Portable build

create-redhat-properties-files.bash

@@ -23,28 +23,30 @@
 #
 # Usage:
 #
-# bash create-redhat-properties-files.bash <target directory>
+# bash create-redhat-properties-files.bash <target directory> <nssadapter path>
 #
 # Example usage in spec file:
 #
-# bash -x create-redhat-properties-files.bash ${imagepath}/conf/security
+# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \
+#     %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
 #
 # When you make changes to the file set here, also update the %files
 # section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
 # in TestSecurityProperties.java.
 
-[[ $# == 1 ]] || exit 1
+[[ $# == 2 ]] || exit 1
 
 SECURITY="${1}"
+NSSADAPTER="${2}"
 VENDOR="${SECURITY}"/redhat
 install --directory --mode=755 "${VENDOR}"
 install --directory --mode=755 "${VENDOR}"/true
 install --directory --mode=755 "${VENDOR}"/false
 
 # /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
-install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<'EOF'
+install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
 name = FIPS
-library = ${java.home}/lib/libnssadapter.so
+library = ${NSSADAPTER}
 slot = 3
 nssUseSecmod = false
 attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
@@ -107,16 +109,6 @@ security.provider.8=
 keystore.type=pkcs12
 EOF
 
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/fips.properties
-# For now, this prevents an include cycle on JDKs that do not support
-# ${__redhat_fips__}.  In the future the goal is for it be overwritten
-# (based on /proc/sys/crypto/fips_enabled) at FIPS configuration time
-# (by fips-mode-setup or by grubby), at RPM install time by a
-# post-install hook, and/or during boot by a systemd oneshot service.
-install --mode 644 /dev/stdin "${VENDOR}"/fips.properties <<'EOF'
-include false/fips.properties
-EOF
-
 cat >> "${SECURITY}"/java.security <<'EOF'
 
 #

fips-25u-df044414ef4.patch

@@ -0,0 +1,92 @@
+diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
+index de2845fb550..b1e416b90f4 100644
+--- a/src/java.base/share/classes/java/security/Provider.java
++++ b/src/java.base/share/classes/java/security/Provider.java
+@@ -1203,6 +1203,39 @@ public Set<Service> getServices() {
+         return serviceSet;
+     }
+ 
++    /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
++    private static final class RedHatFIPSFilter {
++        static final boolean IS_ON = Boolean.parseBoolean(
++                Security.getProperty("__redhat_fips_filter__"));
++        private static final Set<String> ANY_SERVICE_TYPE = Set.of();
++        private static final Map<String, Set<String>> ALLOW_LIST = Map.of(
++                "SunPKCS11-FIPS", ANY_SERVICE_TYPE,
++                "SUN", Set.of(
++                        "AlgorithmParameterGenerator",
++                        "AlgorithmParameters", "CertificateFactory",
++                        "CertPathBuilder", "CertPathValidator", "CertStore",
++                        "Configuration", "KeyStore"),
++                "SunEC", Set.of(
++                        "AlgorithmParameters", "KeyFactory"),
++                "SunJSSE", ANY_SERVICE_TYPE,
++                "SunJCE", Set.of(
++                        "AlgorithmParameters",
++                        "AlgorithmParameterGenerator", "KeyFactory",
++                        "SecretKeyFactory"),
++                "SunRsaSign", Set.of(
++                        "KeyFactory", "AlgorithmParameters"),
++                "XMLDSig", ANY_SERVICE_TYPE
++        );
++
++        static boolean isAllowed(String provName, String serviceType) {
++            Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
++            return allowedServiceTypes != null &&
++                    (allowedServiceTypes == ANY_SERVICE_TYPE ||
++                            allowedServiceTypes.contains(serviceType));
++        }
++    }
++    /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
++
+     /**
+      * Add a service. If a service of the same type with the same algorithm
+      * name exists, and it was added using {@link #putService putService()},
+@@ -1231,6 +1264,15 @@ protected void putService(Service s) {
+                     ("service.getProvider() must match this Provider object");
+         }
+         String type = s.getType();
++        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
++        if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
++            if (debug != null) {
++                debug.println("The previous " + name + ".putService() call " +
++                        "was skipped by " + RedHatFIPSFilter.class.getName());
++            }
++            return;
++        }
++        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+         String algorithm = s.getAlgorithm();
+         ServiceKey key = new ServiceKey(type, algorithm, true);
+         implRemoveService(serviceMap.get(key));
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index 6969fe8a8e1..4501d5971c4 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
+     }
+ 
+     private static void initialize() {
++        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
++        /*   This 'include'-directives-only magic property is an internal     */
++        /*   implementation detail that could (and probably will!) change.    */
++        /*   Red Hat customers should NOT rely on this for their own use.     */
++        String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
++        boolean fipsModeOn;
++        try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
++            fipsModeOn = is.read() == '1';
++        } catch (IOException ioe) {
++            fipsModeOn = false;
++            if (sdebug != null) {
++                sdebug.println("Failed to read FIPS kernel file: " + ioe);
++            }
++        }
++        String fipsMagicPropName = "__redhat_fips__";
++        System.setProperty(fipsMagicPropName, "" + fipsModeOn);
++        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+         SecPropLoader.loadAll();
++        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
++        System.clearProperty(fipsMagicPropName);
++        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+         initialSecurityProperties = (Properties) props.clone();
+         if (sdebug != null) {
+             for (String key : props.stringPropertyNames()) {

