From e46a6299c5c557a0fb7224ac896647d571632aa0 Mon Sep 17 00:00:00 2001
From: Thomas Fitzsimmons <fitzsim@redhat.com>
Date: Wed, 26 Nov 2025 16:47:25 -0500
Subject: [PATCH] Add java-25-openjdk-crypto-adapter subpackage

- Add java-25-openjdk-crypto-adapter subpackage
- Update library setting in create-redhat-properties-files.bash
- Resolves: RHEL-131896
---
 create-redhat-properties-files.bash | 12 +++--
 java-25-openjdk.spec                | 74 ++++++++++++++++++++++++++---
 2 files changed, 75 insertions(+), 11 deletions(-)

diff --git a/create-redhat-properties-files.bash b/create-redhat-properties-files.bash
index 39c7ffc..60264f2 100644
--- a/create-redhat-properties-files.bash
+++ b/create-redhat-properties-files.bash
@@ -23,28 +23,30 @@
 #
 # Usage:
 #
-# bash create-redhat-properties-files.bash <target directory>
+# bash create-redhat-properties-files.bash <target directory> <nssadapter path>
 #
 # Example usage in spec file:
 #
-# bash -x create-redhat-properties-files.bash ${imagepath}/conf/security
+# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \
+#     %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
 #
 # When you make changes to the file set here, also update the %files
 # section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
 # in TestSecurityProperties.java.
 
-[[ $# == 1 ]] || exit 1
+[[ $# == 2 ]] || exit 1
 
 SECURITY="${1}"
+NSSADAPTER="${2}"
 VENDOR="${SECURITY}"/redhat
 install --directory --mode=755 "${VENDOR}"
 install --directory --mode=755 "${VENDOR}"/true
 install --directory --mode=755 "${VENDOR}"/false
 
 # /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
-install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<'EOF'
+install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
 name = FIPS
-library = ${java.home}/lib/libnssadapter.so
+library = ${NSSADAPTER}
 slot = 3
 nssUseSecmod = false
 attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec
index 73cbf7e..8052c71 100644
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@@ -378,7 +378,7 @@
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        8
-%global rpmrelease      3
+%global rpmrelease      4
 # Settings used by the portable build
 %global portablerelease 1
 # Portable suffix differs between RHEL and CentOS
@@ -847,7 +847,6 @@ fi
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnssadapter.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
 # Some architectures don't have the serviceability agent
@@ -1111,6 +1110,11 @@ fi
 %endif
 }
 
+%define files_crypto_adapter() %{expand:
+%dir %{_libdir}/%{sdkdir -- %{?1}}
+%{_libdir}/%{sdkdir -- %{?1}}/libnssadapter.so
+}
+
 # not-duplicated requires/provides/obsoletes for normal/debug packages
 %define java_rpo() %{expand:
 Requires: fontconfig%{?_isa}
@@ -1160,8 +1164,6 @@ Requires: lksctp-tools%{?_isa}
 Requires: cups-libs
 # for system security properties
 Requires: crypto-policies
-# for FIPS PKCS11 provider
-Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # Postun requires alternatives to uninstall tool alternatives
@@ -1171,6 +1173,8 @@ Requires(postun): %{alternatives_requires}
 %if 0%{?rhel} >= 8 || 0%{?fedora} > 0
 Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
 %endif
+# for libnssadapter.so
+Requires: %{name}-crypto-adapter%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
 
 # Standard JPackage base provides
 Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
@@ -1865,6 +1869,46 @@ Requires(postun): %{alternatives_requires}
 The %{origin_nice} %{featurever} API documentation compressed in a single archive.
 %endif
 
+# java-25-openjdk-crypto-adapter
+%if %{include_normal_build}
+%package crypto-adapter
+Summary: %{origin_nice} %{featurever} Cryptography Adapter Library
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+# java-25-openjdk-crypto-adapter does not need an "rpo" function since
+# its specific nss and nss-softokn library requirements are
+# automatically generated by RPM.
+
+%description crypto-adapter
+The %{origin_nice} %{featurever} cryptography adapter library.
+%endif
+
+%if %{include_debug_build}
+%package crypto-adapter-slowdebug
+Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%description crypto-adapter-slowdebug
+The %{origin_nice} %{featurever} cryptography adapter library.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package crypto-adapter-fastdebug
+Summary: %{origin_nice} %{featurever} Cryptography Adapter Library %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group:   Development/Languages
+%endif
+
+%description crypto-adapter-fastdebug
+The %{origin_nice} %{featurever} cryptography adapter library.
+%{fastdebug_warning}
+%endif
+
 %prep
 
 echo "Preparing %{oj_vendor_version}"
@@ -1979,11 +2023,12 @@ done
 
 function customisejdk() {
     local imagepath=${1}
+    local suffix=${2}
 
     if [ -d ${imagepath} ] ; then
         # Install crypto-policies FIPS configuration files and append
         # include line to java.security
-        bash -x %{SOURCE32} ${imagepath}/conf/security
+        bash -x %{SOURCE32} ${imagepath}/conf/security %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
 
         # Use system-wide tzdata
         rm ${imagepath}/lib/tzdb.dat
@@ -2056,7 +2101,7 @@ for suffix in %{build_loop} ; do
 %endif
 
   # Final setup on the main image
-  customisejdk ${installdir}
+  customisejdk ${installdir} ${suffix}
 
   # Print release information
   cat ${installdir}/release
@@ -2264,6 +2309,9 @@ install -D -p -m 755 ${miscdir}/%{alt_java_name} $RPM_BUILD_ROOT%{jrebindir -- $
   done
 %endif
 
+  install -d -m 755 $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}}
+  mv $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/libnssadapter.so $RPM_BUILD_ROOT%{_libdir}/%{sdkdir -- ${suffix}}
+
   # Remove empty cacerts database
   rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
   # Install cacerts symlink needed by some apps which hard-code the path
@@ -2510,6 +2558,9 @@ exit 0
 %endif
 
 %if %{include_normal_build}
+%files crypto-adapter
+%{files_crypto_adapter %{nil}}
+
 %files headless
 %{files_jre_headless %{nil}}
 
@@ -2541,6 +2592,9 @@ exit 0
 %endif
 
 %if %{include_debug_build}
+%files crypto-adapter-slowdebug
+%{files_crypto_adapter -- %{debug_suffix_unquoted}}
+
 %files slowdebug
 %{files_jre -- %{debug_suffix_unquoted}}
 
@@ -2566,6 +2620,9 @@ exit 0
 %endif
 
 %if %{include_fastdebug_build}
+%files crypto-adapter-fastdebug
+%{files_crypto_adapter --  %{fastdebug_suffix_unquoted}}
+
 %files fastdebug
 %{files_jre -- %{fastdebug_suffix_unquoted}}
 
@@ -2592,6 +2649,11 @@ exit 0
 %endif
 
 %changelog
+* Wed Nov 26 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-4
+- Add java-25-openjdk-crypto-adapter subpackage
+- Update library setting in create-redhat-properties-files.bash
+- Resolves: RHEL-131896
+
 * Mon Nov 24 2025 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.1.0.8-3
 - Add libnssadapter.so
 - Add FIPS crypto-policies configuration