); @@ -774,9 +849,22 @@ index 38836d2701e..d967010b848 100644 /* * Algorithm Parameter engines -@@ -610,118 +619,120 @@ public final class SunJCE extends Provider { - ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", - "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); +@@ -625,10 +633,10 @@ public final class SunJCE extends Provider { + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_224AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_128"); + + ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +@@ -651,136 +659,137 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512/256AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512_256AndAES_256"); - // PBKDF2 - psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", @@ -790,6 +878,10 @@ index 38836d2701e..d967010b848 100644 - "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); - ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", - "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); - - /* - * MAC @@ -854,6 +946,11 @@ index 38836d2701e..d967010b848 100644 - "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); - ps("Mac", "PBEWithHmacSHA512", - "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); +- ps("Mac", "PBEWithHmacSHA512/256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); +- - ps("Mac", "SslMacMD5", - "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); - ps("Mac", "SslMacSHA1", @@ -866,6 +963,15 @@ index 38836d2701e..d967010b848 100644 - "com.sun.crypto.provider.JceKeyStore"); - - /* +- * KEMs +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + +- "|java.security.interfaces.XECKey"); +- ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); +- +- /* - * SSL/TLS mechanisms - * - * These are strictly internal implementations and may @@ -903,6 +1009,10 @@ index 38836d2701e..d967010b848 100644 + "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); + ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", + "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512/256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512_256"); + + /* + * MAC @@ -955,7 +1065,6 @@ index 38836d2701e..d967010b848 100644 + "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", + null, attrs); + -+ + // PBMAC1 + ps("Mac", "PBEWithHmacSHA1", + "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); @@ -967,6 +1076,11 @@ index 38836d2701e..d967010b848 100644 + "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); + ps("Mac", "PBEWithHmacSHA512", + "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512/256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512_256", null, attrs); ++ + ps("Mac", "SslMacMD5", + "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); + ps("Mac", "SslMacSHA1", @@ -979,6 +1093,15 @@ index 38836d2701e..d967010b848 100644 + "com.sun.crypto.provider.JceKeyStore"); + + /* ++ * KEMs ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("SupportedKeyClasses", "java.security.interfaces.ECKey" + ++ "|java.security.interfaces.XECKey"); ++ ps("KEM", "DHKEM", "com.sun.crypto.provider.DHKEM", null, attrs); ++ ++ /* + * SSL/TLS mechanisms + * + * These are strictly internal implementations and may @@ -1008,7 +1131,7 @@ index 38836d2701e..d967010b848 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index 257dc172ee2..35cea6c54e7 100644 +index 671529f71a1..af632936921 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -34,6 +34,7 @@ import java.net.URL; @@ -1406,7 +1529,7 @@ index 00000000000..3f3caac64dc + boolean isPlainKeySupportEnabled(); +} diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index cf76aa9ff94..9ecb14db126 100644 +index 919d758a6e3..b1e5fbaf84a 100644 --- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java @@ -43,6 +43,7 @@ import java.io.PrintStream; @@ -1417,15 +1540,15 @@ index cf76aa9ff94..9ecb14db126 100644 import java.security.Signature; /** A repository of "shared secrets", which are a mechanism for -@@ -89,6 +90,7 @@ public class SharedSecrets { - private static JavaSecuritySpecAccess javaSecuritySpecAccess; +@@ -90,6 +91,7 @@ public class SharedSecrets { private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; + private static JavaTemplateAccess javaTemplateAccess; + private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { javaUtilCollectionAccess = juca; -@@ -521,4 +523,15 @@ public class SharedSecrets { +@@ -537,4 +539,15 @@ public class SharedSecrets { MethodHandles.lookup().ensureInitialized(c); } catch (IllegalAccessException e) {} } @@ -1442,10 +1565,10 @@ index cf76aa9ff94..9ecb14db126 100644 + } } diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index d985dec174f..a5b9cbf7fbc 100644 +index 06b141dcf22..e8cbf7f15d7 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java -@@ -163,6 +163,7 @@ module java.base { +@@ -158,6 +158,7 @@ module java.base { java.naming, java.rmi, jdk.charsets, @@ -1454,7 +1577,7 @@ index d985dec174f..a5b9cbf7fbc 100644 jdk.jlink, jdk.jfr, diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 0d4ae1019e1..e839866a28c 100644 +index f036a411f1d..1e9de933bd9 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -38,6 +38,7 @@ import java.util.HashMap; @@ -1476,7 +1599,7 @@ index 0d4ae1019e1..e839866a28c 100644 // the default algo used by SecureRandom class for new SecureRandom() calls public static final String DEF_SECURE_RANDOM_ALGO; -@@ -102,99 +107,101 @@ public final class SunEntries { +@@ -102,89 +107,92 @@ public final class SunEntries { // common attribute map HashMap attrs = new HashMap<>(3); @@ -1540,8 +1663,6 @@ index 0d4ae1019e1..e839866a28c 100644 - "sun.security.provider.DSA$SHA3_384withDSA", attrs); - addWithAlias(p, "Signature", "SHA3-512withDSA", - "sun.security.provider.DSA$SHA3_512withDSA", attrs); -- -- attrs.remove("KeySize"); + if (!systemFipsEnabled) { + /* + * SecureRandom engines @@ -1564,32 +1685,7 @@ index 0d4ae1019e1..e839866a28c 100644 + add(p, "SecureRandom", "SHA1PRNG", + "sun.security.provider.SecureRandom", attrs); -- add(p, "Signature", "SHA1withDSAinP1363Format", -- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -- add(p, "Signature", "NONEwithDSAinP1363Format", -- "sun.security.provider.DSA$RawDSAinP1363Format"); -- add(p, "Signature", "SHA224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -- add(p, "Signature", "SHA256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -- add(p, "Signature", "SHA384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -- add(p, "Signature", "SHA512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -- add(p, "Signature", "SHA3-224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -- add(p, "Signature", "SHA3-256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -- add(p, "Signature", "SHA3-384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -- add(p, "Signature", "SHA3-512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -- /* -- * Key Pair Generator engines -- */ -- attrs.clear(); -- attrs.put("ImplementedIn", "Software"); -- attrs.put("KeySize", "2048"); // for DSA KPG and APG only +- attrs.remove("KeySize"); + /* + * Signature engines + */ @@ -1652,16 +1748,39 @@ index 0d4ae1019e1..e839866a28c 100644 + "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); + add(p, "Signature", "SHA3-512withDSAinP1363Format", + "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ /* -+ * Key Pair Generator engines -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ } + + attrs.clear(); + attrs.put("ImplementedIn", "Software"); +@@ -196,9 +204,11 @@ public final class SunEntries { + attrs.put("ImplementedIn", "Software"); + attrs.put("KeySize", "2048"); // for DSA KPG and APG only - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ if (!systemFipsEnabled) { + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); @@ -1669,7 +1788,7 @@ index 0d4ae1019e1..e839866a28c 100644 /* * Algorithm Parameter Generator engines -@@ -209,42 +216,44 @@ public final class SunEntries { +@@ -213,44 +223,46 @@ public final class SunEntries { addWithAlias(p, "AlgorithmParameters", "DSA", "sun.security.provider.DSAParameters", attrs); @@ -1678,6 +1797,8 @@ index 0d4ae1019e1..e839866a28c 100644 - */ - addWithAlias(p, "KeyFactory", "DSA", - "sun.security.provider.DSAKeyFactory", attrs); +- addWithAlias(p, "KeyFactory", "HSS/LMS", +- "sun.security.provider.HSS$KeyFactoryImpl", attrs); - - /* - * Digest engines @@ -1694,6 +1815,8 @@ index 0d4ae1019e1..e839866a28c 100644 + */ + addWithAlias(p, "KeyFactory", "DSA", + "sun.security.provider.DSAKeyFactory", attrs); ++ addWithAlias(p, "KeyFactory", "HSS/LMS", ++ "sun.security.provider.HSS$KeyFactoryImpl", attrs); - addWithAlias(p, "MessageDigest", "SHA-224", - "sun.security.provider.SHA2$SHA224", attrs); @@ -1750,7 +1873,7 @@ index 0d4ae1019e1..e839866a28c 100644 /* * Certificates diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index 539ef1e8ee8..7662684797e 100644 +index 539ef1e8ee8..435f57e3ff2 100644 --- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java @@ -27,6 +27,7 @@ package sun.security.rsa; @@ -1772,19 +1895,7 @@ index 539ef1e8ee8..7662684797e 100644 private void add(Provider p, String type, String algo, String cn, List aliases, HashMap attrs) { services.add(new Provider.Service(p, type, algo, cn, -@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { - // start populating content using the specified provider - // common attribute map - HashMap attrs = new HashMap<>(3); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ } - +@@ -63,42 +68,49 @@ public final class SunRsaSignEntries { add(p, "KeyFactory", "RSA", "sun.security.rsa.RSAKeyFactory$Legacy", getAliases("PKCS1"), null); @@ -1867,139 +1978,11 @@ index 539ef1e8ee8..7662684797e 100644 addA(p, "AlgorithmParameters", "RSASSA-PSS", "sun.security.rsa.PSSParameters", null); } -diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -index a9f97c76cb9..3571778367f 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -@@ -32,6 +32,7 @@ import java.security.cert.*; - import java.util.*; - import java.util.concurrent.locks.ReentrantLock; - import javax.net.ssl.*; -+import jdk.internal.access.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -530,22 +531,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { - private static final List serverDefaultCipherSuites; - - static { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10, -- ProtocolVersion.SSL30, -- ProtocolVersion.SSL20Hello -- ); -- -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10, -+ ProtocolVersion.SSL30, -+ ProtocolVersion.SSL20Hello -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - - supportedCipherSuites = getApplicableSupportedCipherSuites( - supportedProtocols); -@@ -836,12 +855,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { - ProtocolVersion[] candidates; - if (refactored.isEmpty()) { - // Client and server use the same default protocols. -- candidates = new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }; -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } else { -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - } else { - // Use the customized TLS protocols. - candidates = -diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -index 894e26dfad8..8b16378b96b 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -@@ -27,6 +27,8 @@ package sun.security.ssl; - - import java.security.*; - import java.util.*; -+ -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - - /** -@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider { - "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); - ps("SSLContext", "TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); -- ps("SSLContext", "TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ ps("SSLContext", "TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ } - ps("SSLContext", "TLS", - "sun.security.ssl.SSLContextImpl$TLSContext", - List.of("SSL"), null); diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 8156eea7e11..6a7f6eeafcc 100644 +index 5149edba0e5..8227d650a03 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security -@@ -85,6 +85,16 @@ security.provider.tbd=Apple +@@ -85,6 +85,17 @@ security.provider.tbd=Apple #endif security.provider.tbd=SunPKCS11 @@ -2012,23 +1995,60 @@ index 8156eea7e11..6a7f6eeafcc 100644 +fips.provider.4=SunJSSE +fips.provider.5=SunJCE +fips.provider.6=SunRsaSign ++fips.provider.7=XMLDSig + # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. -@@ -295,6 +305,11 @@ policy.ignoreIdentityScope=false +@@ -295,6 +306,47 @@ policy.ignoreIdentityScope=false # keystore.type=pkcs12 +# +# Default keystore type used when global crypto-policies are set to FIPS. +# -+fips.keystore.type=PKCS11 ++fips.keystore.type=pkcs12 ++ ++# ++# Location of the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# The syntax for this property is identical to the 'nssSecmodDirectory' ++# attribute available in the SunPKCS11 NSS configuration file. Use the ++# 'sql:' prefix to refer to an SQLite DB. ++# ++# If the system property fips.nssdb.path is also specified, it supersedes ++# the security property value defined here. ++# ++# Note: the default value for this property points to an NSS DB that might be ++# readable by multiple operating system users and unsuitable to store keys. ++# ++fips.nssdb.path=sql:/etc/pki/nssdb ++ ++# ++# PIN for the NSS DB keystore (PKCS11) in FIPS mode. ++# ++# Values must take any of the following forms: ++# 1) pin: ++# Value: clear text PIN value. ++# 2) env: ++# Value: environment variable containing the PIN value. ++# 3) file: ++# Value: path to a file containing the PIN value in its first ++# line. ++# ++# If the system property fips.nssdb.pin is also specified, it supersedes ++# the security property value defined here. ++# ++# When used as a system property, UTF-8 encoded values are valid. When ++# used as a security property (such as in this file), encode non-Basic ++# Latin Unicode characters with \uXXXX. ++# ++fips.nssdb.pin=pin: + # # Controls compatibility mode for JKS and PKCS12 keystore types. # -@@ -332,6 +347,13 @@ package.definition=sun.misc.,\ +@@ -332,6 +384,13 @@ package.definition=sun.misc.,\ # security.overridePropertiesFile=true @@ -2042,11 +2062,25 @@ index 8156eea7e11..6a7f6eeafcc 100644 # # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. +diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in +new file mode 100644 +index 00000000000..55bbba98b7a +--- /dev/null ++++ b/src/java.base/share/conf/security/nss.fips.cfg.in +@@ -0,0 +1,8 @@ ++name = NSS-FIPS ++nssLibraryDirectory = @NSS_LIBDIR@ ++nssSecmodDirectory = ${fips.nssdb.path} ++nssDbMode = readWrite ++nssModule = fips ++ ++attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } ++ diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index 2a01c06250a..aea4620b1ab 100644 +index 86d45147709..22fd8675503 100644 --- a/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy -@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.charsets" { +@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.charsets" { grant codeBase "jrt:/jdk.crypto.ec" { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; @@ -2054,6 +2088,15 @@ index 2a01c06250a..aea4620b1ab 100644 permission java.lang.RuntimePermission "loadLibrary.sunec"; permission java.security.SecurityPermission "putProviderProperty.SunEC"; permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -150,6 +151,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read"; ++ permission java.util.PropertyPermission "fips.nssdb.path", "read,write"; ++ permission java.util.PropertyPermission "fips.nssdb.pin", "read"; + permission java.security.SecurityPermission "putProviderProperty.