rpms/java-25-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI java-25-openjdk-25.0.1.0.8-6.el10

Browse Source
This commit is contained in:
eabdullin 2026-01-05 12:05:30 +00:00
parent f4b2e144e5
commit 94d175ddcc
8 changed files with 529 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
nssadapter-0.1.0.tar.xz
openjdk-25.0.1+8.tar.xz
tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

70
TestSecurityProperties.java
View File

@ -21,15 +21,32 @@ import java.security.Security;
import java.util.Properties;
public class TestSecurityProperties {
private static final String JAVA_HOME = System.getProperty("java.home");
// JDK 11
private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
private static final String JDK_PROPS_FILE_JDK_11 = JAVA_HOME + "/conf/security/java.security";
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
private static final String JDK_PROPS_FILE_JDK_8 = JAVA_HOME + "/lib/security/java.security";
// JDK 25
// Omit fips.properties files since they are not relevant to this test.
// Omit JAVA_HOME + "/conf/security/redhat/crypto-policies.properties" which simply includes
// true/crypto-policies.properties in case redhat.crypto-policies is left undefined.
private static final String[] JDK_PROPS_FILES_JDK_25_ENABLED = {
JAVA_HOME + "/conf/security/redhat/true/crypto-policies.properties",
"/etc/crypto-policies/back-ends/java.config"
};
private static final String[] JDK_PROPS_FILES_JDK_25_DISABLED = {
JAVA_HOME + "/conf/security/redhat/false/crypto-policies.properties"
};
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
private static final String javaVersion = System.getProperty("java.version");
// float for java 1.8
private static final float JAVA_FEATURE = Float.parseFloat(System.getProperty("java.specification.version"));
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
@ -40,18 +57,24 @@ public class TestSecurityProperties {
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
loadProperties(jdkProps, enabled);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
for (Object key : jdkProps.keySet()) {
String sKey = (String) key;
if (JAVA_FEATURE >= 25 && sKey.equals("include")) {
// Avoid the following exception on 25: IllegalArgumentException: Key 'include' is
// reserved and cannot be used as a Security property name. Hard-code the includes
// in JDK_PROPS_FILES_JDK_25_ENABLED and JDK_PROPS_FILES_JDK_25_DISABLED instead.
continue;
}
System.out.println(MSG_PREFIX + "Checking " + sKey);
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!jdkSecVal.equals(securityVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
@ -60,17 +83,26 @@ public class TestSecurityProperties {
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
private static void loadPropertiesFile(Properties props, String propsFile) {
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadProperties(Properties props, boolean enabled) {
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
loadPropertiesFile(props, propsFile);
if (JAVA_FEATURE >= 25) {
for (String file : enabled ? JDK_PROPS_FILES_JDK_25_ENABLED : JDK_PROPS_FILES_JDK_25_DISABLED) {
System.out.println(MSG_PREFIX + "Loading " + file);
loadPropertiesFile(props, file);
}
}
}
@ -83,3 +115,17 @@ public class TestSecurityProperties {
}
}
/*
* Local Variables:
* compile-command: "\
* /usr/lib/jvm/java-25-openjdk/bin/javac TestSecurityProperties.java \
* && (/usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties false ; [[ $? == 1 ]]) \
* && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true TestSecurityProperties false ; [[ $? == 1 ]]) \
* && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties true ; [[ $? == 1 ]]) \
* && /usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties true \
* && /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true TestSecurityProperties true \
* && /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties false" \
* fill-column: 124
* End:
*/