java-25-openjdk-portable.specfile

@@ -226,7 +226,7 @@
 # other targets since this target is configured to use in-tree
 # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
 # and possibly others
-%global static_libs_target static-libs-image
+%global static_libs_target static-libs-graal-image
 %else
 %global static_libs_target %{nil}
 %endif
@@ -376,7 +376,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 9203d50836c
+%global fipsver df044414ef4
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 %global javaver         %{featurever}
@@ -391,7 +391,7 @@
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        8
-%global rpmrelease      1
+%global rpmrelease      2
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@@ -430,7 +430,7 @@
 %global fullversion     %{compatiblename}-%{version}-%{release}
 # images directories from upstream build
 %global jdkimage                jdk
-%global static_libs_image       static-libs
+%global static_libs_image       static-libs-graal
 # output dir stub
 %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
 %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
@@ -640,7 +640,7 @@ Source18: TestTranslations.java
 ############################################
 # Crypto policy and FIPS support patches
 # Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
-# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
+# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
 # PR3183, RH1340845: Follow system wide crypto policy
@@ -674,7 +674,7 @@ Source18: TestTranslations.java
 # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
 # RH1940064: Enable XML Signature provider in FIPS mode
 # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
-# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch
+Patch1001: fips-%{featurever}u-%{fipsver}.patch
 
 #############################################
 #
@@ -1003,8 +1003,7 @@ sh %{SOURCE12} %{top_level_dir_name}
 # rpmbuild.
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
-# Disabled until 25
+%patch -P1001 -p1
-#%patch -P1001 -p1
 popd # openjdk
 
 echo "Generating %{alt_java_name} man page"
@@ -1967,6 +1966,17 @@ done
 %endif
 
 %changelog
+* Wed Dec 10 2025 eabdullin <eabdullin@almalinux.org> - 1:25.0.1.0.8-2
+- Portable build
+
+* Tue Dec 02 2025 Severin Gehwolf <sgehwolf@redhat.com> - 1:25.0.1.0.8-2
+- Switch from static-libs-image to static-libs-graal-image to avoid large unneeded libjvm.a
+- Resolves: OPENJDK-4197
+
+* Tue Dec 02 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-2
+- Incorporate new FIPS patch for 25u
+- Resolves: OPENJDK-4184
+
 * Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-1
 - Update to jdk-25.0.1+8 (GA)
 - Update release notes to 25.0.1+8

java-25-openjdk.spec

@@ -0,0 +1 @@
+java-25-openjdk-portable.specfile

nssadapter-ldflags.patch

@@ -0,0 +1,41 @@
+diff --git a/Makefile b/Makefile
+index 5175f21..571748a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -13,12 +13,12 @@ DEVEL_PKGS    = nss nss-softokn
+ LIB_DIR       = $(shell pkg-config --variable=libdir nss-softokn)
+ SHARED_LIBS   = pthread softokn3 nss3
+ STATIC_LIBS   = freebl
+-SHR_CFLAGS    = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL       \
+-                $(addprefix -l,$(SHARED_LIBS))                                 \
++SHR_CFLAGS    = -shared -fPIC -fvisibility=hidden                              \
+                 $(strip $(shell pkg-config --cflags $(DEVEL_PKGS)))            \
+                 -Wpedantic -Wall -Wextra -Wconversion -Werror
+ DBG_CFLAGS    = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \
+                 -O0 -g
++SHR_LDFLAGS   = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS))
+ 
+ # https://clang.llvm.org/docs/ClangFormatStyleOptions.html
+ CLANG_FORMAT_STYLE = {                                                         \
+@@ -53,10 +53,12 @@ endif
+ 
+ .PHONY: release ## Build the library in RELEASE mode (default)
+ release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS)
++release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT)
+ 
+ .PHONY: debug ## Build the library in DEBUG mode
+ debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS)
++debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL)
+ debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT)
+ 
+@@ -73,7 +75,7 @@ $(BIN_DIR):
+ 
+ $(OUTPUT): $(BIN_DIR) $(SRC_FILES)
+ 	@$(CREATE_DBG_SENTINEL_IF_NEEDED)
+-	$(CC) $(BLD_CFLAGS) $(filter %.c, $+)                                      \
++	$(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \
+ 	      $(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@
+ 
+