*"; + permission java.security.SecurityPermission "clearProviderProperties.*"; + permission java.security.SecurityPermission "removeProviderProperty.*"; diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c new file mode 100644 index 00000000000..ddf9befe5bc @@ -2298,10 +2341,10 @@ index 00000000000..ddf9befe5bc +#endif diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java new file mode 100644 -index 00000000000..52a403107c3 +index 00000000000..48d6d656a28 --- /dev/null +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,461 @@ +@@ -0,0 +1,457 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -2376,9 +2419,6 @@ index 00000000000..52a403107c3 + private static volatile Provider sunECProvider = null; + private static final ReentrantLock sunECProviderLock = new ReentrantLock(); + -+ private static volatile KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ + static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) + throws PKCS11Exception { + long keyID = -1; @@ -2623,8 +2663,7 @@ index 00000000000..52a403107c3 + CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, + CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); + RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( -+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey -+ ); ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); + CK_ATTRIBUTE attr; + if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { + attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); @@ -2763,8 +2802,164 @@ index 00000000000..52a403107c3 + } + } +} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +new file mode 100644 +index 00000000000..f8d505ca815 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java +@@ -0,0 +1,149 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.io.BufferedReader; ++import java.io.ByteArrayInputStream; ++import java.io.InputStream; ++import java.io.InputStreamReader; ++import java.io.IOException; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.nio.file.Paths; ++import java.nio.file.StandardOpenOption; ++import java.security.ProviderException; ++ ++import javax.security.auth.callback.Callback; ++import javax.security.auth.callback.CallbackHandler; ++import javax.security.auth.callback.PasswordCallback; ++import javax.security.auth.callback.UnsupportedCallbackException; ++ ++import sun.security.util.Debug; ++import sun.security.util.SecurityProperties; ++ ++final class FIPSTokenLoginHandler implements CallbackHandler { ++ ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ ++ private static final Debug debug = Debug.getInstance("sunpkcs11"); ++ ++ public void handle(Callback[] callbacks) ++ throws IOException, UnsupportedCallbackException { ++ if (!(callbacks[0] instanceof PasswordCallback)) { ++ throw new UnsupportedCallbackException(callbacks[0]); ++ } ++ PasswordCallback pc = (PasswordCallback)callbacks[0]; ++ pc.setPassword(getFipsNssdbPin()); ++ } ++ ++ private static char[] getFipsNssdbPin() throws ProviderException { ++ if (debug != null) { ++ debug.println("FIPS: Reading NSS DB PIN for token..."); ++ } ++ String pinProp = SecurityProperties ++ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); ++ if (pinProp != null && !pinProp.isEmpty()) { ++ String[] pinPropParts = pinProp.split(":", 2); ++ if (pinPropParts.length < 2) { ++ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + ++ " property value."); ++ } ++ String prefix = pinPropParts[0].toLowerCase(); ++ String value = pinPropParts[1]; ++ String pin = null; ++ if (prefix.equals("env")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' environment variable."); ++ } ++ pin = System.getenv(value); ++ } else if (prefix.equals("file")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the '" + value + ++ "' file."); ++ } ++ pin = getPinFromFile(Paths.get(value)); ++ } else if (prefix.equals("pin")) { ++ if (debug != null) { ++ debug.println("FIPS: PIN value from the " + ++ FIPS_NSSDB_PIN_PROP + " property."); ++ } ++ pin = value; ++ } else { ++ throw new ProviderException("Unsupported prefix for " + ++ FIPS_NSSDB_PIN_PROP + "."); ++ } ++ if (pin != null && !pin.isEmpty()) { ++ if (debug != null) { ++ debug.println("FIPS: non-empty PIN."); ++ } ++ /* ++ * C_Login in libj2pkcs11 receives the PIN in a char[] and ++ * discards the upper byte of each char, before passing ++ * the value to the NSS Software Token. However, the ++ * NSS Software Token accepts any UTF-8 PIN value. Thus, ++ * expand the PIN here to account for later truncation. ++ */ ++ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ return pinChar; ++ } ++ } ++ if (debug != null) { ++ debug.println("FIPS: empty PIN."); ++ } ++ return null; ++ } ++ ++ /* ++ * This method extracts the token PIN from the first line of a password ++ * file in the same way as NSS modutil. See for example the -newpwfile ++ * argument used to change the password for an NSS DB. ++ */ ++ private static String getPinFromFile(Path f) throws ProviderException { ++ try (InputStream is = ++ Files.newInputStream(f, StandardOpenOption.READ)) { ++ /* ++ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, ++ * reads up to 4096 bytes. In addition, the NSS Software Token ++ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN ++ * in nss/lib/softoken/pkcs11i.h). ++ */ ++ BufferedReader in = ++ new BufferedReader(new InputStreamReader( ++ new ByteArrayInputStream(is.readNBytes(4096)), ++ StandardCharsets.UTF_8)); ++ return in.readLine(); ++ } catch (IOException ioe) { ++ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + ++ " from the '" + f + "' file.", ioe); ++ } ++ } ++} +\ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index af6fbeba48a..a20278cb683 100644 +index 6b26297b1b4..7ee5e07756c 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -2786,7 +2981,7 @@ index af6fbeba48a..a20278cb683 100644 private static final String PUBLIC = "public"; private static final String PRIVATE = "private"; private static final String SECRET = "secret"; -@@ -391,8 +396,10 @@ abstract class P11Key implements Key, Length { +@@ -401,8 +406,10 @@ abstract class P11Key implements Key, Length { new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); @@ -2799,7 +2994,7 @@ index af6fbeba48a..a20278cb683 100644 return switch (algorithm) { case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, -@@ -444,7 +451,8 @@ abstract class P11Key implements Key, Length { +@@ -454,7 +461,8 @@ abstract class P11Key implements Key, Length { public String getFormat() { token.ensureValid(); @@ -2809,13 +3004,13 @@ index af6fbeba48a..a20278cb683 100644 return null; } else { return "RAW"; -@@ -1575,4 +1583,3 @@ final class SessionKeyRef extends PhantomReference { +@@ -1624,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference { this.clear(); } } - diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 04a1a70ed23..a5c9b5fddf4 100644 +index 5cd6828d293..bae49c4e8a9 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -2828,7 +3023,7 @@ index 04a1a70ed23..a5c9b5fddf4 100644 import java.util.*; import java.security.