Add java-25-openjdk-crypto-adapter subpackage

- Update library setting in create-redhat-properties-files.bash Resolves: RHEL-132520
2025-11-26 16:47:25 -05:00 · 2025-11-26 16:47:25 -05:00 · b7cd857474
commit b7cd857474
parent f91aefcafd
2 changed files with 75 additions and 11 deletions
--- a/create-redhat-properties-files.bash
+++ b/create-redhat-properties-files.bash
@ -23,28 +23,30 @@
 #
 # Usage:
 #
-# bash create-redhat-properties-files.bash <target directory>
+# bash create-redhat-properties-files.bash <target directory> <nssadapter path>
 #
 # Example usage in spec file:
 #
-# bash -x create-redhat-properties-files.bash ${imagepath}/conf/security
+# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \
+#     %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
 #
 # When you make changes to the file set here, also update the %files
 # section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
 # in TestSecurityProperties.java.

-[[ $# == 1 ]] || exit 1
+[[ $# == 2 ]] || exit 1

 SECURITY="${1}"
+NSSADAPTER="${2}"
 VENDOR="${SECURITY}"/redhat
 install --directory --mode=755 "${VENDOR}"
 install --directory --mode=755 "${VENDOR}"/true
 install --directory --mode=755 "${VENDOR}"/false

 # /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
-install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<'EOF'
+install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
 name = FIPS
-library = ${java.home}/lib/libnssadapter.so
+library = ${NSSADAPTER}
 slot = 3
 nssUseSecmod = false
 attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@ -379,7 +379,7 @@
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        8
-%global rpmrelease      1
+%global rpmrelease      2
 # Settings used by the portable build
 %global portablerelease 1
 # Portable suffix differs between RHEL and CentOS
@ -848,7 +848,6 @@ fi
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnssadapter.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
 # Some architectures don't have the serviceability agent
@ -1112,6 +1111,11 @@ fi
 %endif
 }

+%define files_crypto_adapter() %{expand:
+%dir %{_libdir}/%{sdkdir -- %{?1}}
+%{_libdir}/%{sdkdir -- %{?1}}/libnssadapter.so
+}
+
 # not-duplicated requires/provides/obsoletes for normal/debug packages
 %define java_rpo() %{expand:
 Requires: fontconfig%{?_isa}
@ -1161,8 +1165,6 @@ Requires: lksctp-tools%{?_isa}
 Requires: cups-libs
 # for system security properties
 Requires: crypto-policies
-# for FIPS PKCS11 provider
-Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # Postun requires alternatives to uninstall tool alternatives
@ -1172,6 +1174,8 @@ Requires(postun): %{alternatives_requires}
 %if 0%{?rhel} >= 8 || 0%{?fedora} > 0
 Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
 %endif
+# for libnssadapter.so
+Requires: %{name}-crypto-adapter%{?1}%{?_isa} = %{epoch}:%{version}-%{release}

 # Standard JPackage base provides
 Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
@ -1873,6 +1877,46 @@ Requires(postun): %{alternatives_requires}
 The %{origin_nice} %{featurever} API documentation compressed in a single archive.
 %endif

+# java-25-openjdk-crypto-adapter
+%if %{include_normal_build}
+%package crypto-adapter
+Summary: %{origin_nice} %{featurever} Cryptography Adapter Library
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+# java-25-openjdk-crypto-adapter does not need an "rpo" function since
+# its specific nss and nss-softokn library requirements are
+# automatically generated by RPM.
+
+%description crypto-adapter
+The %{origin_nice} %{featurever} cryptography adapter library.
+%endif
+
+%if %{include_debug_build}
+%package crypto-adapter-slowdebug
+Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%description crypto-adapter-slowdebug
+The %{origin_nice} %{featurever} cryptography adapter library.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package crypto-adapter-fastdebug
+Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%description crypto-adapter-fastdebug
+The %{origin_nice} %{featurever} cryptography adapter library.
+%{fastdebug_warning}
+%endif
+
 %prep

 echo "Preparing %{oj_vendor_version}"
@ -1992,11 +2036,12 @@ done

 function customisejdk() {
    local imagepath=${1}
+    local suffix=${2}

    if [ -d ${imagepath} ] ; then
        # Install crypto-policies FIPS configuration files and append
        # include line to java.security
-        bash -x %{SOURCE32} ${imagepath}/conf/security
+        bash -x %{SOURCE32} ${imagepath}/conf/security %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so

        # Use system-wide tzdata
        rm ${imagepath}/lib/tzdb.dat
@ -2069,7 +2114,7 @@ for suffix in %{build_loop} ; do
 %endif

  # Final setup on the main image
-  customisejdk ${installdir}
+  customisejdk ${installdir} ${suffix}

  # Print release information
  cat ${installdir}/release
@ -2277,6 +2322,9 @@ install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $
  done
 %endif

+  install -d -m 755 $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}}
+  mv $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/libnssadapter.so $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}}
+
  # Remove empty cacerts database
  rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
  # Install cacerts symlink needed by some apps which hard-code the path
@ -2523,6 +2571,9 @@ exit 0
 %endif

 %if %{include_normal_build}
+%files crypto-adapter
+%{files_crypto_adapter %{nil}}
+
 %files headless
 %{files_jre_headless %{nil}}

@ -2554,6 +2605,9 @@ exit 0
 %endif

 %if %{include_debug_build}
+%files crypto-adapter-slowdebug
+%{files_crypto_adapter -- %{debug_suffix_unquoted}}
+
 %files slowdebug
 %{files_jre -- %{debug_suffix_unquoted}}

@ -2579,6 +2633,9 @@ exit 0
 %endif

 %if %{include_fastdebug_build}
+%files crypto-adapter-fastdebug
+%{files_crypto_adapter --  %{fastdebug_suffix_unquoted}}
+
 %files fastdebug
 %{files_jre -- %{fastdebug_suffix_unquoted}}

@ -2605,6 +2662,11 @@ exit 0
 %endif

 %changelog
+* Mon Dec 08 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-2
+- Add java-25-openjdk-crypto-adapter subpackage
+- Update library setting in create-redhat-properties-files.bash
+- Resolves: RHEL-132520
+
 * Fri Nov 28 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-1
 - Pass ourflags and ourldflags into the nssadapter build using CFLAGS & LDFLAGS
 - Patch the nssadapter build to recognise LDFLAGS