166
create-redhat-properties-files.bash Normal file
View File

@ -0,0 +1,166 @@
#!/bin/bash
#
# Create Red Hat OpenJDK security properties directory hierarchy.
#
# Copyright (C) 2025 IBM Corporation. All rights reserved.
#
# Written by:
# Francisco Ferrari Bihurriet <fferrari@redhat.com>
# Thomas Fitzsimmons <fitzsim@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Usage:
#
# bash create-redhat-properties-files.bash <target directory> <nssadapter path>
#
# Example usage in spec file:
#
# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \
# %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
#
# When you make changes to the file set here, also update the %files
# section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
# in TestSecurityProperties.java.
[[ $# == 2 ]] || exit 1
SECURITY="${1}"
NSSADAPTER="${2}"
VENDOR="${SECURITY}"/redhat
install --directory --mode=755 "${VENDOR}"
install --directory --mode=755 "${VENDOR}"/true
install --directory --mode=755 "${VENDOR}"/false
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
name = FIPS
library = ${NSSADAPTER}
slot = 3
nssUseSecmod = false
attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
# Empty on purpose, for ${redhat.crypto-policies}=false
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
#
# Apply the system-wide crypto policy
#
include /etc/crypto-policies/back-ends/java.config
#
# Apply the FIPS-specific security properties, if needed
#
include ../${__redhat_fips__}/fips.properties
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
#
# Default choice for the crypto-policies setup
#
include true/crypto-policies.properties
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/fips.properties
install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
# Empty on purpose, for when FIPS is disabled.
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/fips.properties
install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
#
# Enable the downstream-patch RedHatFIPSFilter code
#
__redhat_fips_filter__=true
#
# FIPS mode Security Providers List
#
security.provider.1=SunPKCS11 ${java.home}/conf/security/redhat/SunPKCS11-FIPS.cfg
security.provider.2=SUN
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunRsaSign
security.provider.7=XMLDSig
security.provider.8=
# ^ empty on purpose, to finish the Providers List
#
# FIPS mode default keystore type
#
keystore.type=pkcs12
EOF
cat >> "${SECURITY}"/java.security <<'EOF'
#
# System-wide crypto-policies and FIPS setup
#
# The following crypto-policies setup automatically detects when the system
# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
# ignore the system and disable its FIPS setup, just disable the usage of
# the system crypto-policies, by any of the methods described below.
#
# The redhat.crypto-policies system property is a boolean switch that
# controls the usage on a per-run basis. For example, pass
# -Dredhat.crypto-policies=false to disable the system crypto-policies.
#
# This setup consists of the following files in $JAVA_HOME/conf/security:
#
# 'redhat/false/crypto-policies.properties' (policies usage disabled file)
# Empty file, applied when the boolean switch is passed as false.
#
# 'redhat/true/crypto-policies.properties' (policies usage enabled file)
# Performs the crypto-policies and FIPS setup, applied when the boolean
# switch is passed as true.
#
# 'redhat/crypto-policies.properties' (policies usage default file)
# Determines the default choice by including one of the previous files,
# applied when the boolean switch is not passed.
# The system crypto-policies usage is enabled by default:
# include true/crypto-policies.properties
#
# To enable or disable the usage of the crypto-policies on a per-deployment
# basis, edit the policies usage default file, changing the included file.
# For example, execute the following command to persistently disable the
# crypto-policies:
# sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties
# Applications can still override this on a per-run basis, for example by
# passing -Dredhat.crypto-policies=true.
#
# To disable the redhat.crypto-policies boolean switch, modify the following
# include directive as follows. Replace ${redhat.crypto-policies} by true to
# force-apply the system crypto-policies:
# include redhat/true/crypto-policies.properties
# Remove or comment out the include directive to force-disable the setup:
# #include redhat/${redhat.crypto-policies}/crypto-policies.properties
#
include redhat/${redhat.crypto-policies}/crypto-policies.properties
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# WARNING: anything placed after this include directive will apply on top
# of the described setup. Adding properties below this section is strongly
# discouraged, as it poses a risk of overriding the system crypto-policies
# or invalidating the FIPS deployment.
EOF
# Local Variables:
# compile-command: "shellcheck create-redhat-properties-files.bash"
# End:

