From 94d175ddcc824e48792bbf0f3a2c54a12a2be701 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 5 Jan 2026 12:05:30 +0000 Subject: [PATCH] import UBI java-25-openjdk-25.0.1.0.8-6.el10 --- .gitignore | 1 + TestSecurityProperties.java | 70 ++++++++-- create-redhat-properties-files.bash | 166 ++++++++++++++++++++++ fips-25u-df044414ef4.patch | 92 +++++++++++++ java-25-openjdk-portable.specfile | 23 ++-- java-25-openjdk.spec | 204 +++++++++++++++++++++------- nssadapter-ldflags.patch | 41 ++++++ sources | 1 + 8 files changed, 529 insertions(+), 69 deletions(-) create mode 100644 create-redhat-properties-files.bash create mode 100644 fips-25u-df044414ef4.patch create mode 100644 nssadapter-ldflags.patch diff --git a/.gitignore b/.gitignore index f9cd553..2459d83 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ +nssadapter-0.1.0.tar.xz openjdk-25.0.1+8.tar.xz tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java index 2507ceb..a6e586e 100644 --- a/TestSecurityProperties.java +++ b/TestSecurityProperties.java 
@@ -21,15 +21,32 @@ import java.security.Security; import java.util.Properties; public class TestSecurityProperties { + private static final String JAVA_HOME = System.getProperty("java.home"); // JDK 11 - private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + private static final String JDK_PROPS_FILE_JDK_11 = JAVA_HOME + "/conf/security/java.security"; // JDK 8 - private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + private static final String JDK_PROPS_FILE_JDK_8 = JAVA_HOME + "/lib/security/java.security"; + // JDK 25 + // Omit fips.properties files since they are not relevant to this test. + // Omit JAVA_HOME + "/conf/security/redhat/crypto-policies.properties" which simply includes + // true/crypto-policies.properties in case redhat.crypto-policies is left undefined. + private static final String[] JDK_PROPS_FILES_JDK_25_ENABLED = { + JAVA_HOME + "/conf/security/redhat/true/crypto-policies.properties", + "/etc/crypto-policies/back-ends/java.config" + }; + private static final String[] JDK_PROPS_FILES_JDK_25_DISABLED = { + JAVA_HOME + "/conf/security/redhat/false/crypto-policies.properties" + }; private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; private static final String MSG_PREFIX = "DEBUG: "; + private static final String javaVersion = System.getProperty("java.version"); + + // float for java 1.8 + private static final float JAVA_FEATURE = Float.parseFloat(System.getProperty("java.specification.version")); + public static void main(String[] args) { if (args.length == 0) { System.err.println("TestSecurityProperties "); 
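Review bot: The `JDK_PROPS_FILES_JDK_25_ENABLED` initializer repeats the literal `"/etc/crypto-policies/back-ends/java.config"` that `POLICY_FILE` declares a few lines further down, so the policy path now lives in two places; declaring `POLICY_FILE` above the arrays and writing the second element as `POLICY_FILE` keeps it in one. The new `javaVersion` constant is `static final` but lower-camel, unlike `JAVA_FEATURE` right beside it — `JAVA_VERSION` would match the rest of the class. `Float.parseFloat(System.getProperty("java.specification.version"))` throws during class initialisation (NumberFormatException, or NullPointerException if the property is absent), which surfaces as an ExceptionInInitializerError rather than the test's usual "Test failed!" message; that is acceptable for a test, but the `// float for java 1.8` comment would read better as `// "1.8" on JDK 8, the bare feature number ("25") from JDK 9 on, hence a float`.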
@@ -40,18 +57,24 @@ public class TestSecurityProperties { boolean enabled = Boolean.valueOf(args[0]); System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); Properties jdkProps = new Properties(); - loadProperties(jdkProps); + loadProperties(jdkProps, enabled); if (enabled) { loadPolicy(jdkProps); } - for (Object key: jdkProps.keySet()) { - String sKey = (String)key; + for (Object key : jdkProps.keySet()) { + String sKey = (String) key; + if (JAVA_FEATURE >= 25 && sKey.equals("include")) { + // Avoid the following exception on 25: IllegalArgumentException: Key 'include' is + // reserved and cannot be used as a Security property name. Hard-code the includes + // in JDK_PROPS_FILES_JDK_25_ENABLED and JDK_PROPS_FILES_JDK_25_DISABLED instead. + continue; + } System.out.println(MSG_PREFIX + "Checking " + sKey); String securityVal = Security.getProperty(sKey); String jdkSecVal = jdkProps.getProperty(sKey); if (!jdkSecVal.equals(securityVal)) { String msg = "Expected value '" + jdkSecVal + "' for key '" + - sKey + "'" + " but got value '" + securityVal + "'"; + sKey + "'" + " but got value '" + securityVal + "'"; throw new RuntimeException("Test failed! " + msg); } else { System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); 
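Review bot: `if (enabled) { loadPolicy(jdkProps); }` still runs after `loadProperties(jdkProps, enabled)`, which on 25 has already loaded `/etc/crypto-policies/back-ends/java.config` through `JDK_PROPS_FILES_JDK_25_ENABLED`; if `loadPolicy` (defined outside this hunk) reads `POLICY_FILE`, that file is parsed twice on 25. The duplicate is harmless because the values are identical, but either guard it with `if (enabled && JAVA_FEATURE < 25) {` or add a comment saying the second load is intentional. The `include` skip is right for `java.util.Properties.load`, which stores the directive as an ordinary key; a short comment noting that only the last `include` line survives in `jdkProps` anyway would save the next reader working that out. `main` continues outside the hunk.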
@@ -60,17 +83,26 @@ public class TestSecurityProperties { System.out.println("TestSecurityProperties PASSED!"); } - private static void loadProperties(Properties props) { - String javaVersion = System.getProperty("java.version"); + private static void loadPropertiesFile(Properties props, String propsFile) { + try (FileInputStream fin = new FileInputStream(propsFile)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + + private static void loadProperties(Properties props, boolean enabled) { System.out.println(MSG_PREFIX + "Java version is " + javaVersion); String propsFile = JDK_PROPS_FILE_JDK_11; if (javaVersion.startsWith("1.8.0")) { propsFile = JDK_PROPS_FILE_JDK_8; } - try (FileInputStream fin = new FileInputStream(propsFile)) { - props.load(fin); - } catch (Exception e) { - throw new RuntimeException("Test failed!", e); + loadPropertiesFile(props, propsFile); + if (JAVA_FEATURE >= 25) { + for (String file : enabled ? JDK_PROPS_FILES_JDK_25_ENABLED : JDK_PROPS_FILES_JDK_25_DISABLED) { + System.out.println(MSG_PREFIX + "Loading " + file); + loadPropertiesFile(props, file); + } } } 
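Review bot: `loadPropertiesFile` rethrows as `new RuntimeException("Test failed!", e)` without naming the file, so a missing `redhat/true/crypto-policies.properties` and a missing `java.security` give the same message and the reader has to dig into the cause; `throw new RuntimeException("Test failed! Could not load " + propsFile, e);` fixes that. The `MSG_PREFIX + "Loading " + file` line is printed only for the 25-specific files in `loadProperties`, not for the base `propsFile`; moving that `println` into `loadPropertiesFile` logs every file exactly once. `catch (Exception e)` is wider than what the body can throw — `FileInputStream` and `Properties.load` throw `IOException`, and `load` can throw `IllegalArgumentException` on a malformed escape — so `catch (IOException | IllegalArgumentException e)` (with the matching import) names what is actually expected.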
@@ -83,3 +115,17 @@ public class TestSecurityProperties { } } + +/* + * Local Variables: + * compile-command: "\ + * /usr/lib/jvm/java-25-openjdk/bin/javac TestSecurityProperties.java \ + * && (/usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties false ; [[ $? == 1 ]]) \ + * && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true TestSecurityProperties false ; [[ $? == 1 ]]) \ + * && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties true ; [[ $? == 1 ]]) \ + * && /usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties true \ + * && /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true TestSecurityProperties true \ + * && /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties false" \ + * fill-column: 124 + * End: + */ diff --git a/create-redhat-properties-files.bash b/create-redhat-properties-files.bash new file mode 100644 index 0000000..7b02edf --- /dev/null +++ b/create-redhat-properties-files.bash 
@@ -0,0 +1,166 @@ +#!/bin/bash +# +# Create Red Hat OpenJDK security properties directory hierarchy. +# +# Copyright (C) 2025 IBM Corporation. All rights reserved. +# +# Written by: +# Francisco Ferrari Bihurriet +# Thomas Fitzsimmons +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . +# +# Usage: +# +# bash create-redhat-properties-files.bash +# +# Example usage in spec file: +# +# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \ +# %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so +# +# When you make changes to the file set here, also update the %files +# section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables +# in TestSecurityProperties.java. + +[[ $# == 2 ]] || exit 1 + +SECURITY="${1}" +NSSADAPTER="${2}" +VENDOR="${SECURITY}"/redhat +install --directory --mode=755 "${VENDOR}" +install --directory --mode=755 "${VENDOR}"/true +install --directory --mode=755 "${VENDOR}"/false + +# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg +install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <> "${SECURITY}"/java.security <<'EOF' + +# +# System-wide crypto-policies and FIPS setup +# +# The following crypto-policies setup automatically detects when the system +# is in FIPS mode and configures OpenJDK accordingly. 
If OpenJDK needs to +# ignore the system and disable its FIPS setup, just disable the usage of +# the system crypto-policies, by any of the methods described below. +# +# The redhat.crypto-policies system property is a boolean switch that +# controls the usage on a per-run basis. For example, pass +# -Dredhat.crypto-policies=false to disable the system crypto-policies. +# +# This setup consists of the following files in $JAVA_HOME/conf/security: +# +# 'redhat/false/crypto-policies.properties' (policies usage disabled file) +# Empty file, applied when the boolean switch is passed as false. +# +# 'redhat/true/crypto-policies.properties' (policies usage enabled file) +# Performs the crypto-policies and FIPS setup, applied when the boolean +# switch is passed as true. +# +# 'redhat/crypto-policies.properties' (policies usage default file) +# Determines the default choice by including one of the previous files, +# applied when the boolean switch is not passed. +# The system crypto-policies usage is enabled by default: +# include true/crypto-policies.properties +# +# To enable or disable the usage of the crypto-policies on a per-deployment +# basis, edit the policies usage default file, changing the included file. +# For example, execute the following command to persistently disable the +# crypto-policies: +# sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties +# Applications can still override this on a per-run basis, for example by +# passing -Dredhat.crypto-policies=true. +# +# To disable the redhat.crypto-policies boolean switch, modify the following +# include directive as follows. 
Replace ${redhat.crypto-policies} by true to +# force-apply the system crypto-policies: +# include redhat/true/crypto-policies.properties +# Remove or comment out the include directive to force-disable the setup: +# #include redhat/${redhat.crypto-policies}/crypto-policies.properties +# +include redhat/${redhat.crypto-policies}/crypto-policies.properties +# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +# WARNING: anything placed after this include directive will apply on top +# of the described setup. Adding properties below this section is strongly +# discouraged, as it poses a risk of overriding the system crypto-policies +# or invalidating the FIPS deployment. +EOF + +# Local Variables: +# compile-command: "shellcheck create-redhat-properties-files.bash" +# End: diff --git a/fips-25u-df044414ef4.patch b/fips-25u-df044414ef4.patch new file mode 100644 index 0000000..8b210e6 --- /dev/null +++ b/fips-25u-df044414ef4.patch 
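Review bot: `[[ $# == 2 ]] || exit 1` fails silently, and nothing after it stops on error, so a failed `install --directory` or `install --mode 644` lets the script run on and still append the `include redhat/${redhat.crypto-policies}/crypto-policies.properties` directive to `java.security` on top of a half-created hierarchy; `set -euo pipefail` near the top plus `[[ $# == 2 ]] || { echo "usage: $0 SECURITY_DIR NSSADAPTER_PATH" >&2; exit 1; }` makes both failures visible in the build log. The append to `java.security` is also not idempotent — running the script twice on the same image yields two include directives, exactly the situation the trailing WARNING comment cautions against — so a `grep -q '^include redhat/' "${SECURITY}"/java.security` check before appending, failing loudly if the line is already present, would guard it. The heredoc bodies between the first `install` and the `java.security` append are not visible in this view, so the use of `NSSADAPTER` could not be checked here.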
@@ -0,0 +1,92 @@ +diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java +index de2845fb550..b1e416b90f4 100644 +--- a/src/java.base/share/classes/java/security/Provider.java ++++ b/src/java.base/share/classes/java/security/Provider.java +@@ -1203,6 +1203,39 @@ public Set getServices() { + return serviceSet; + } + ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ private static final class RedHatFIPSFilter { ++ static final boolean IS_ON = Boolean.parseBoolean( ++ Security.getProperty("__redhat_fips_filter__")); ++ private static final Set ANY_SERVICE_TYPE = Set.of(); ++ private static final Map> ALLOW_LIST = Map.of( ++ "SunPKCS11-FIPS", ANY_SERVICE_TYPE, ++ "SUN", Set.of( ++ "AlgorithmParameterGenerator", ++ "AlgorithmParameters", "CertificateFactory", ++ "CertPathBuilder", "CertPathValidator", "CertStore", ++ "Configuration", "KeyStore"), ++ "SunEC", Set.of( ++ "AlgorithmParameters", "KeyFactory"), ++ "SunJSSE", ANY_SERVICE_TYPE, ++ "SunJCE", Set.of( ++ "AlgorithmParameters", ++ "AlgorithmParameterGenerator", "KeyFactory", ++ "SecretKeyFactory"), ++ "SunRsaSign", Set.of( ++ "KeyFactory", "AlgorithmParameters"), ++ "XMLDSig", ANY_SERVICE_TYPE ++ ); ++ ++ static boolean isAllowed(String provName, String serviceType) { ++ Set allowedServiceTypes = ALLOW_LIST.get(provName); ++ return allowedServiceTypes != null && ++ (allowedServiceTypes == ANY_SERVICE_TYPE || ++ allowedServiceTypes.contains(serviceType)); ++ } ++ } ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ ++ + /** + * Add a service. 
If a service of the same type with the same algorithm + * name exists, and it was added using {@link #putService putService()}, +@@ -1231,6 +1264,15 @@ protected void putService(Service s) { + ("service.getProvider() must match this Provider object"); + } + String type = s.getType(); ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) { ++ if (debug != null) { ++ debug.println("The previous " + name + ".putService() call " + ++ "was skipped by " + RedHatFIPSFilter.class.getName()); ++ } ++ return; ++ } ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ + String algorithm = s.getAlgorithm(); + ServiceKey key = new ServiceKey(type, algorithm, true); + implRemoveService(serviceMap.get(key)); +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index 6969fe8a8e1..4501d5971c4 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -323,7 +323,27 @@ public Properties getInitialProperties() { + } + + private static void initialize() { ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ /* This 'include'-directives-only magic property is an internal */ ++ /* implementation detail that could (and probably will!) change. */ ++ /* Red Hat customers should NOT rely on this for their own use. 
*/ ++ String fipsKernelFlag = "/proc/sys/crypto/fips_enabled"; ++ boolean fipsModeOn; ++ try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) { ++ fipsModeOn = is.read() == '1'; ++ } catch (IOException ioe) { ++ fipsModeOn = false; ++ if (sdebug != null) { ++ sdebug.println("Failed to read FIPS kernel file: " + ioe); ++ } ++ } ++ String fipsMagicPropName = "__redhat_fips__"; ++ System.setProperty(fipsMagicPropName, "" + fipsModeOn); ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ + SecPropLoader.loadAll(); ++ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */ ++ System.clearProperty(fipsMagicPropName); ++ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { diff --git a/java-25-openjdk-portable.specfile b/java-25-openjdk-portable.specfile index 0b18950..1d11f45 100644 --- a/java-25-openjdk-portable.specfile +++ b/java-25-openjdk-portable.specfile @@ -226,7 +226,7 @@ # other targets since this target is configured to use in-tree # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib # and possibly others -%global static_libs_target static-libs-image +%global static_libs_target static-libs-graal-image %else %global static_libs_target %{nil} %endif @@ -376,7 +376,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 9203d50836c +%global fipsver df044414ef4 # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} 
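Review bot: In `Security.initialize()` the `__redhat_fips__` system property is set before `SecPropLoader.loadAll()` and cleared only on the line after it, so if `loadAll()` throws (an unreadable or malformed `java.security`, for instance) the property is left in the process for the lifetime of the JVM even though the comment above declares it an internal, include-only detail; `try { SecPropLoader.loadAll(); } finally { System.clearProperty(fipsMagicPropName); }` keeps the cleanup unconditional. `is.read() == '1'` deliberately inspects a single byte of `/proc/sys/crypto/fips_enabled`, which is fine for that file but deserves a one-line comment saying so, since the same pattern on a file with leading whitespace would report false. In `Provider.putService` the filtered service type is not part of the debug line; `debug.println("The previous " + name + ".putService() call for " + type + " was skipped by " + RedHatFIPSFilter.class.getName());` would make the log actionable. `putService` starts outside the hunk and both methods end outside it.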
@@ -391,7 +391,7 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 1 +%global rpmrelease 2 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -430,7 +430,7 @@ %global fullversion %{compatiblename}-%{version}-%{release} # images directories from upstream build %global jdkimage jdk -%global static_libs_image static-libs +%global static_libs_image static-libs-graal # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} @@ -640,7 +640,7 @@ Source18: TestTranslations.java ############################################ # Crypto policy and FIPS support patches # Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u -# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy @@ -674,7 +674,7 @@ Source18: TestTranslations.java # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] -# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # 
@@ -1003,8 +1003,7 @@ sh %{SOURCE12} %{top_level_dir_name} # rpmbuild. pushd %{top_level_dir_name} # Add crypto policy and FIPS support -# Disabled until 25 -#%patch -P1001 -p1 +%patch -P1001 -p1 popd # openjdk echo "Generating %{alt_java_name} man page" @@ -1967,6 +1966,14 @@ done %endif %changelog +* Tue Dec 02 2025 Severin Gehwolf - 1:25.0.1.0.8-2 +- Switch from static-libs-image to static-libs-graal-image to avoid large unneeded libjvm.a +- Resolves: OPENJDK-4197 + +* Tue Dec 02 2025 Andrew Hughes - 1:25.0.1.0.8-2 +- Incorporate new FIPS patch for 25u +- Resolves: OPENJDK-4184 + * Mon Nov 10 2025 Andrew Hughes - 1:25.0.1.0.8-1 - Update to jdk-25.0.1+8 (GA) - Update release notes to 25.0.1+8 diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index d0ded82..7c23a48 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -204,27 +204,6 @@ %endif %endif -%if %{include_staticlibs} -# Extra target for producing the static-libraries. Separate from -# other targets since this target is configured to use in-tree -# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib -# and possibly others -%global static_libs_target static-libs-image -%else -%global static_libs_target %{nil} -%endif - -# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM -%global debug_symbols internal - -# unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images -%global release_targets images docs-zip -# No docs nor bootcycle for debug builds -%global debug_targets images -# Target to use to just build HotSpot -%global hotspot_target hotspot - # debugedit tool for rewriting ELF file paths %if 0%{?rhel} >= 10 # From RHEL 10, the tool is in its own package installed in the usual location 
@@ -234,15 +213,6 @@ %global debugedit %{_rpmconfigdir}/debugedit %endif -# Filter out flags from the optflags macro that cause problems with the OpenJDK build -# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 -# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) -# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings -# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ -%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') -%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') -%global ourldflags %{__global_ldflags} - # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap @@ -352,9 +322,12 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the crypto policy & FIPS support patches -%global fipsver 9203d50836c +%global fipsver df044414ef4 +# Define nssadapter variables +%global nssadapter_version 0.1.0 +%global nssadapter_name nssadapter-%{nssadapter_version} # Define whether the crypto policy is expected to be active when testing -%global crypto_policy_active false +%global crypto_policy_active true # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -376,9 +349,9 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 2 +%global rpmrelease 6 # Settings used by the portable build -%global portablerelease 1 +%global portablerelease 2 # Portable suffix differs between RHEL and CentOS %if 0%{?centos} == 0 %global portablerhel %{?pkgos:7_9}%{!?pkgos:8} 
@@ -429,9 +402,6 @@ # parametrized macros are order-sensitive %global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} -# images directories from upstream build -%global jdkimage jdk -%global static_libs_image static-libs # output dir stub %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch @@ -904,6 +874,21 @@ fi %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy %{etcjavadir -- %{?1}}/conf/security/policy/README.txt %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security +%dir %{etcjavadir -- %{?1}}/conf/security/redhat +%dir %{etcjavadir -- %{?1}}/conf/security/redhat/false +%dir %{etcjavadir -- %{?1}}/conf/security/redhat/true +# config-noreplace in case the system administrator wants to adjust +# the FIPS configuration +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/SunPKCS11-FIPS.cfg +# config-noreplace in case the system administrator wants to change +# the default for crypto-policies usage +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/redhat/crypto-policies.properties +# The system administrator is never expected to change these files -- they +# are implementation details -- so leave them as not config-noreplace +%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/crypto-policies.properties +%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/crypto-policies.properties +%config %{etcjavadir -- %{?1}}/conf/security/redhat/false/fips.properties +%config %{etcjavadir -- %{?1}}/conf/security/redhat/true/fips.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # This is a config template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template 
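Review bot: `conf/security/java.security` stays `%config(noreplace)` while the new `include redhat/${redhat.crypto-policies}/crypto-policies.properties` directive is appended to it at build time by `create-redhat-properties-files.bash`, so on an upgrade from a release whose `java.security` an administrator had edited, RPM keeps the old file and parks the new one as `java.security.rpmnew`; the include directive is then absent and the crypto-policies/FIPS setup in the new `redhat/` hierarchy is silently never applied. For a security configuration that is a deployment-breaking failure mode, so either document it in the changelog and release notes or add a `%post`/`%posttrans` check that warns when the installed `java.security` lacks the `include redhat/` line. The plain `%config` entries for `redhat/true|false/*.properties` agree with the comment above them, and the three `%dir` entries cover the directories the script creates.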
@@ -1066,7 +1051,6 @@ fi %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/%{vm_variant}/lib*.a } %define files_javadoc() %{expand: @@ -1092,6 +1076,11 @@ fi %endif } +%define files_crypto_adapter() %{expand: +%dir %{_libdir}/%{sdkdir -- %{?1}} +%{_libdir}/%{sdkdir -- %{?1}}/libnssadapter.so +} + # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: Requires: fontconfig%{?_isa} @@ -1141,8 +1130,6 @@ Requires: lksctp-tools%{?_isa} Requires: cups-libs # for system security properties Requires: crypto-policies -# for FIPS PKCS11 provider -Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1152,6 +1139,8 @@ Requires(postun): %{alternatives_requires} %if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} %endif +# for libnssadapter.so +Requires: %{name}-crypto-adapter%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Standard JPackage base provides Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} 
@@ -1355,6 +1344,12 @@ Source29: 0007-Tools.gmk-Exclude-systemtap-sdt-devel-on-s390x-ppc64.patch # Use update repository on RHEL rather than GA (OPENJDK-3589) Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch +# FIPS support sources. +# For libnssadapter.so (RHEL-128413) +Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/%{nssadapter_name}.tar.xz +# Create OpenJDK's crypto-policies hierarchy (RHEL-128409) +Source32: create-redhat-properties-files.bash + # Setup variables to reference correct sources %global releasezip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz %global staticlibzip %{_jvmdir}/%{name}-%{version}-%{prelease}.portable.static-libs.%{_arch}.tar.xz @@ -1373,7 +1368,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # Crypto policy and FIPS support patches # Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u -# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch +# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy @@ -1407,7 +1402,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] -# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # 
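Review bot: `Source31` is a release-tarball URL pinned only by `%{nssadapter_version}`; the spec carries no digest for it, so the integrity of `libnssadapter.so`'s source rests entirely on the lookaside `sources` entry, whose diff is cut off at the end of this patch. A comment beside `Source31` naming the upstream release tag and stating that the tarball hash is recorded in `sources` would make that dependency explicit for whoever next bumps `nssadapter_version`, e.g. `# Integrity is checked against the hash in the 'sources' file; update both together.`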
@@ -1433,6 +1428,13 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # Currently empty +############################################# +# +# NSS adapter patches +# +############################################# +Patch2001: nssadapter-ldflags.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: alsa-lib-devel @@ -1490,6 +1492,10 @@ BuildRequires: systemtap-sdt-devel %endif BuildRequires: make +# libnssadapter.so build requirements +BuildRequires: nss-devel +BuildRequires: nss-softokn-devel + %if %{system_libs} BuildRequires: freetype-devel BuildRequires: giflib-devel 
@@ -1836,6 +1842,46 @@ Requires(postun): %{alternatives_requires} The %{origin_nice} %{featurever} API documentation compressed in a single archive. %endif +# java-25-openjdk-crypto-adapter +%if %{include_normal_build} +%package crypto-adapter +Summary: %{origin_nice} %{featurever} Cryptography Adapter Library +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +# java-25-openjdk-crypto-adapter does not need an "rpo" function since +# its specific nss and nss-softokn library requirements are +# automatically generated by RPM. + +%description crypto-adapter +The %{origin_nice} %{featurever} cryptography adapter library. +%endif + +%if %{include_debug_build} +%package crypto-adapter-slowdebug +Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%description crypto-adapter-slowdebug +The %{origin_nice} %{featurever} cryptography adapter library. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package crypto-adapter-fastdebug +Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif + +%description crypto-adapter-fastdebug +The %{origin_nice} %{featurever} cryptography adapter library. +%{fastdebug_warning} +%endif + %prep echo "Preparing %{oj_vendor_version}" @@ -1873,6 +1919,8 @@ fi export XZ_OPT="-T0" %setup -q -c -n %{uniquesuffix ""} -T -a 0 +# Prepare libnssadapter.so source code +tar -xJf %{SOURCE31} # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` if [ $prioritylength -ne 8 ] ; then 
@@ -1903,10 +1951,14 @@ sh %{SOURCE12} %{top_level_dir_name} # rpmbuild. pushd %{top_level_dir_name} # Add crypto policy and FIPS support -# Disabled until 25 -#%patch -P1001 -p1 +%patch -P1001 -p1 popd # openjdk +# Patch NSS adapter +pushd %{nssadapter_name} +%patch -P2001 -p1 +popd # nssadapter + # The OpenJDK version file includes the current # upstream version information. For some reason, # configure does not automatically use the @@ -1948,11 +2000,12 @@ done function customisejdk() { local imagepath=${1} + local suffix=${2} if [ -d ${imagepath} ] ; then - # Turn on system security properties - sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ - ${imagepath}/conf/security/java.security + # Install crypto-policies FIPS configuration files and append + # include line to java.security + bash -x %{SOURCE32} ${imagepath}/conf/security %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so # Use system-wide tzdata rm ${imagepath}/lib/tzdb.dat @@ -1977,12 +2030,16 @@ for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then jdkzip=%{releasezip} staticlibzip=%{staticlibzip} + make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}" elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then jdkzip=%{fastdebugzip} staticlibzip=%{fastdebugstaticlibzip} + make -C %{nssadapter_name} CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}" else # slowdebug jdkzip=%{slowdebugzip} staticlibzip=%{slowdebugstaticlibzip} + # Disable _FORTIFY_SOURCE to allow for no optimization + make -C %{nssadapter_name} CFLAGS="%{build_cflags} -O0 -Wp,-U_FORTIFY_SOURCE" LDFLAGS="%{build_ldflags}" fi installdir=%{installoutputdir -- ${suffix}} 
@@ -1992,6 +2049,10 @@ for suffix in %{build_loop} ; do tar -xJf ${staticlibzip} mv java-%{featurever}-openjdk* ${installdir} + # Install and clean libnssadapter.so + install -m 755 %{nssadapter_name}/bin/libnssadapter.so ${installdir}/lib + make -C %{nssadapter_name} clean + # Fix build paths in ELF files so it looks like we built them portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}" for file in $(find ${installdir} -type f) ; do @@ -2017,7 +2078,7 @@ for suffix in %{build_loop} ; do %endif # Final setup on the main image - customisejdk ${installdir} + customisejdk ${installdir} ${suffix} # Print release information cat ${installdir}/release @@ -2057,7 +2118,7 @@ $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -versi export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") export SEC_DEBUG="-Djava.security.debug=properties" $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} %{crypto_policy_active} - $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + $JAVA_HOME/bin/java ${SEC_DEBUG} -Dredhat.crypto-policies=false ${PROG} false # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} @@ -2225,6 +2286,9 @@ install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $ done %endif + install -d -m 755 $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}} + mv $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/libnssadapter.so $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}} + # Remove empty cacerts database rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts # Install cacerts symlink needed by some apps which hard-code the path @@ -2471,6 +2535,9 @@ exit 0 %endif %if %{include_normal_build} +%files crypto-adapter +%{files_crypto_adapter %{nil}} + %files headless %{files_jre_headless %{nil}} 
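Review bot: The `%check` hunk exercises the default include path (`${PROG} %{crypto_policy_active}`) and the explicit disable (`-Dredhat.crypto-policies=false ${PROG} false`), but not the explicit enable that the test's own compile-command in `TestSecurityProperties.java` covers; adding `$JAVA_HOME/bin/java ${SEC_DEBUG} -Dredhat.crypto-policies=true ${PROG} true` would catch a broken `${redhat.crypto-policies}` substitution that the unset-property default happens to hide. Note also that the `.so` path handed to `create-redhat-properties-files.bash` in `customisejdk` is the final `%{_libdir}` location, which is only populated by the `mv` in the `%install` hunk below, so at `%check` time the image's adapter configuration points at a file that does not yet exist; this presumably does not matter because the test checks properties rather than initialising the provider, but a comment in `customisejdk` saying so would keep a future FIPS-mode test from tripping over it.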
@@ -2502,6 +2569,9 @@ exit 0 %endif %if %{include_debug_build} +%files crypto-adapter-slowdebug +%{files_crypto_adapter -- %{debug_suffix_unquoted}} + %files slowdebug %{files_jre -- %{debug_suffix_unquoted}} @@ -2527,6 +2597,9 @@ exit 0 %endif %if %{include_fastdebug_build} +%files crypto-adapter-fastdebug +%{files_crypto_adapter -- %{fastdebug_suffix_unquoted}} + %files fastdebug %{files_jre -- %{fastdebug_suffix_unquoted}} @@ -2553,6 +2626,39 @@ exit 0 %endif %changelog +* Sat Dec 06 2025 Andrew Hughes - 1:25.0.1.0.8-6 +- Sync the copy of the portable specfile with the latest update +- Related: RHEL-133733 +- Related: RHEL-133735 + +* Thu Dec 04 2025 Thomas Fitzsimmons - 1:25.0.1.0.8-6 +- Remove /usr/lib/jvm/java-25-openjdk/conf/security/redhat/fips.properties +- Resolves: RHEL-131897 + +* Thu Dec 04 2025 Andrew Hughes - 1:25.0.1.0.8-5 +- Incorporate new FIPS patch for 25u +- Drop static libjvm.a following adjusted build target for portable build +- Remove redundant (and now outdated) build targets, jdkimage and static_libs_image +- Pass ourflags and ourldflags into the nssadapter build using CFLAGS & LDFLAGS +- Patch the nssadapter build to recognise LDFLAGS +- Remove OpenJDK compiler flag filters and use build_{c,ld}flags directly +- Resolves: RHEL-133733 +- Resolves: RHEL-133735 +- Resolves: RHEL-133763 + +* Wed Nov 26 2025 Thomas Fitzsimmons - 1:25.0.1.0.8-4 +- Add java-25-openjdk-crypto-adapter subpackage +- Update library setting in create-redhat-properties-files.bash +- Resolves: RHEL-131896 + +* Mon Nov 24 2025 Thomas Fitzsimmons - 1:25.0.1.0.8-3 +- Add libnssadapter.so +- Add FIPS crypto-policies configuration +- Remove obsolete security.useSystemPropertiesFile setup +- Update TestSecurityProperties.java test and calling convention +- Resolves: RHEL-128413 +- Resolves: RHEL-128409 + * Wed Nov 12 2025 Andrew Hughes - 1:25.0.1.0.8-2 - Remove superfluous backslashes that cause two alternative commands to be combined - Related: RHEL-120553 
diff --git a/nssadapter-ldflags.patch b/nssadapter-ldflags.patch
new file mode 100644
index 0000000..04171b2
--- /dev/null
+++ b/nssadapter-ldflags.patch
@@ -0,0 +1,41 @@
+diff --git a/Makefile b/Makefile
+index 5175f21..571748a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -13,12 +13,12 @@ DEVEL_PKGS = nss nss-softokn
+ LIB_DIR = $(shell pkg-config --variable=libdir nss-softokn)
+ SHARED_LIBS = pthread softokn3 nss3
+ STATIC_LIBS = freebl
+-SHR_CFLAGS = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL \
+- $(addprefix -l,$(SHARED_LIBS)) \
++SHR_CFLAGS = -shared -fPIC -fvisibility=hidden \
+ $(strip $(shell pkg-config --cflags $(DEVEL_PKGS))) \
+ -Wpedantic -Wall -Wextra -Wconversion -Werror
+ DBG_CFLAGS = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \
+ -O0 -g
++SHR_LDFLAGS = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS))
+ 
+ # https://clang.llvm.org/docs/ClangFormatStyleOptions.html
+ CLANG_FORMAT_STYLE = { \
+@@ -53,10 +53,12 @@ endif
+ 
+ .PHONY: release ## Build the library in RELEASE mode (default)
+ release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS)
++release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT)
+ 
+ .PHONY: debug ## Build the library in DEBUG mode
+ debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS)
++debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL)
+ debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT)
+ 
+@@ -73,7 +75,7 @@ $(BIN_DIR):
+ 
+ $(OUTPUT): $(BIN_DIR) $(SRC_FILES)
+ @$(CREATE_DBG_SENTINEL_IF_NEEDED)
+- $(CC) $(BLD_CFLAGS) $(filter %.c, $+) \
++ $(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \
+ $(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@
+ 
+ 
diff --git a/sources b/sources
index 0e19609..59c1c62 100644
--- a/sources
+++ b/sources
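Review bot: The new `SHR_LDFLAGS` and the `$(BLD_LDFLAGS)` appended after the objects on the `$(CC)` line carry no comment explaining why `-Wl,--exclude-libs,ALL` and the `-l` list left `SHR_CFLAGS`, and the effect that matters for packaging — the caller's `$(LDFLAGS)` now reaches the link step at all — is recorded only in the spec changelog. A short comment next to `SHR_LDFLAGS` would survive the next rebase: `# Link-only flags, kept out of SHR_CFLAGS so caller CFLAGS and LDFLAGS each apply to the right stage; --exclude-libs,ALL keeps the statically linked freebl symbols out of the DSO's dynamic symbol table`. `$(BLD_LDFLAGS)` is also placed before the static `libfreebl.a` and its own `-l` entries come before `$(LDFLAGS)`, so a `-Wl,--as-needed` supplied by the caller would not apply to them; that is workable, but it is an ordering assumption the comment could state.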
@@ -1,2 +1,3 @@
+SHA512 (nssadapter-0.1.0.tar.xz) = 581f49d1a27550e3a2fa0a9d407f43c507627a8439827904d14daaf24e071d9f73884a2abe4cb3d36d26f1af09ef7d20724b2d40c9bac202e0316fac6c1a636b
 SHA512 (openjdk-25.0.1+8.tar.xz) = eb84d876f81ca02803283e8294c89b6acbed3753426811c3bcc228615c9618deefc85da4aa702800cac2feb103e628ee8b92292b316e9d7e12a58b6de69c5085
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30