*; -@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback; +@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback; import com.sun.crypto.provider.ChaCha20Poly1305Parameters; @@ -2836,7 +3031,12 @@ index 04a1a70ed23..a5c9b5fddf4 100644 import jdk.internal.misc.InnocuousThread; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; -@@ -65,6 +69,37 @@ public final class SunPKCS11 extends AuthProvider { + import static sun.security.util.SecurityConstants.PROVIDER_VER; ++import sun.security.util.SecurityProperties; + import static sun.security.util.SecurityProviderConstants.getAliases; + + import sun.security.pkcs11.Secmod.*; +@@ -65,6 +70,39 @@ public final class SunPKCS11 extends AuthProvider { @Serial private static final long serialVersionUID = -1354835039035306505L; @@ -2870,11 +3070,43 @@ index 04a1a70ed23..a5c9b5fddf4 100644 + fipsImportKey = fipsImportKeyTmp; + fipsExportKey = fipsExportKeyTmp; + } ++ ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; + static final Debug debug = Debug.getInstance("sunpkcs11"); // the PKCS11 object through which we make the native calls @SuppressWarnings("serial") // Type of field is not Serializable; -@@ -325,9 +360,19 @@ public final class SunPKCS11 extends AuthProvider { +@@ -123,6 +161,29 @@ public final class SunPKCS11 extends AuthProvider { + return AccessController.doPrivileged(new PrivilegedExceptionAction<>() { + @Override + public SunPKCS11 run() throws Exception { ++ if (systemFipsEnabled) { ++ /* ++ * The nssSecmodDirectory attribute in the SunPKCS11 ++ * NSS configuration file takes the value of the ++ * fips.nssdb.path System property after expansion. ++ * Security properties expansion is unsupported. ++ */ ++ String nssdbPath = ++ SecurityProperties.privilegedGetOverridable( ++ FIPS_NSSDB_PATH_PROP); ++ if (System.getSecurityManager() != null) { ++ AccessController.doPrivileged( ++ (PrivilegedAction) () -> { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, ++ nssdbPath); ++ return null; ++ }); ++ } else { ++ System.setProperty( ++ FIPS_NSSDB_PATH_PROP, nssdbPath); ++ } ++ } + return new SunPKCS11(new Config(newConfigName)); + } + }); +@@ -325,9 +386,19 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; @@ -2896,7 +3128,7 @@ index 04a1a70ed23..a5c9b5fddf4 100644 } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -342,8 +387,9 @@ public final class SunPKCS11 extends AuthProvider { +@@ -342,8 +413,9 @@ public final class SunPKCS11 extends AuthProvider { } else { initArgs.flags = 0; } @@ -2908,31 +3140,116 @@ index 04a1a70ed23..a5c9b5fddf4 100644 } p11 = tmpPKCS11; -@@ -383,6 +429,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); +@@ -1389,11 +1461,52 @@ public final class SunPKCS11 extends AuthProvider { + } + + @Override ++ @SuppressWarnings("removal") + public Object newInstance(Object param) + throws NoSuchAlgorithmException { + if (!token.isValid()) { + throw new NoSuchAlgorithmException("Token has been removed"); } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; ++ if (systemFipsEnabled && !token.fipsLoggedIn && ++ !getType().equals("KeyStore")) { ++ /* ++ * The NSS Software Token in FIPS 140-2 mode requires a ++ * user login for most operations. See sftk_fipsCheck ++ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore ++ * service, let the caller perform the login with ++ * KeyStore::load. Keytool, for example, does this to pass a ++ * PIN from either the -srcstorepass or -deststorepass ++ * argument. In case of a non-KeyStore service, perform the ++ * login now with the PIN available in the fips.nssdb.pin ++ * property. ++ */ + try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); ++ if (System.getSecurityManager() != null) { ++ try { ++ AccessController.doPrivileged( ++ (PrivilegedExceptionAction) () -> { ++ token.ensureLoggedIn(null); ++ return null; ++ }); ++ } catch (PrivilegedActionException pae) { ++ Exception e = pae.getException(); ++ if (e instanceof LoginException le) { ++ throw le; ++ } else if (e instanceof PKCS11Exception p11e) { ++ throw p11e; ++ } else { ++ throw new RuntimeException(e); ++ } ++ } ++ } else { ++ token.ensureLoggedIn(null); + } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); ++ } catch (PKCS11Exception | LoginException e) { ++ throw new ProviderException("FIPS: error during the Token" + ++ " login required for the " + getType() + ++ " service.", e); + } + } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException + try { + return newInstance0(param); + } catch (PKCS11Exception e) { +@@ -1750,6 +1863,9 @@ public final class SunPKCS11 extends AuthProvider { + try { + session = token.getOpSession(); + p11.C_Logout(session.id()); ++ if (systemFipsEnabled) { ++ token.fipsLoggedIn = false; ++ } + if (debug != null) { + debug.println("logout succeeded"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +index 3378409ca1c..7602a92a252 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +@@ -33,6 +33,7 @@ import java.lang.ref.*; + import java.security.*; + import javax.security.auth.login.LoginException; + ++import jdk.internal.access.SharedSecrets; + import sun.security.jca.JCAUtil; + + import sun.security.pkcs11.wrapper.*; +@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; + */ + final class Token implements Serializable { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + // need to be serializable to allow SecureRandom to be serialized + @Serial + private static final long serialVersionUID = 2541527649100571747L; +@@ -125,6 +129,10 @@ final class Token implements Serializable { + // flag indicating whether we are logged in + private volatile boolean loggedIn; + ++ // Flag indicating the login status for the NSS Software Token in FIPS mode. ++ // This Token is never asynchronously removed. Used from SunPKCS11. ++ volatile boolean fipsLoggedIn; ++ + // time we last checked login status + private long lastLoginCheck; + +@@ -242,7 +250,12 @@ final class Token implements Serializable { + // call provider.login() if not + void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException { + if (!isLoggedIn(session)) { +- provider.login(null, null); ++ if (systemFipsEnabled) { ++ provider.login(null, new FIPSTokenLoginHandler()); ++ fipsLoggedIn = true; ++ } else { ++ provider.login(null, null); ++ } + } + } + diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java index 4b06daaf264..55e14945469 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -3209,7 +3526,7 @@ index 920422376f8..6aa308fa5f8 100644 * Constructor taking the error code (the CKR_* constants in PKCS#11) and * extra info for error message. diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 3cfb74c8115..0e333d8ba74 100644 +index 7f8c4dba002..e65b11fc3ee 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java @@ -34,6 +34,7 @@ import java.security.ProviderException; @@ -3231,7 +3548,7 @@ index 3cfb74c8115..0e333d8ba74 100644 private static class ProviderServiceA extends ProviderService { ProviderServiceA(Provider p, String type, String algo, String cn, HashMap attrs) { -@@ -243,83 +248,85 @@ public final class SunEC extends Provider { +@@ -240,83 +245,85 @@ public final class SunEC extends Provider { putXDHEntries(); putEdDSAEntries(); @@ -3394,7 +3711,7 @@ index 3cfb74c8115..0e333d8ba74 100644 } private void putXDHEntries() { -@@ -336,23 +343,25 @@ public final class SunEC extends Provider { +@@ -333,23 +340,25 @@ public final class SunEC extends Provider { "X448", "sun.security.ec.XDHKeyFactory.X448", ATTRS)); @@ -3437,7 +3754,7 @@ index 3cfb74c8115..0e333d8ba74 100644 } private void putEdDSAEntries() { -@@ -367,21 +376,23 @@ public final class SunEC extends Provider { +@@ -364,21 +373,23 @@ public final class SunEC extends Provider { putService(new ProviderServiceA(this, "KeyFactory", "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); @@ -3476,3 +3793,441 @@ index 3cfb74c8115..0e333d8ba74 100644 } } +diff --git a/test/jdk/sun/security/pkcs11/fips/NssdbPin.java b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +new file mode 100644 +index 00000000000..ce01c655eb8 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/NssdbPin.java +@@ -0,0 +1,349 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.lang.reflect.Method; ++import java.nio.charset.StandardCharsets; ++import java.nio.file.Files; ++import java.nio.file.Path; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Security; ++import java.util.Arrays; ++import java.util.function.Consumer; ++import java.util.List; ++import javax.crypto.Cipher; ++import javax.crypto.spec.SecretKeySpec; ++ ++import jdk.test.lib.process.Proc; ++import jdk.test.lib.util.FileUtils; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @summary ++ * Test that the fips.nssdb.path and fips.nssdb.pin properties can be used ++ * for a successful login into an NSS DB. Some additional unitary testing ++ * is then performed. This test depends on NSS modutil and must be run in ++ * FIPS mode (the SunPKCS11-NSS-FIPS security provider has to be available). ++ * @modules jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @library /test/lib ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=600 NssdbPin ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class NssdbPin { ++ ++ // Public properties and names ++ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path"; ++ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; ++ private static final String FIPS_PROVIDER_NAME = "SunPKCS11-NSS-FIPS"; ++ private static final String NSSDB_TOKEN_NAME = ++ "NSS FIPS 140-2 Certificate DB"; ++ ++ // Data to be tested ++ private static final String[] PINS_TO_TEST = ++ new String[] { ++ "", ++ "1234567890abcdef1234567890ABCDEF\uA4F7" ++ }; ++ private static enum PropType { SYSTEM, SECURITY } ++ private static enum LoginType { IMPLICIT, EXPLICIT } ++ ++ // Internal test fields ++ private static final boolean DEBUG = true; ++ private static class TestContext { ++ String pin; ++ PropType propType; ++ Path workspace; ++ String nssdbPath; ++ Path nssdbPinFile; ++ LoginType loginType; ++ TestContext(String pin, Path workspace) { ++ this.pin = pin; ++ this.workspace = workspace; ++ this.nssdbPath = "sql:" + workspace; ++ this.loginType = LoginType.IMPLICIT; ++ } ++ } ++ ++ public static void main(String[] args) throws Throwable { ++ if (args.length == 3) { ++ // Executed by a child process. ++ mainChild(args[0], args[1], LoginType.valueOf(args[2])); ++ } else if (args.length == 0) { ++ // Executed by the parent process. ++ mainLauncher(); ++ // Test defaults ++ mainChild("sql:/etc/pki/nssdb", "", LoginType.IMPLICIT); ++ System.out.println("TEST PASS - OK"); ++ } else { ++ throw new Exception("Unexpected number of arguments."); ++ } ++ } ++ ++ private static void mainChild(String expectedPath, String expectedPin, ++ LoginType loginType) throws Throwable { ++ if (DEBUG) { ++ for (String prop : Arrays.asList(FIPS_NSSDB_PATH_PROP, ++ FIPS_NSSDB_PIN_PROP)) { ++ System.out.println(prop + " (System): " + ++ System.getProperty(prop)); ++ System.out.println(prop + " (Security): " + ++ Security.getProperty(prop)); ++ } ++ } ++ ++ /* ++ * Functional cross-test against an NSS DB generated by modutil ++ * with the same PIN. Check that we can perform a crypto operation ++ * that requires a login. The login might be explicit or implicit. ++ */ ++ Provider p = Security.getProvider(FIPS_PROVIDER_NAME); ++ if (DEBUG) { ++ System.out.println(FIPS_PROVIDER_NAME + ": " + p); ++ } ++ if (p == null) { ++ throw new Exception(FIPS_PROVIDER_NAME + " initialization failed."); ++ } ++ if (DEBUG) { ++ System.out.println("Login type: " + loginType); ++ } ++ if (loginType == LoginType.EXPLICIT) { ++ // Do the expansion to account for truncation, so C_Login in ++ // the NSS Software Token gets a UTF-8 encoded PIN. ++ byte[] pinUtf8 = expectedPin.getBytes(StandardCharsets.UTF_8); ++ char[] pinChar = new char[pinUtf8.length]; ++ for (int i = 0; i < pinChar.length; i++) { ++ pinChar[i] = (char)(pinUtf8[i] & 0xFF); ++ } ++ KeyStore.getInstance("PKCS11", p).load(null, pinChar); ++ if (DEBUG) { ++ System.out.println("Explicit login succeeded."); ++ } ++ } ++ if (DEBUG) { ++ System.out.println("Trying a crypto operation..."); ++ } ++ final int blockSize = 16; ++ Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", p); ++ cipher.init(Cipher.ENCRYPT_MODE, ++ new SecretKeySpec(new byte[blockSize], "AES")); ++ if (cipher.doFinal(new byte[blockSize]).length != blockSize) { ++ throw new Exception("Could not perform a crypto operation."); ++ } ++ if (DEBUG) { ++ if (loginType == LoginType.IMPLICIT) { ++ System.out.println("Implicit login succeeded."); ++ } ++ System.out.println("Crypto operation after login succeeded."); ++ } ++ ++ if (loginType == LoginType.IMPLICIT) { ++ /* ++ * Additional unitary testing. Expected to succeed at this point. ++ */ ++ if (DEBUG) { ++ System.out.println("Trying unitary test..."); ++ } ++ String sysPathProp = System.getProperty(FIPS_NSSDB_PATH_PROP); ++ if (DEBUG) { ++ System.out.println("Path value (as a System property): " + ++ sysPathProp); ++ } ++ if (!expectedPath.equals(sysPathProp)) { ++ throw new Exception("Path is different than expected: " + ++ sysPathProp + " (actual) vs " + expectedPath + ++ " (expected)."); ++ } ++ Class c = Class ++ .forName("sun.security.pkcs11.FIPSTokenLoginHandler"); ++ Method m = c.getDeclaredMethod("getFipsNssdbPin"); ++ m.setAccessible(true); ++ String pin = null; ++ char[] pinChar = (char[]) m.invoke(c); ++ if (pinChar != null) { ++ byte[] pinUtf8 = new byte[pinChar.length]; ++ for (int i = 0; i < pinUtf8.length; i++) { ++ pinUtf8[i] = (byte) pinChar[i]; ++ } ++ pin = new String(pinUtf8, StandardCharsets.UTF_8); ++ } ++ if (!expectedPin.isEmpty() && !expectedPin.equals(pin) || ++ expectedPin.isEmpty() && pin != null) { ++ throw new Exception("PIN is different than expected: '" + pin + ++ "' (actual) vs '" + expectedPin + "' (expected)."); ++ } ++ if (DEBUG) { ++ System.out.println("PIN value: " + pin); ++ System.out.println("Unitary test succeeded."); ++ } ++ } ++ } ++ ++ private static void mainLauncher() throws Throwable { ++ for (String pin : PINS_TO_TEST) { ++ Path workspace = Files.createTempDirectory(null); ++ try { ++ TestContext ctx = new TestContext(pin, workspace); ++ createNSSDB(ctx); ++ { ++ ctx.loginType = LoginType.IMPLICIT; ++ for (PropType propType : PropType.values()) { ++ ctx.propType = propType; ++ pinLauncher(ctx); ++ envLauncher(ctx); ++ fileLauncher(ctx); ++ } ++ } ++ explicitLoginLauncher(ctx); ++ } finally { ++ FileUtils.deleteFileTreeWithRetry(workspace); ++ } ++ } ++ } ++ ++ private static void pinLauncher(TestContext ctx) throws Throwable { ++ launchTest(p -> {}, "pin:" + ctx.pin, ctx); ++ } ++ ++ private static void envLauncher(TestContext ctx) throws Throwable { ++ final String NSSDB_PIN_ENV_VAR = "NSSDB_PIN_ENV_VAR"; ++ launchTest(p -> p.env(NSSDB_PIN_ENV_VAR, ctx.pin), ++ "env:" + NSSDB_PIN_ENV_VAR, ctx); ++ } ++ ++ private static void fileLauncher(TestContext ctx) throws Throwable { ++ // The file containing the PIN (ctx.nssdbPinFile) was created by the ++ // generatePinFile method, called from createNSSDB. ++ launchTest(p -> {}, "file:" + ctx.nssdbPinFile, ctx); ++ } ++ ++ private static void explicitLoginLauncher(TestContext ctx) ++ throws Throwable { ++ ctx.loginType = LoginType.EXPLICIT; ++ ctx.propType = PropType.SYSTEM; ++ launchTest(p -> {}, "Invalid PIN, must be ignored", ctx); ++ } ++ ++ private static void launchTest(Consumer procCb, String pinPropVal, ++ TestContext ctx) throws Throwable { ++ if (DEBUG) { ++ System.out.println("Launching JVM with " + FIPS_NSSDB_PATH_PROP + ++ "=" + ctx.nssdbPath + " and " + FIPS_NSSDB_PIN_PROP + ++ "=" + pinPropVal); ++ } ++ Proc p = Proc.create(NssdbPin.class.getName()) ++ .args(ctx.nssdbPath, ctx.pin, ctx.loginType.name()); ++ if (ctx.propType == PropType.SYSTEM) { ++ p.prop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ p.prop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ // Make sure that Security properties defaults are not used. ++ p.secprop(FIPS_NSSDB_PATH_PROP, ""); ++ p.secprop(FIPS_NSSDB_PIN_PROP, ""); ++ } else if (ctx.propType == PropType.SECURITY) { ++ p.secprop(FIPS_NSSDB_PATH_PROP, ctx.nssdbPath); ++ pinPropVal = escapeForPropsFile(pinPropVal); ++ p.secprop(FIPS_NSSDB_PIN_PROP, pinPropVal); ++ } else { ++ throw new Exception("Unsupported property type."); ++ } ++ if (DEBUG) { ++ p.inheritIO(); ++ p.prop("java.security.debug", "sunpkcs11"); ++ p.debug(NssdbPin.class.getName()); ++ ++ // Need the launched process to connect to a debugger? ++ //System.setProperty("test.vm.opts", "-Xdebug -Xrunjdwp:" + ++ // "transport=dt_socket,address=localhost:8000,suspend=y"); ++ } else { ++ p.nodump(); ++ } ++ procCb.accept(p); ++ p.start().waitFor(0); ++ } ++ ++ private static String escapeForPropsFile(String str) throws Throwable { ++ StringBuffer sb = new StringBuffer(); ++ for (int i = 0; i < str.length(); i++) { ++ int cp = str.codePointAt(i); ++ if (Character.UnicodeBlock.of(cp) ++ == Character.UnicodeBlock.BASIC_LATIN) { ++ sb.append(Character.toChars(cp)); ++ } else { ++ sb.append("\\u").append(String.format("%04X", cp)); ++ } ++ } ++ return sb.toString(); ++ } ++ ++ private static void createNSSDB(TestContext ctx) throws Throwable { ++ ProcessBuilder pb = getModutilPB(ctx, "-create"); ++ if (DEBUG) { ++ System.out.println("Creating an NSS DB in " + ctx.workspace + ++ "..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB creation failed."); ++ } ++ generatePinFile(ctx); ++ pb = getModutilPB(ctx, "-changepw", NSSDB_TOKEN_NAME, ++ "-newpwfile", ctx.nssdbPinFile.toString()); ++ if (DEBUG) { ++ System.out.println("NSS DB created."); ++ System.out.println("Changing NSS DB PIN..."); ++ System.out.println("cmd: " + String.join(" ", pb.command())); ++ } ++ if (pb.start().waitFor() != 0) { ++ throw new Exception("NSS DB PIN change failed."); ++ } ++ if (DEBUG) { ++ System.out.println("NSS DB PIN changed."); ++ } ++ } ++ ++ private static ProcessBuilder getModutilPB(TestContext ctx, String... args) ++ throws Throwable { ++ ProcessBuilder pb = new ProcessBuilder("modutil", "-force"); ++ List pbCommand = pb.command(); ++ if (args != null) { ++ pbCommand.addAll(Arrays.asList(args)); ++ } ++ pbCommand.add("-dbdir"); ++ pbCommand.add(ctx.nssdbPath); ++ if (DEBUG) { ++ pb.inheritIO(); ++ } else { ++ pb.redirectError(ProcessBuilder.Redirect.INHERIT); ++ } ++ return pb; ++ } ++ ++ private static void generatePinFile(TestContext ctx) throws Throwable { ++ ctx.nssdbPinFile = Files.createTempFile(ctx.workspace, null, null); ++ Files.writeString(ctx.nssdbPinFile, ctx.pin + System.lineSeparator() + ++ "2nd line with garbage"); ++ } ++} +diff --git a/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +new file mode 100644 +index 00000000000..87f1ad04505 +--- /dev/null ++++ b/test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java +@@ -0,0 +1,77 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++import java.security.Provider; ++import java.security.Security; ++ ++/* ++ * @test ++ * @bug 9999999 ++ * @requires (jdk.version.major >= 8) ++ * @run main/othervm/timeout=30 VerifyMissingAttributes ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++public final class VerifyMissingAttributes { ++ ++ private static final String[] svcAlgImplementedIn = { ++ "AlgorithmParameterGenerator.DSA", ++ "AlgorithmParameters.DSA", ++ "CertificateFactory.X.509", ++ "KeyStore.JKS", ++ "KeyStore.CaseExactJKS", ++ "KeyStore.DKS", ++ "CertStore.Collection", ++ "CertStore.com.sun.security.IndexedCollection" ++ }; ++ ++ public static void main(String[] args) throws Throwable { ++ Provider sunProvider = Security.getProvider("SUN"); ++ for (String svcAlg : svcAlgImplementedIn) { ++ String filter = svcAlg + " ImplementedIn:Software"; ++ doQuery(sunProvider, filter); ++ } ++ if (Double.parseDouble( ++ System.getProperty("java.specification.version")) >= 17) { ++ String filter = "KeyFactory.RSASSA-PSS SupportedKeyClasses:" + ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"; ++ doQuery(Security.getProvider("SunRsaSign"), filter); ++ } ++ System.out.println("TEST PASS - OK"); ++ } ++ ++ private static void doQuery(Provider expectedProvider, String filter) ++ throws Exception { ++ if (expectedProvider == null) { ++ throw new Exception("Provider not found."); ++ } ++ Provider[] providers = Security.getProviders(filter); ++ if (providers == null || providers.length != 1 || ++ providers[0] != expectedProvider) { ++ throw new Exception("Failure retrieving the provider with this" + ++ " query: " + filter); ++ } ++ } ++} diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index e56ba89..d19008a 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -4,7 +4,6 @@ # Example: # When used from local repo set REPO_ROOT pointing to file:// with your repo # If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL -# If you want to use a local copy of patch PR3788, set the path to it in the PR3788 variable # # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # PROJECT_NAME=openjdk @@ -26,19 +25,11 @@ # level folder, name is created, based on parameter # -if [ ! "x$PR3823" = "x" ] ; then - if [ ! -f "$PR3823" ] ; then - echo "You have specified PR3823 as $PR3823 but it does not exist. Exiting" - exit 1 - fi -fi - set -e OPENJDK_URL_DEFAULT=https://github.com COMPRESSION_DEFAULT=xz # Corresponding IcedTea version -ICEDTEA_VERSION=15.0 if [ "x$1" = "xhelp" ] ; then echo -e "Behaviour may be specified by setting the following variables:\n" @@ -48,8 +39,7 @@ if [ "x$1" = "xhelp" ] ; then echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" - echo "TO_COMPRESS - what part of clone to pack (default is openjdk)" - echo "PR3823 - the path to the PR3823 patch to apply (optional; downloaded if unavailable)" + echo "TO_COMPRESS - what part of clone to pack (default is ${VERSION})" echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" exit 1; fi @@ -126,7 +116,7 @@ if [ "x$REPO_ROOT" = "x" ] ; then fi; if [ "x$TO_COMPRESS" = "x" ] ; then - TO_COMPRESS="openjdk" + TO_COMPRESS="${VERSION}" echo "No targets to be compressed specified, ; default to ${TO_COMPRESS}" fi; @@ -138,65 +128,35 @@ else mkdir "${FILE_NAME_ROOT}" pushd "${FILE_NAME_ROOT}" echo "Cloning ${VERSION} root repository from ${REPO_ROOT}" - git clone -b ${VERSION} ${REPO_ROOT} openjdk + git clone -b ${VERSION} ${REPO_ROOT} ${VERSION} popd fi pushd "${FILE_NAME_ROOT}" - if [ -d openjdk/src ]; then - pushd openjdk - echo "Removing EC source code we don't build" - CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl - rm -vf ${CRYPTO_PATH}/ec2.h - rm -vf ${CRYPTO_PATH}/ec2_163.c - rm -vf ${CRYPTO_PATH}/ec2_193.c - rm -vf ${CRYPTO_PATH}/ec2_233.c - rm -vf ${CRYPTO_PATH}/ec2_aff.c - rm -vf ${CRYPTO_PATH}/ec2_mont.c - rm -vf ${CRYPTO_PATH}/ecp_192.c - rm -vf ${CRYPTO_PATH}/ecp_224.c - - echo "Syncing EC list with NSS" - if [ "x$PR3823" = "x" ] ; then - # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch - # Do not push it or publish it - echo "PR3823 not found. Downloading..." - wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch - echo "Applying ${PWD}/pr3823.patch" - patch -Np1 < pr3823.patch - rm pr3823.patch - else - echo "Applying ${PR3823}" - patch -Np1 < $PR3823 - fi; - find . -name '*.orig' -exec rm -vf '{}' ';' - popd - fi - # Generate .src-rev so build has knowledge of the revision the tarball was created from mkdir build pushd build - sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK} + sh ${PWD}/../${VERSION}/configure --with-boot-jdk=${BOOT_JDK} make store-source-revision popd rm -rf build # Remove commit checks - echo "Removing $(find openjdk -name '.jcheck' -print)" - find openjdk -name '.jcheck' -print0 | xargs -0 rm -r + echo "Removing $(find ${VERSION} -name '.jcheck' -print)" + find ${VERSION} -name '.jcheck' -print0 | xargs -0 rm -r # Remove history and GHA - echo "find openjdk -name '.hgtags'" - find openjdk -name '.hgtags' -exec rm -v '{}' '+' - echo "find openjdk -name '.hgignore'" - find openjdk -name '.hgignore' -exec rm -v '{}' '+' - echo "find openjdk -name '.gitattributes'" - find openjdk -name '.gitattributes' -exec rm -v '{}' '+' - echo "find openjdk -name '.gitignore'" - find openjdk -name '.gitignore' -exec rm -v '{}' '+' - echo "find openjdk -name '.git'" - find openjdk -name '.git' -exec rm -rv '{}' '+' - echo "find openjdk -name '.github'" - find openjdk -name '.github' -exec rm -rv '{}' '+' + echo "find ${VERSION} -name '.hgtags'" + find ${VERSION} -name '.hgtags' -exec rm -v '{}' '+' + echo "find ${VERSION} -name '.hgignore'" + find ${VERSION} -name '.hgignore' -exec rm -v '{}' '+' + echo "find ${VERSION} -name '.gitattributes'" + find ${VERSION} -name '.gitattributes' -exec rm -v '{}' '+' + echo "find ${VERSION} -name '.gitignore'" + find ${VERSION} -name '.gitignore' -exec rm -v '{}' '+' + echo "find ${VERSION} -name '.git'" + find ${VERSION} -name '.git' -exec rm -rv '{}' '+' + echo "find ${VERSION} -name '.github'" + find ${VERSION} -name '.github' -exec rm -rv '{}' '+' echo "Compressing remaining forest" if [ "X$COMPRESSION" = "Xxz" ] ; then diff --git a/java-21-openjdk-portable.specfile b/java-21-openjdk-portable.specfile index 5a6abf5..4489c1c 100644 --- a/java-21-openjdk-portable.specfile +++ b/java-21-openjdk-portable.specfile @@ -315,15 +315,14 @@ %endif # New Version-String scheme-style defines -%global featurever 20 -%global fakefeaturever 21 +%global featurever 21 %global interimver 0 -%global updatever 2 +%global updatever 0 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver %{fakefeaturever} +%global buildjdkver 20 # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -334,7 +333,7 @@ %global lts_designator_zip "" %endif # JDK to use for bootstrapping -%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +%global bootjdk /usr/lib/jvm/java-%{featurever}-openjdk # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so # This will only work where the bootstrap JDK is the same major version # as the JDK being built @@ -368,14 +367,21 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver fd3de3d95b5 +%global fipsver 75ffdc48eda +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 +%global buildver 35 %global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit @@ -390,15 +396,6 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -# Force 21 until we are actually ready to build that JDK version -%global javaver %{fakefeaturever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -420,15 +417,15 @@ %endif # parametrized macros are order-sensitive -%global compatiblename java-%{fakefeaturever}-%{origin} +%global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:build/jdk%{fakefeaturever}.build%{?1}} -%define installoutputdir() %{expand:install/jdk%{fakefeaturever}.install%{?1}} -%define packageoutputdir() %{expand:packages/jdk%{fakefeaturever}.packages%{?1}} +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -581,9 +578,8 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - # The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -636,8 +632,8 @@ Patch600: rh1750419-redhat_alt_java.patch Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch # Crypto policy and FIPS support patches -# Patch is generated from the fips-20u tree at https://github.com/rh-openjdk/jdk/tree/fips-20u -# as follows: git diff %%{vcstag} src make test > fips-20u-$(git show -s --format=%h HEAD).patch +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy @@ -661,7 +657,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2104724: Avoid import/export of DH private keys # RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode # Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] # RH2020290: Support TLS 1.3 in FIPS mode # Add nss.fips.cfg support to OpenJDK tree # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode @@ -670,8 +666,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2134669: Add missing attributes when registering services in FIPS mode. # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized -Patch1001: fips-20u-%{fipsver}.patch +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # @@ -730,7 +726,7 @@ BuildRequires: tar BuildRequires: unzip # Not needed for portables # BuildRequires: javapackages-filesystem -BuildRequires: java-%{buildjdkver}-openjdk-devel +BuildRequires: java-%{featurever}-openjdk-devel # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel @@ -972,9 +968,9 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +%patch600 -p1 popd # openjdk -%patch600 # The OpenJDK version file includes the current # upstream version information. For some reason, @@ -1447,21 +1443,18 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els # tzdb.dat used by this test is not where the test expects it, so this is # disabled for flatpak builds) # Disable test until we are on the latest JDK -%if %{buildjdkver} == %{featurever} $JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR %endif -%endif %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} ls -l $STATIC_LIBS_HOME ls -l $STATIC_LIBS_HOME/lib -# they are here, but grep do not find the remainders -#readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c -#readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c %endif # Release builds strip the debug symbols into external .debuginfo files @@ -1678,6 +1671,20 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update release notes to 21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Hardcode buildjdkver while the build JDK is not yet 21 +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 + * Wed Aug 16 2023 Andrew Hughes - 1:20.0.2.0.9-1 - Update to jdk-20.0.2+9 - Update release notes to 20.0.2+9 diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec index 0d67fc2..35ccd4e 100644 --- a/java-21-openjdk.spec +++ b/java-21-openjdk.spec @@ -299,10 +299,9 @@ %endif # New Version-String scheme-style defines -%global featurever 20 -%global fakefeaturever 21 +%global featurever 21 %global interimver 0 -%global updatever 2 +%global updatever 0 %global patchver 0 # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. @@ -310,8 +309,8 @@ %global lts_designator "LTS" %global lts_designator_zip -%{lts_designator} %else - %global lts_designator "" - %global lts_designator_zip "" + %global