92
fips-25u-df044414ef4.patch Normal file
View File

@ -0,0 +1,92 @@
diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
index de2845fb550..b1e416b90f4 100644
--- a/src/java.base/share/classes/java/security/Provider.java
+++ b/src/java.base/share/classes/java/security/Provider.java
@@ -1203,6 +1203,39 @@ public Set<Service> getServices() {
return serviceSet;
}
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ private static final class RedHatFIPSFilter {
+ static final boolean IS_ON = Boolean.parseBoolean(
+ Security.getProperty("__redhat_fips_filter__"));
+ private static final Set<String> ANY_SERVICE_TYPE = Set.of();
+ private static final Map<String, Set<String>> ALLOW_LIST = Map.of(
+ "SunPKCS11-FIPS", ANY_SERVICE_TYPE,
+ "SUN", Set.of(
+ "AlgorithmParameterGenerator",
+ "AlgorithmParameters", "CertificateFactory",
+ "CertPathBuilder", "CertPathValidator", "CertStore",
+ "Configuration", "KeyStore"),
+ "SunEC", Set.of(
+ "AlgorithmParameters", "KeyFactory"),
+ "SunJSSE", ANY_SERVICE_TYPE,
+ "SunJCE", Set.of(
+ "AlgorithmParameters",
+ "AlgorithmParameterGenerator", "KeyFactory",
+ "SecretKeyFactory"),
+ "SunRsaSign", Set.of(
+ "KeyFactory", "AlgorithmParameters"),
+ "XMLDSig", ANY_SERVICE_TYPE
+ );
+
+ static boolean isAllowed(String provName, String serviceType) {
+ Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
+ return allowedServiceTypes != null &&
+ (allowedServiceTypes == ANY_SERVICE_TYPE ||
+ allowedServiceTypes.contains(serviceType));
+ }
+ }
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+
/**
* Add a service. If a service of the same type with the same algorithm
* name exists, and it was added using {@link #putService putService()},
@@ -1231,6 +1264,15 @@ protected void putService(Service s) {
("service.getProvider() must match this Provider object");
}
String type = s.getType();
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
+ if (debug != null) {
+ debug.println("The previous " + name + ".putService() call " +
+ "was skipped by " + RedHatFIPSFilter.class.getName());
+ }
+ return;
+ }
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
String algorithm = s.getAlgorithm();
ServiceKey key = new ServiceKey(type, algorithm, true);
implRemoveService(serviceMap.get(key));
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
index 6969fe8a8e1..4501d5971c4 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
}
private static void initialize() {
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ /* This 'include'-directives-only magic property is an internal */
+ /* implementation detail that could (and probably will!) change. */
+ /* Red Hat customers should NOT rely on this for their own use. */
+ String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
+ boolean fipsModeOn;
+ try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
+ fipsModeOn = is.read() == '1';
+ } catch (IOException ioe) {
+ fipsModeOn = false;
+ if (sdebug != null) {
+ sdebug.println("Failed to read FIPS kernel file: " + ioe);
+ }
+ }
+ String fipsMagicPropName = "__redhat_fips__";
+ System.setProperty(fipsMagicPropName, "" + fipsModeOn);
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
SecPropLoader.loadAll();
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ System.clearProperty(fipsMagicPropName);
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
initialSecurityProperties = (Properties) props.clone();
if (sdebug != null) {
for (String key : props.stringPropertyNames()) {

23
java-25-openjdk-portable.specfile
View File

@ -226,7 +226,7 @@
# other targets since this target is configured to use in-tree
# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
# and possibly others
%global static_libs_target static-libs-image
%global static_libs_target static-libs-graal-image
%else
%global static_libs_target %{nil}
%endif
@ -376,7 +376,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver 9203d50836c
%global fipsver df044414ef4
# Define JDK versions
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
%global javaver %{featurever}
@ -391,7 +391,7 @@
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
%global rpmrelease 1
%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@ -430,7 +430,7 @@
%global fullversion %{compatiblename}-%{version}-%{release}
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs
%global static_libs_image static-libs-graal
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
@ -640,7 +640,7 @@ Source18: TestTranslations.java
############################################
# Crypto policy and FIPS support patches
# Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3183, RH1340845: Follow system wide crypto policy
@ -674,7 +674,7 @@ Source18: TestTranslations.java
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
# RH1940064: Enable XML Signature provider in FIPS mode
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch
Patch1001: fips-%{featurever}u-%{fipsver}.patch
#############################################
#
@ -1003,8 +1003,7 @@ sh %{SOURCE12} %{top_level_dir_name}
# rpmbuild.
pushd %{top_level_dir_name}
# Add crypto policy and FIPS support
# Disabled until 25
#%patch -P1001 -p1
%patch -P1001 -p1
popd # openjdk
echo "Generating %{alt_java_name} man page"
@ -1967,6 +1966,14 @@ done
%endif
%changelog
* Tue Dec 02 2025 Severin Gehwolf <sgehwolf@redhat.com> - 1:25.0.1.0.8-2
- Switch from static-libs-image to static-libs-graal-image to avoid large unneeded libjvm.a
- Resolves: OPENJDK-4197
* Tue Dec 02 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-2
- Incorporate new FIPS patch for 25u
- Resolves: OPENJDK-4184
* Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-1
- Update to jdk-25.0.1+8 (GA)
- Update release notes to 25.0.1+8

