diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch
index 7987abb..58d77b3 100644
--- a/SOURCES/rh1655466-global_crypto_and_fips.patch
+++ b/SOURCES/rh1655466-global_crypto_and_fips.patch
@@ -176,7 +176,7 @@ new file mode 100644
 + * and the com.redhat.fips property is true.
 + */
 + private static boolean enableFips() throws Exception {
-+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false"));
++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
 + if (fipsEnabled) {
 + Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
 + String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
diff --git a/SOURCES/rh1760838-fips_default_keystore_type.patch b/SOURCES/rh1760838-fips_default_keystore_type.patch
new file mode 100644
index 0000000..bedc8ea
--- /dev/null
+++ b/SOURCES/rh1760838-fips_default_keystore_type.patch
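Review bot: `Boolean.valueOf` on the `++` line treats every value other than a case-insensitive "true" as false, so now that FIPS alignment is on by default, a mistyped `-Dcom.redhat.fips=1` or `=yes` silently switches it off with no diagnostic. Consider validating the raw property before converting it, e.g. `String fipsProp = System.getProperty("com.redhat.fips", "true");` / `if (!fipsProp.equalsIgnoreCase("true") && !fipsProp.equalsIgnoreCase("false")) throw new IllegalArgumentException("com.redhat.fips must be true or false, got: " + fipsProp);` / `boolean fipsEnabled = Boolean.parseBoolean(fipsProp);`, and decide whether the `catch (Exception e)` visible in the rh1760838 hunk, if it wraps this call, should let such a failure fall through to non-FIPS mode. Separately, the context line `new String(Files.readAllBytes(configPath))` decodes the policy file in the platform default charset; `new String(Files.readAllBytes(configPath), StandardCharsets.UTF_8)` would make the read deterministic across locales. enableFips continues outside the hunk.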
@@ -0,0 +1,52 @@
+diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
+@@ -123,6 +123,33 @@
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
+--- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300
+@@ -179,6 +179,11 @@
+ keystore.type=jks
+
+ #
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
++#
+ # Controls compatibility mode for the JKS keystore type.
+ #
+ # When set to 'true', the JKS keystore type supports loading
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 69293eb..e5aa2a9 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -4,18 +4,17 @@
 #
 # Examples:
 #
-# Produce release *and* slowdebug builds on x86_64 (default):
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
 # $ rpmbuild -ba java-1.8.0-openjdk.spec
 #
-# Produce only release builds (no slowdebug builds) on x86_64:
-# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug --without fastdebug
 #
 # Only produce a release build on x86_64:
-# $ fedpkg mockbuild --without slowdebug
-#
-# Only produce a debug build on x86_64:
-# $ fedpkg local --without release
+# $ rhpkg mockbuild --without slowdebug --without fastdebug
 #
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
 # Enable slowdebug builds by default on relevant arches.
 %bcond_without slowdebug
 # Enable release builds by default on relevant arches.
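Review bot: `keystoreTypeValue.equals("PKCS11")` in the SystemConfigurator part of the new patch is case-sensitive, while KeyStore type names are matched case-insensitively by the JCA and the same patch's java.security uses lowercase (`keystore.type=jks`); a `fips.keystore.type=pkcs11` entry would therefore be installed as the default type but skip forcing `javax.net.ssl.keyStore=NONE`, which is the very condition the JDK-8238264 comment warns about. Use `if (keystoreTypeValue.equalsIgnoreCase("PKCS11")) {`. In the trust-store branch, `nonFipsKeystoreType` comes from `props.getProperty("keystore.type")` and is null if the file omits that key, and `System.setProperty` with a null value throws NullPointerException, which would abort the rest of the FIPS setup and land in the surrounding `catch (Exception e)`; guard it with `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null) {`. The enclosing method starts and ends outside the hunk.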
@@ -32,13 +31,16 @@ # See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" # (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) %global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug # quoted one for shell operations %global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" %global normal_suffix "" -# if you want only debug build but providing java build only normal build but set normalbuild_parameter -%global debug_warning This package has full debug on. Install only in need and remove asap. +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. %global debug_on with full debug on +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global for_fastdebug_on with minimal debug on %global for_debug for packages with debug on %if %{with release} @@ -48,9 +50,9 @@ %endif %if %{include_normal_build} -%global build_loop1 %{normal_suffix} +%global normal_build %{normal_suffix} %else -%global build_loop1 %{nil} +%global normal_build %{nil} %endif %global aarch64 aarch64 arm64 armv8 @@ -60,6 +62,7 @@ %global multilib_arches %{power64} sparc64 x86_64 %global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} +%global fastdebug_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} 
@@ -76,17 +79,32 @@ %global include_debug_build 0 %endif +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%endif + %if %{include_debug_build} -%global build_loop2 %{debug_suffix} +%global slowdebug_build %{debug_suffix} %else -%global build_loop2 %{nil} +%global slowdebug_build %{nil} %endif -# if you disable both builds, then the build fails -%global build_loop %{build_loop1} %{build_loop2} -# note: that order: normal_suffix debug_suffix, in case of both enabled -# is expected in one single case at the end of the build -%global rev_build_loop %{build_loop2} %{build_loop1} +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable both builds, then the build fails +# Note that the debug build requires the normal build for docs +%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build} +# Test slowdebug first as it provides the best diagnostics +%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %ifarch %{jit_arches} %global bootstrap_build 1 @@ -228,7 +246,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 4 +%global rpmrelease 7 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, 
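Review bot: The new `%if %{with fastdebug}` block defines `include_fastdebug_build` only when the bcond is enabled, so a `--without fastdebug` build (which the header comments now advertise) leaves the macro undefined, and every later `%if %{include_fastdebug_build}` as well as the `[ %{include_fastdebug_build} -eq 0 ... ]` check in %prep receives the literal unexpanded text instead of 0. The slowdebug block just above appears to end with a fallthrough `%global include_debug_build 0` for exactly this case; mirror it by replacing the block's final `+%endif` with `%else` / `%global include_fastdebug_build 0` / `%endif`.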
@@ -1100,6 +1118,8 @@ Patch534: rh1648246-always_instruct_vm_to_assume_multiple_processors_are_availab Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1760838: No ciphersuites available for SSLSocket in FIPS mode +Patch1002: rh1760838-fips_default_keystore_type.patch ############################################# # @@ -1297,6 +1317,17 @@ The %{origin_nice} runtime environment %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} Runtime Environment %{majorver} %{fastdebug_on} +Group: Development/Languages + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} runtime environment. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package headless Summary: %{origin_nice} Headless Runtime Environment %{majorver} @@ -1320,6 +1351,18 @@ The %{origin_nice} runtime environment %{majorver} without audio and video suppo %{debug_warning} %endif +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} Runtime Environment %{fastdebug_on} +Group: Development/Languages + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} runtime environment %{majorver} without audio and video support. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package devel Summary: %{origin_nice} Development Environment %{majorver} 
@@ -1343,6 +1386,18 @@ The %{origin_nice} development tools %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} Development Environment %{majorver} %{fastdebug_on} +Group: Development/Tools + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} development tools %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package demo Summary: %{origin_nice} Demos %{majorver} @@ -1366,6 +1421,18 @@ The %{origin_nice} demos %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} Demos %{majorver} %{fastdebug_on} +Group: Development/Languages + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} demos %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package src Summary: %{origin_nice} Source Bundle %{majorver} @@ -1390,6 +1457,18 @@ The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice class library source code for use by IDE indexers and debuggers. Debugging %{for_debug}. %endif +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} Source Bundle %{majorver} %{for_fastdebug} +Group: Development/Languages + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The java-%{origin}-src-fastdebug sub-package contains the complete %{origin_nice} %{majorver} + class library source code for use by IDE indexers and debuggers. Debugging %{for_fastdebug}. +%endif + %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{majorver} API documentation @@ -1402,9 +1481,7 @@ BuildArch: noarch %description javadoc The %{origin_nice} %{majorver} API documentation. -%endif -%if %{include_normal_build} %package javadoc-zip Summary: %{origin_nice} %{majorver} API documentation compressed in single archive Group: Documentation 
@@ -1415,10 +1492,8 @@ BuildArch: noarch %{java_javadoc_rpo %{nil}} %description javadoc-zip -The %{origin_nice} %{majorver} API documentation compressed in single archive. -%endif +The %{origin_nice} %{majorver} API documentation compressed in a single archive. -%if %{include_normal_build} %package accessibility Summary: %{origin_nice} %{majorver} accessibility connector @@ -1445,6 +1520,16 @@ Summary: %{origin_nice} %{majorver} accessibility connector %{for_debug} See normal java-%{version}-openjdk-accessibility description. %endif +%if %{include_fastdebug_build} +%package accessibility-fastdebug +Summary: %{origin_nice} %{majorver} accessibility connector %{for_fastdebug} + +%{java_accessibility_rpo -- %{fastdebug_suffix_unquoted}} + +%description accessibility-fastdebug +See normal java-%{version}-openjdk-accessibility description. +%endif + %prep # Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( 
@@ -1457,19 +1542,29 @@ See normal java-%{version}-openjdk-accessibility description. if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else - echo "include_normal_build is %{include_normal_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" exit 11 fi if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then echo "include_debug_build is %{include_debug_build}" else - echo "include_debug_build is %{include_debug_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" exit 12 fi -if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 ] ; then - echo "You have disabled both include_debug_build and include_normal_build. That is a no go." +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" exit 13 fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,debug). That is a no go." + exit 14 +fi +if [ %{include_normal_build} -eq 0 ] ; then + echo "You have disabled the normal build, but this is required to provide docs for the debug build." + exit 15 +fi echo "Update version: %{updatever}" echo "Build number: %{buildver}" @@ -1543,6 +1638,7 @@ sh %{SOURCE12} %patch539 %patch1000 %patch1001 +%patch1002 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 
@@ -1557,6 +1653,9 @@ tar --strip-components=1 -x -I xz -f %{SOURCE8} %if %{include_debug_build} cp -r tapset tapset%{debug_suffix} %endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif for suffix in %{build_loop} ; do @@ -1888,7 +1987,7 @@ if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} cp -a %{buildoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=`echo "jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip" | sed s/slowdebug/debug/` + built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip cp -a %{buildoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip fi @@ -2079,6 +2178,33 @@ require "copy_jdk_configs.lua" %endif +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} + +%postun headless-fastdebug +%{postun_headless -- %{fastdebug_suffix_unquoted}} + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} + +%endif + %if %{include_normal_build} %files # main package builds always 
@@ -2107,9 +2233,8 @@ require "copy_jdk_configs.lua" %files javadoc %{files_javadoc %{nil}} -# this puts huge file to /usr/share -# unluckily ti is really a documentation file -# and unluckily it really is architecture-dependent, as eg. aot and grail are now x86_64 only +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only # same for debug variant %files javadoc-zip %{files_javadoc_zip %{nil}} @@ -2138,7 +2263,40 @@ require "copy_jdk_configs.lua" %{files_accessibility -- %{debug_suffix_unquoted}} %endif +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug -f %{name}-demo.files-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%files accessibility-fastdebug +%{files_accessibility -- %{fastdebug_suffix_unquoted}} +%endif + %changelog +* Tue Jun 02 2020 Andrew John Hughes - 1:1.8.0.252.b09-7 +- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). +- Resolves: rhbz#1655466 + +* Mon Jun 01 2020 Andrew John Hughes - 1:1.8.0.252.b09-6 +- Use appropriate keystore types when in FIPS mode. +- Resolves: rhbz#1760838 + +* Fri May 22 2020 Andrew John Hughes - 1:1.8.0.252.b09-5 +- Add support for fastdebug builds on x86_64 only. +- Drop redundant slowdebug/debug sed invocation on the docs zip filename as it is only now built for non-debug. +- Resolves: rhbz#1836067 + * Wed Apr 22 2020 Andrew John Hughes - 1:1.8.0.252.b09-4 - Bump release number for RHEL 8.3.0. - Resolves: rhbz#1810557