lts_designator "" + %global lts_designator_zip "" %endif # Define vendor information used by OpenJDK @@ -338,14 +337,21 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver fd3de3d95b5 +%global fipsver 75ffdc48eda +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 +%global buildver 35 %global rpmrelease 1 # Settings used by the portable build %global portablerelease 1 @@ -364,15 +370,6 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -# Force 21 until we are actually ready to build that JDK version -%global javaver %{fakefeaturever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -394,13 +391,13 @@ %endif # parametrized macros are order-sensitive -%global compatiblename java-%{fakefeaturever}-%{origin} +%global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define installoutputdir() %{expand:install/jdk%{fakefeaturever}.install%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -410,7 +407,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|lible[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -820,7 +817,7 @@ exit 0 %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md -%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{fakefeaturever}-openjdk-portable.specfile +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile %dir %{_sysconfdir}/.java/.systemPrefs %dir %{_sysconfdir}/.java %dir %{_jvmdir}/%{sdkdir -- %{?1}} @@ -865,6 +862,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/lible.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so @@ -921,7 +919,6 @@ exit 0 %{etcjavadir -- %{?1}}/conf/security/policy/README.txt %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security -%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access @@ -929,6 +926,8 @@ exit 0 %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template %config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/jaxp.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties %{_jvmdir}/%{sdkdir -- %{?1}}/conf @@ -1305,9 +1304,8 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - # The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -1340,7 +1338,7 @@ Source18: TestTranslations.java # Include portable spec and instructions on how to rebuild Source19: README.md -Source20: java-%{fakefeaturever}-openjdk-portable.specfile +Source20: java-%{featurever}-openjdk-portable.specfile # Setup variables to reference correct sources %global releasezip %{_jvmdir}/%{name}-%{version}-%{portablerelease}.portable.unstripped.jdk.%{_arch}.tar.xz @@ -1373,8 +1371,8 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch # Crypto policy and FIPS support patches -# Patch is generated from the fips-20u tree at https://github.com/rh-openjdk/jdk/tree/fips-20u -# as follows: git diff %%{vcstag} src make test > fips-20u-$(git show -s --format=%h HEAD).patch +# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u +# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy @@ -1398,7 +1396,7 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2104724: Avoid import/export of DH private keys # RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode # Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] # RH2020290: Support TLS 1.3 in FIPS mode # Add nss.fips.cfg support to OpenJDK tree # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode @@ -1407,8 +1405,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2134669: Add missing attributes when registering services in FIPS mode. # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized -Patch1001: fips-20u-%{fipsver}.patch +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # @@ -1462,19 +1460,19 @@ BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem %if %{include_normal_build} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-unstripped = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-static-libs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-unstripped = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-static-libs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} %endif %if %{include_fastdebug_build} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-static-libs-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-static-libs-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} %endif %if %{include_debug_build} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-static-libs-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-static-libs-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} %endif -BuildRequires: java-%{fakefeaturever}-openjdk-portable-docs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-%{fakefeaturever}-openjdk-portable-misc = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-docs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-%{featurever}-openjdk-portable-misc = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel @@ -1877,9 +1875,9 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +%patch600 -p1 popd # openjdk -%patch600 # The OpenJDK version file includes the current # upstream version information. For some reason, @@ -1963,12 +1961,6 @@ function customisejdk() { # Use system-wide tzdata rm ${imagepath}/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - - # Add temporary empty nss.fips.cfg until full FIPS patches are restored -%if %{fakefeaturever} > %{featurever} - touch ${imagepath}/conf/security/nss.fips.cfg -%endif - fi } @@ -1991,7 +1983,7 @@ for suffix in %{build_loop} ; do tar -xJf ${jdkzip} tar -xJf ${staticlibzip} mkdir -p $(dirname ${installdir}) - mv java-%{fakefeaturever}-openjdk* ${installdir} + mv java-%{featurever}-openjdk* ${installdir} # Fix build paths in ELF files so it looks like we built them portablenvr="%{name}-%{VERSION}-%{portablerelease}.%{portablesuffix}.%{_arch}" @@ -2012,11 +2004,11 @@ done # end of release / debug cycle loop docdir=%{installoutputdir -- "-docs"} tar -xJf %{docszip} -mv java-%{fakefeaturever}-openjdk*.docs.* ${docdir} +mv java-%{featurever}-openjdk*.docs.* ${docdir} miscdir=%{installoutputdir -- "-misc"} tar -xJf %{misczip} -mv java-%{fakefeaturever}-openjdk*.misc.* ${miscdir} +mv java-%{featurever}-openjdk*.misc.* ${miscdir} %check @@ -2064,18 +2056,16 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els # tzdb.dat used by this test is not where the test expects it, so this is # disabled for flatpak builds) # Disable test until we are on the latest JDK -%if %{fakefeaturever} == %{featurever} $JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR %endif -%endif %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=${JAVA_HOME}/lib/static/linux-%{archinstall}/glibc -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet6AddressImpl.c %endif so_suffix="so" @@ -2519,6 +2509,23 @@ cjc.mainProgram(args) %endif %changelog +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync +- Install jaxp.properties introduced by JDK-8303530 +- Install lible.so introduced by JDK-8306983 +- Related: RHEL-12998 +- Resolves: RHEL-41087 + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 +- Related: RHEL-12998 + * Wed Aug 16 2023 Andrew Hughes - 1:20.0.0.0.36-1 - Update to jdk-20.0.2+9 - Update release notes to 20.0.2+9 diff --git a/sources b/sources index 03fa119..373cdb7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk20u-jdk-20.0.2+9.tar.xz) = 1513a9f43613401055f2638d75cb6338c25c5c068c66e03c5943f47a0a7d41279013a3f455738b92947712e99bb279daa50c488a086354f4e74c6e0c50e2e3c5 +SHA512 (openjdk-jdk21u-jdk-21+35.tar.xz) = 311e954cc8d28a336b85efc05baade8945fe5292ae2d91cc7ff71c6b3a1830b1a4b9fc641f87e68a4b3db175eb5c21a18664457715da9b37720c5d4b3eb67195