204
java-25-openjdk.spec
View File

@ -204,27 +204,6 @@
%endif
%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
# other targets since this target is configured to use in-tree
# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
# and possibly others
%global static_libs_target static-libs-image
%else
%global static_libs_target %{nil}
%endif
# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
%global debug_symbols internal
# unlike portables,the rpms have to use static_libs_target very dynamically
%global bootstrap_targets images
%global release_targets images docs-zip
# No docs nor bootcycle for debug builds
%global debug_targets images
# Target to use to just build HotSpot
%global hotspot_target hotspot
# debugedit tool for rewriting ELF file paths
%if 0%{?rhel} >= 10
# From RHEL 10, the tool is in its own package installed in the usual location
@ -234,15 +213,6 @@
%global debugedit %{_rpmconfigdir}/debugedit
%endif
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
%global ourldflags %{__global_ldflags}
# In some cases, the arch used by the JDK does
# not match _arch.
# Also, in some cases, the machine name used by SystemTap
@ -352,9 +322,12 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the crypto policy & FIPS support patches
%global fipsver 9203d50836c
%global fipsver df044414ef4
# Define nssadapter variables
%global nssadapter_version 0.1.0
%global nssadapter_name nssadapter-%{nssadapter_version}
# Define whether the crypto policy is expected to be active when testing
%global crypto_policy_active false
%global crypto_policy_active true
# Define JDK versions
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
%global javaver %{featurever}
@ -376,9 +349,9 @@
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
%global rpmrelease 2
%global rpmrelease 6
# Settings used by the portable build
%global portablerelease 1
%global portablerelease 2
# Portable suffix differs between RHEL and CentOS
%if 0%{?centos} == 0
%global portablerhel %{?pkgos:7_9}%{!?pkgos:8}
@ -429,9 +402,6 @@
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs
# output dir stub
%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
@ -904,6 +874,21 @@ fi
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
%{etcjavadir -- %{?1}}/conf/security/policy/README.txt
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
%dir %{etcjavadir -- %{?1}}/conf/security/redhat
%dir %{etcjavadir -- %{?1}}/conf/security/redhat/false
%dir %{etcjavadir -- %{?1}}/conf/security/redhat/true
# config-noreplace in case the system administrator wants to adjust
# the FIPS configuration
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/SunPKCS11-FIPS.cfg
# config-noreplace in case the system administrator wants to change
# the default for crypto-policies usage
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/crypto-policies.properties
# The system administrator is never expected to change these files -- they
# are implementation details -- so leave them as not config-noreplace
%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/crypto-policies.properties
%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/crypto-policies.properties
%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/fips.properties
%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/fips.properties
%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
# This is a config template, thus not config-noreplace
%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
@ -1066,7 +1051,6 @@ fi
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/%{vm_variant}/lib*.a
}
%define files_javadoc() %{expand:
@ -1092,6 +1076,11 @@ fi
%endif
}
%define files_crypto_adapter() %{expand:
%dir %{_libdir}/%{sdkdir -- %{?1}}
%{_libdir}/%{sdkdir -- %{?1}}/libnssadapter.so
}
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
Requires: fontconfig%{?_isa}
@ -1141,8 +1130,6 @@ Requires: lksctp-tools%{?_isa}
Requires: cups-libs
# for system security properties
Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# Postun requires alternatives to uninstall tool alternatives
@ -1152,6 +1139,8 @@ Requires(postun): %{alternatives_requires}
%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
%endif
# for libnssadapter.so
Requires: %{name}-crypto-adapter%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
# Standard JPackage base provides
Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
@ -1355,6 +1344,12 @@ Source29: 0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch
# Use update repository on RHEL rather than GA (OPENJDK-3589)
Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
# FIPS support sources.
# For libnssadapter.so (RHEL-128413)
Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/%{nssadapter_name}.tar.xz
# Create OpenJDK's crypto-policies hierarchy (RHEL-128409)
Source32: create-redhat-properties-files.bash
# Setup variables to reference correct sources
%global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz
%global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz
@ -1373,7 +1368,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
# Crypto policy and FIPS support patches
# Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3183, RH1340845: Follow system wide crypto policy
@ -1407,7 +1402,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
# RH1940064: Enable XML Signature provider in FIPS mode
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch
Patch1001: fips-%{featurever}u-%{fipsver}.patch
#############################################
#
@ -1433,6 +1428,13 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch
# Currently empty
#############################################
#
# NSS adapter patches
#
#############################################
Patch2001: nssadapter-ldflags.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: alsa-lib-devel
@ -1490,6 +1492,10 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
# libnssadapter.so build requirements
BuildRequires: nss-devel
BuildRequires: nss-softokn-devel
%if %{system_libs}
BuildRequires: freetype-devel
BuildRequires: giflib-devel
@ -1836,6 +1842,46 @@ Requires(postun): %{alternatives_requires}
The %{origin_nice} %{featurever} API documentation compressed in a single archive.
%endif
# java-25-openjdk-crypto-adapter
%if %{include_normal_build}
%package crypto-adapter
