diff --git a/.gitignore b/.gitignore
index 013fe09..8e6cb15 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 8f03300..458b439 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-71e5a111b66d7a8e4234d35117e0fd663d39f9ce SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
+10817d699dd7c85b03cfbd8eb820e00b19ddcae7 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index b87597c..a6788c4 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -84,6 +84,8 @@ Live versions of these release notes can be found at:
 - JDK-8297804: (tz) Update Timezone Data to 2022g
 - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
 - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
+ - JDK-8300178: JDK-8286496 causes build failure on older GCC
+ - JDK-8300225: JDK-8288516 causes build failure on Windows + VS2010
 Notes on individual issues:
 ===========================
diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch
new file mode 100644
index 0000000..818e27a
--- /dev/null
+++ b/SOURCES/pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch
@@ -0,0 +1,193 @@ +diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +index e7b4763db53..0005e56f528 100644 +--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ++++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import sun.security.action.*; ++import sun.security.tools.KeyStoreUtil; + import sun.security.validator.TrustStoreUtil; + + /** +@@ -68,7 +69,7 @@ final class TrustStoreManager { + * The preference of the default trusted KeyStore is: + * javax.net.ssl.trustStore + * jssecacerts +- * cacerts ++ * cacerts (system and local) + */ + private static final class TrustStoreDescriptor { + private static final String fileSep = File.separator; +@@ -76,7 +77,8 @@ final class TrustStoreManager { + GetPropertyAction.privilegedGetProperty("java.home") + + fileSep + "lib" + fileSep + "security"; + private static final String defaultStore = +- defaultStorePath + fileSep + "cacerts"; ++ AccessController.doPrivileged((PrivilegedAction) () -> ++ KeyStoreUtil.getCacertsKeyStorePath()); + private static final String jsseDefaultStore = + defaultStorePath + fileSep + "jssecacerts"; + +@@ -139,6 +141,10 @@ final class TrustStoreManager { + String storePropPassword = System.getProperty( + "javax.net.ssl.trustStorePassword", ""); + ++ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { ++ SSLLogger.fine("Default store: " + defaultStore); ++ } ++ + String temporaryName = ""; + File temporaryFile = null; + long temporaryTime = 0L; +@@ -160,7 +166,7 @@ final class TrustStoreManager { + SSLLogger.isOn("trustmanager")) { + SSLLogger.fine( + "Inaccessible trust store: " + +- storePropName); ++ fileName); + } + } + } else { +diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +index 
fcc77786da1..3a4388964cc 100644 +--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ++++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +@@ -41,6 +41,8 @@ import java.text.Collator; + import java.util.Locale; + import java.util.ResourceBundle; + ++import sun.security.util.SecurityProperties; ++ + /** + *

This class provides several utilities to KeyStore. + * +@@ -54,6 +56,8 @@ public class KeyStoreUtil { + + private static final String JKS = "jks"; + ++ private static final String SYSTEM_CA_CERTS_PROP = "security.systemCACerts"; ++ + /** + * Returns true if the certificate is self-signed, false otherwise. + */ +@@ -96,16 +100,30 @@ public class KeyStoreUtil { + } + } + ++ /** ++ * Returns the path to the cacerts DB ++ */ ++ public static String getCacertsKeyStorePath() ++ { ++ // Check system DB first, preferring system property over security one ++ String systemDB = SecurityProperties ++ .privilegedGetOverridable(SYSTEM_CA_CERTS_PROP); ++ if (systemDB != null && !"".equals(systemDB) && ++ (new File(systemDB)).isFile()) { ++ return systemDB; ++ } ++ String sep = File.separator; ++ return System.getProperty("java.home") + sep ++ + "lib" + sep + "security" + sep + "cacerts"; ++ } ++ + /** + * Returns the keystore with the configured CA certificates. + */ + public static KeyStore getCacertsKeyStore() + throws Exception + { +- String sep = File.separator; +- File file = new File(System.getProperty("java.home") + sep +- + "lib" + sep + "security" + sep +- + "cacerts"); ++ File file = new File(getCacertsKeyStorePath()); + if (!file.exists()) { + return null; + } +diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix +index 681a24b905d..ecb8bc43a6c 100644 +--- a/jdk/src/share/lib/security/java.security-aix ++++ b/jdk/src/share/lib/security/java.security-aix +@@ -294,6 +294,12 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using an empty value ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. 
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux +index 789c19a8cba..2546fdec9b2 100644 +--- a/jdk/src/share/lib/security/java.security-linux ++++ b/jdk/src/share/lib/security/java.security-linux +@@ -307,6 +307,12 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using an empty value ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx +index d4da666af3b..1a20027c02b 100644 +--- a/jdk/src/share/lib/security/java.security-macosx ++++ b/jdk/src/share/lib/security/java.security-macosx +@@ -297,6 +297,12 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using an empty value ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris +index 300132384a1..6299e0a3c7b 100644 +--- a/jdk/src/share/lib/security/java.security-solaris ++++ b/jdk/src/share/lib/security/java.security-solaris +@@ -295,6 +295,12 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using an empty value ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. 
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows +index 64db5a5cd1e..823994f3466 100644 +--- a/jdk/src/share/lib/security/java.security-windows ++++ b/jdk/src/share/lib/security/java.security-windows +@@ -297,6 +297,12 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using an empty value ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch deleted file mode 100644 index 1b88f2a..0000000 --- a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch +++ /dev/null 
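Review bot: In the new `KeyStoreUtil.getCacertsKeyStorePath()`, a `security.systemCACerts` value that is set but does not name a regular file is dropped without a trace and the method returns `${java.home}/lib/security/cacerts` instead, so a host that relies on a curated system store can end up trusting the bundled CA set, with only the `trustmanager` debug line added in `TrustStoreManager` to reveal it. The test is also only `isFile()`: a store that exists but is unreadable is still returned, and the `TrustStoreManager` loop (outside this hunk, so this is inferred) appears to require `canRead()` as well, which would leave no default store rather than fall back. I would state the contract in the Javadoc, e.g. `Returns the path named by security.systemCACerts (system property first, then security property) when it is a regular file; otherwise ${java.home}/lib/security/cacerts.`, and decide deliberately whether the check should be `isFile() && canRead()` so that both failure modes behave the same way. Only the `TrustStoreManager` initializer wraps the call in `doPrivileged`; `getCacertsKeyStore()` calls the helper directly, so its `File` and `java.home` reads still run with the caller's permissions under a SecurityManager.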
@@ -1,263 +0,0 @@ -diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -index e7b4763db53..e8ec8467e6a 100644 ---- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -@@ -31,6 +31,7 @@ import java.security.*; - import java.security.cert.*; - import java.util.*; - import sun.security.action.*; -+import sun.security.tools.KeyStoreUtil; - import sun.security.validator.TrustStoreUtil; - - /** -@@ -68,7 +69,7 @@ final class TrustStoreManager { - * The preference of the default trusted KeyStore is: - * javax.net.ssl.trustStore - * jssecacerts -- * cacerts -+ * cacerts (system and local) - */ - private static final class TrustStoreDescriptor { - private static final String fileSep = File.separator; -@@ -76,7 +77,7 @@ final class TrustStoreManager { - GetPropertyAction.privilegedGetProperty("java.home") + - fileSep + "lib" + fileSep + "security"; - private static final String defaultStore = -- defaultStorePath + fileSep + "cacerts"; -+ KeyStoreUtil.getCacertsKeyStoreFile().getPath(); - private static final String jsseDefaultStore = - defaultStorePath + fileSep + "jssecacerts"; - -@@ -139,6 +140,10 @@ final class TrustStoreManager { - String storePropPassword = System.getProperty( - "javax.net.ssl.trustStorePassword", ""); - -+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { -+ SSLLogger.fine("Default store: " + defaultStore); -+ } -+ - String temporaryName = ""; - File temporaryFile = null; - long temporaryTime = 0L; -@@ -146,21 +151,22 @@ final class TrustStoreManager { - String[] fileNames = - new String[] {storePropName, defaultStore}; - for (String fileName : fileNames) { -- File f = new File(fileName); -- if (f.isFile() && f.canRead()) { -- temporaryName = fileName;; -- temporaryFile = f; -- temporaryTime = f.lastModified(); -- -- break; -- } -- -- // Not break, the file is inaccessible. 
-- if (SSLLogger.isOn && -+ if (fileName != null && !"".equals(fileName)) { -+ File f = new File(fileName); -+ if (f.isFile() && f.canRead()) { -+ temporaryName = fileName;; -+ temporaryFile = f; -+ temporaryTime = f.lastModified(); -+ -+ break; -+ } -+ // Not break, the file is inaccessible. -+ if (SSLLogger.isOn && - SSLLogger.isOn("trustmanager")) { -- SSLLogger.fine( -- "Inaccessible trust store: " + -- storePropName); -+ SSLLogger.fine( -+ "Inaccessible trust store: " + -+ fileName); -+ } - } - } - } else { -diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -index fcc77786da1..f554f83a8b4 100644 ---- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -@@ -33,7 +33,10 @@ import java.io.InputStreamReader; - - import java.net.URL; - -+import java.security.AccessController; - import java.security.KeyStore; -+import java.security.PrivilegedAction; -+import java.security.Security; - - import java.security.cert.X509Certificate; - import java.text.Collator; -@@ -54,6 +57,33 @@ public class KeyStoreUtil { - - private static final String JKS = "jks"; - -+ private static final String PROP_NAME = "security.systemCACerts"; -+ -+ /** -+ * Returns the value of the security property propName, which can be overridden -+ * by a system property of the same name -+ * -+ * @param propName the name of the system or security property -+ * @return the value of the system or security property -+ */ -+ @SuppressWarnings("removal") -+ public static String privilegedGetOverridable(String propName) { -+ if (System.getSecurityManager() == null) { -+ return getOverridableProperty(propName); -+ } else { -+ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName)); -+ } -+ } -+ -+ private static String getOverridableProperty(String propName) { -+ String val = System.getProperty(propName); -+ if (val 
== null) { -+ return Security.getProperty(propName); -+ } else { -+ return val; -+ } -+ } -+ - /** - * Returns true if the certificate is self-signed, false otherwise. - */ -@@ -96,20 +126,38 @@ public class KeyStoreUtil { - } - } - -+ /** -+ * Returns the path to the cacerts DB -+ */ -+ public static File getCacertsKeyStoreFile() -+ { -+ String sep = File.separator; -+ File file = null; -+ /* Check system cacerts DB first, preferring system property over security property */ -+ String systemDB = privilegedGetOverridable(PROP_NAME); -+ if (systemDB != null && !"".equals(systemDB)) { -+ file = new File(systemDB); -+ } -+ if (file == null || !file.exists()) { -+ file = new File(System.getProperty("java.home") + sep -+ + "lib" + sep + "security" + sep -+ + "cacerts"); -+ } -+ if (file.exists()) { -+ return file; -+ } -+ return null; -+ } -+ - /** - * Returns the keystore with the configured CA certificates. - */ - public static KeyStore getCacertsKeyStore() - throws Exception - { -- String sep = File.separator; -- File file = new File(System.getProperty("java.home") + sep -- + "lib" + sep + "security" + sep -- + "cacerts"); -- if (!file.exists()) { -- return null; -- } - KeyStore caks = null; -+ File file = getCacertsKeyStoreFile(); -+ if (file == null) { return null; } - try (FileInputStream fis = new FileInputStream(file)) { - caks = KeyStore.getInstance(JKS); - caks.load(fis, null); -diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix -index bfe0c593adb..093bc09bf95 100644 ---- a/jdk/src/share/lib/security/java.security-aix -+++ b/jdk/src/share/lib/security/java.security-aix -@@ -294,6 +294,13 @@ security.overridePropertiesFile=true - # - security.useSystemPropertiesFile=false - -+# -+# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true -+# -+security.systemCACerts=${java.home}/lib/security/cacerts -+ - # - # Determines the default key and 
trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux -index 9d1c8fe8a8e..16c9281cc1f 100644 ---- a/jdk/src/share/lib/security/java.security-linux -+++ b/jdk/src/share/lib/security/java.security-linux -@@ -307,6 +307,13 @@ security.overridePropertiesFile=true - # - security.useSystemPropertiesFile=false - -+# -+# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true -+# -+security.systemCACerts=${java.home}/lib/security/cacerts -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx -index 19047c61097..43e034cdeaf 100644 ---- a/jdk/src/share/lib/security/java.security-macosx -+++ b/jdk/src/share/lib/security/java.security-macosx -@@ -297,6 +297,13 @@ security.overridePropertiesFile=true - # - security.useSystemPropertiesFile=false - -+# -+# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true -+# -+security.systemCACerts=${java.home}/lib/security/cacerts -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. 
-diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris -index 7eda556ae13..325937e97fb 100644 ---- a/jdk/src/share/lib/security/java.security-solaris -+++ b/jdk/src/share/lib/security/java.security-solaris -@@ -295,6 +295,13 @@ security.overridePropertiesFile=true - # - security.useSystemPropertiesFile=false - -+# -+# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true -+# -+security.systemCACerts=${java.home}/lib/security/cacerts -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows -index dfa1a669aa9..92ef777e065 100644 ---- a/jdk/src/share/lib/security/java.security-windows -+++ b/jdk/src/share/lib/security/java.security-windows -@@ -297,6 +297,13 @@ security.overridePropertiesFile=true - # - security.useSystemPropertiesFile=false - -+# -+# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true -+# -+security.systemCACerts=${java.home}/lib/security/cacerts -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 36389b4..53abe58 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -313,7 +313,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u362-b08 +%global openjdk_revision jdk8u362-b09 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} 
@@ -323,6 +323,8 @@
 %global icedteaver 3.15.0
 # Define current Git revision for the FIPS support patches
 %global fipsver 6d1aade0648
+# Define current Git revision for the cacerts patch
+%global cacertsver 8139f2361c2
 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04
 %global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*})
@@ -1354,7 +1356,7 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
 Patch1003: rh1582504-rsa_default_for_keytool.patch
 # Crypto policy and FIPS support patches
-# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk8u/tree/fips
 # as follows: git diff %%{openjdk_revision} common jdk > fips-8u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
@@ -1393,8 +1395,10 @@ Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_t
 # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
 # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
 # RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
-# Must be applied after crypto policy patch as it also changes java.security
-Patch539: pr2888-rh2055274-support_system_cacerts.patch
+# Must be applied after the FIPS patch as it also changes java.security
+# Patch is generated from the cacerts tree at https://github.com/rh-openjdk/jdk8u/tree/cacerts
+# as follows: git diff fips > pr2888-rh2055274-support_system_cacerts-$(git show -s --format=%h HEAD).patch
+Patch539: pr2888-rh2055274-support_system_cacerts-%{cacertsver}.patch
 # enable build of speculative store bypass hardened alt-java
 Patch600: rh1750419-redhat_alt_java.patch
 # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
@@ -2690,6 +2694,12 @@ cjc.mainProgram(args)
 %endif
 %changelog
+* Tue Jan 24 2023 Andrew Hughes - 1:1.8.0.362.b09-3
+- Update cacerts patch to fix OPENJDK-1433 SecurityManager issue
+- Update to shenandoah-jdk8u352-b09 (GA)
+- Update release notes for shenandoah-8u352-b09.
+- Resolves: rhbz#2162715
+
 * Fri Jan 13 2023 Andrew Hughes - 1:1.8.0.362.b08-3
 - Update to shenandoah-jdk8u352-b08 (GA)
 - Update release notes for shenandoah-8u352-b08.
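Review bot: The regeneration recipe added above `Patch539` diffs against the branch name `fips`, which moves, while the FIPS patch that this one must apply on top of is pinned by `%global fipsver 6d1aade0648`. A later regeneration can therefore yield a cacerts patch taken against a different FIPS state than the one shipped, and the comment gives no way to tell. Naming the pinned base in the recipe would keep the two in step, for example `# as follows: git diff %%{fipsver} > pr2888-rh2055274-support_system_cacerts-$(git show -s --format=%h HEAD).patch`, assuming the cacerts branch is built on that fips commit.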