Summary: %{origin_nice} %{featurever} Cryptography Adapter Library
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
%endif
# java-25-openjdk-crypto-adapter does not need an "rpo" function since
# its specific nss and nss-softokn library requirements are
# automatically generated by RPM.
%description crypto-adapter
The %{origin_nice} %{featurever} cryptography adapter library.
%endif
%if %{include_debug_build}
%package crypto-adapter-slowdebug
Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{debug_on}
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
%endif
%description crypto-adapter-slowdebug
The %{origin_nice} %{featurever} cryptography adapter library.
%{debug_warning}
%endif
%if %{include_fastdebug_build}
%package crypto-adapter-fastdebug
Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{fastdebug_on}
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
%endif
%description crypto-adapter-fastdebug
The %{origin_nice} %{featurever} cryptography adapter library.
%{fastdebug_warning}
%endif
%prep
echo "Preparing %{oj_vendor_version}"
@ -1873,6 +1919,8 @@ fi
export XZ_OPT="-T0"
%setup -q -c -n %{uniquesuffix ""} -T -a 0
# Prepare libnssadapter.so source code
tar -xJf %{SOURCE31}
# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
prioritylength=`expr length %{priority}`
if [ $prioritylength -ne 8 ] ; then
@ -1903,10 +1951,14 @@ sh %{SOURCE12} %{top_level_dir_name}
# rpmbuild.
pushd %{top_level_dir_name}
# Add crypto policy and FIPS support
# Disabled until 25
#%patch -P1001 -p1
%patch -P1001 -p1
popd # openjdk
# Patch NSS adapter
pushd %{nssadapter_name}
%patch -P2001 -p1
popd # nssadapter
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
@ -1948,11 +2000,12 @@ done
function customisejdk() {
local imagepath=${1}
local suffix=${2}
if [ -d ${imagepath} ] ; then
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security
# Install crypto-policies FIPS configuration files and append
# include line to java.security
bash -x %{SOURCE32} ${imagepath}/conf/security %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
@ -1977,12 +2030,16 @@ for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
jdkzip=%{releasezip}
staticlibzip=%{staticlibzip}
make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}"
elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then
jdkzip=%{fastdebugzip}
staticlibzip=%{fastdebugstaticlibzip}
make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}"
else # slowdebug
jdkzip=%{slowdebugzip}
staticlibzip=%{slowdebugstaticlibzip}
# Disable _FORTIFY_SOURCE to allow for no optimization
make -C %{nssadapter_name} CFLAGS="%{build_cflags} -O0 -Wp,-U_FORTIFY_SOURCE" LDFLAGS="%{build_ldflags}"
fi
installdir=%{installoutputdir -- ${suffix}}
@ -1992,6 +2049,10 @@ for suffix in %{build_loop} ; do
tar -xJf ${staticlibzip}
mv java-%{featurever}-openjdk* ${installdir}
# Install and clean libnssadapter.so
install -m 755 %{nssadapter_name}/bin/libnssadapter.so ${installdir}/lib
make -C %{nssadapter_name} clean
# Fix build paths in ELF files so it looks like we built them
portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}"
for file in $(find ${installdir} -type f) ; do
@ -2017,7 +2078,7 @@ for suffix in %{build_loop} ; do
%endif
# Final setup on the main image
customisejdk ${installdir}
customisejdk ${installdir} ${suffix}
# Print release information
cat ${installdir}/release
@ -2057,7 +2118,7 @@ $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -versi
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} %{crypto_policy_active}
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
$JAVA_HOME/bin/java ${SEC_DEBUG} -Dredhat.crypto-policies=false ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
@ -2225,6 +2286,9 @@ install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $
done
%endif
install -d -m 755 $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}}
mv $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/libnssadapter.so $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}}
# Remove empty cacerts database
rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
# Install cacerts symlink needed by some apps which hard-code the path
@ -2471,6 +2535,9 @@ exit 0
%endif
%if %{include_normal_build}
%files crypto-adapter
%{files_crypto_adapter %{nil}}
%files headless
%{files_jre_headless %{nil}}
@ -2502,6 +2569,9 @@ exit 0
%endif
%if %{include_debug_build}
%files crypto-adapter-slowdebug
%{files_crypto_adapter -- %{debug_suffix_unquoted}}
%files slowdebug
%{files_jre -- %{debug_suffix_unquoted}}
@ -2527,6 +2597,9 @@ exit 0
%endif
%if %{include_fastdebug_build}
%files crypto-adapter-fastdebug
%{files_crypto_adapter -- %{fastdebug_suffix_unquoted}}
%files fastdebug
%{files_jre -- %{fastdebug_suffix_unquoted}}
@ -2553,6 +2626,39 @@ exit 0
%endif
%changelog
* Sat Dec 06 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-6
- Sync the copy of the portable specfile with the latest update
- Related: RHEL-133733
- Related: RHEL-133735
* Thu Dec 04 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-6
- Remove /usr/lib/jvm/java-25-openjdk/conf/security/redhat/fips.properties
- Resolves: RHEL-131897
* Thu Dec 04 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-5
- Incorporate new FIPS patch for 25u
- Drop static libjvm.a following adjusted build target for portable build
- Remove redundant (and now outdated) build targets, jdkimage and static_libs_image
- Pass ourflags and ourldflags into the nssadapter build using CFLAGS & LDFLAGS
- Patch the nssadapter build to recognise LDFLAGS
- Remove OpenJDK compiler flag filters and use build_{c,ld}flags directly
- Resolves: RHEL-133733
- Resolves: RHEL-133735
- Resolves: RHEL-133763
* Wed Nov 26 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-4
- Add java-25-openjdk-crypto-adapter subpackage
- Update library setting in create-redhat-properties-files.bash
- Resolves: RHEL-131896
* Mon Nov 24 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-3
- Add libnssadapter.so
- Add FIPS crypto-policies configuration
- Remove obsolete security.useSystemPropertiesFile setup
- Update TestSecurityProperties.java test and calling convention
- Resolves: RHEL-128413
- Resolves: RHEL-128409
* Wed Nov 12 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-2
- Remove superfluous backslashes that cause two alternative commands to be combined
- Related: RHEL-120553

41
nssadapter-ldflags.patch Normal file
View File

@ -0,0 +1,41 @@
diff --git a/Makefile b/Makefile
index 5175f21..571748a 100644
--- a/Makefile
+++ b/Makefile
@@ -13,12 +13,12 @@ DEVEL_PKGS = nss nss-softokn
LIB_DIR = $(shell pkg-config --variable=libdir nss-softokn)
SHARED_LIBS = pthread softokn3 nss3
STATIC_LIBS = freebl
-SHR_CFLAGS = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL \
- $(addprefix -l,$(SHARED_LIBS)) \
+SHR_CFLAGS = -shared -fPIC -fvisibility=hidden \
$(strip $(shell pkg-config --cflags $(DEVEL_PKGS))) \
-Wpedantic -Wall -Wextra -Wconversion -Werror
DBG_CFLAGS = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \
-O0 -g
+SHR_LDFLAGS = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS))
# https://clang.llvm.org/docs/ClangFormatStyleOptions.html
CLANG_FORMAT_STYLE = { \
@@ -53,10 +53,12 @@ endif
.PHONY: release ## Build the library in RELEASE mode (default)
release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS)
+release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT)
.PHONY: debug ## Build the library in DEBUG mode
debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS)
+debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL)
debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT)
@@ -73,7 +75,7 @@ $(BIN_DIR):
$(OUTPUT): $(BIN_DIR) $(SRC_FILES)
@$(CREATE_DBG_SENTINEL_IF_NEEDED)
- $(CC) $(BLD_CFLAGS) $(filter %.c, $+) \
+ $(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \
$(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@

1
sources
View File

@ -1,2 +1,3 @@
SHA512 (nssadapter-0.1.0.tar.xz) = 581f49d1a27550e3a2fa0a9d407f43c507627a8439827904d14daaf24e071d9f73884a2abe4cb3d36d26f1af09ef7d20724b2d40c9bac202e0316fac6c1a636b
SHA512 (openjdk-25.0.1+8.tar.xz) = eb84d876f81ca02803283e8294c89b6acbed3753426811c3bcc228615c9618deefc85da4aa702800cac2feb103e628ee8b92292b316e9d7e12a58b6de69c5085
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30