From d1af5abf5467c9461ad023998b10333942b1b728 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2021 21:16:56 +0000 Subject: import java-17-openjdk-17.0.0.0.35-3.el9_b --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e9d062c --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/openjdk-jdk17-jdk-17+35.tar.xz +SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata new file mode 100644 index 0000000..5e77c19 --- /dev/null +++ b/.java-17-openjdk.metadata @@ -0,0 +1,2 @@ +a2bffc90da173240cdf0e3ea6971d4ba432b3cfe SOURCES/openjdk-jdk17-jdk-17+35.tar.xz +7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS new file mode 100644 index 0000000..cf7bae0 --- /dev/null +++ b/SOURCES/NEWS @@ -0,0 +1,528 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 17.0.0 (2021-09-14): +=========================================== +The full list of changes in the interim releases from 11u to 17u can be found at: + * https://builds.shipilev.net/backports-monitor/release-notes-12.txt + * https://builds.shipilev.net/backports-monitor/release-notes-13.txt + * https://builds.shipilev.net/backports-monitor/release-notes-14.txt + * https://builds.shipilev.net/backports-monitor/release-notes-15.txt + * https://builds.shipilev.net/backports-monitor/release-notes-16.txt + * https://builds.shipilev.net/backports-monitor/release-notes-17.txt + +Major changes are listed below. Some changes may have been backported +to earlier releases following their first appearance in OpenJDK 12 +through to 17. + +NEW FEATURES +============ + +Language Features +================= + +Switch Expressions +================== +https://openjdk.java.net/jeps/325 +https://openjdk.java.net/jeps/354 +https://openjdk.java.net/jeps/361 + +Extend the `switch` statement so that it can be used as either a +statement or an expression, and that both forms can use either a +"traditional" or "simplified" scoping and control flow behavior. Both +forms can use either traditional `case ... :` labels (with fall +through) or new `case ... ->` labels (with no fall through), with a +further new statement for yielding a value from a `switch` +expression. These changes will simplify everyday coding, and also +prepare the way for the use of pattern matching in `switch`. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 12 & 13 and became final in OpenJDK 14. + +Text Blocks +=========== +https://openjdk.java.net/jeps/355 +https://openjdk.java.net/jeps/368 +https://openjdk.java.net/jeps/378 + +Add text blocks to the Java language. A text block is a multi-line +string literal that avoids the need for most escape sequences, +automatically formats the string in a predictable way, and gives the +developer control over format when desired. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 13 & 14 and became final in OpenJDK 15. + +Pattern Matching for instanceof +=============================== +https://openjdk.java.net/jeps/305 +https://openjdk.java.net/jeps/375 +https://openjdk.java.net/jeps/394 +http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html + +Enhance the Java programming language with pattern matching for the +`instanceof` operator. Pattern matching allows common logic in a +program, namely the conditional extraction of components from objects, +to be expressed more concisely and safely. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 14 & 15 and became final in OpenJDK 16. + +Records +======= +https://openjdk.java.net/jeps/359 +https://openjdk.java.net/jeps/384 +https://openjdk.java.net/jeps/395 + +Enhance the Java programming language with records. Records provide a +compact syntax for declaring classes which are transparent holders for +shallowly immutable data. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 14 & 15 and became final in OpenJDK 16. + +Sealed Classes +============== +https://openjdk.java.net/jeps/360 +https://openjdk.java.net/jeps/397 +https://openjdk.java.net/jeps/409 +https://cr.openjdk.java.net/~briangoetz/amber/datum.html + +Enhance the Java programming language with sealed classes and +interfaces. Sealed classes and interfaces restrict which other classes +or interfaces may extend or implement them. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 15 & 16 and became final in OpenJDK 17. + +Restore Always-Strict Floating-Point Semantics +============================================== +https://openjdk.java.net/jeps/306 + +Make floating-point operations consistently strict, rather than have +both strict floating-point semantics (`strictfp`) and subtly different +default floating-point semantics. This will restore the original +floating-point semantics to the language and VM, matching the +semantics before the introduction of strict and default floating-point +modes in Java SE 1.2. + +Pattern Matching for switch +=========================== +https://openjdk.java.net/jeps/406 + +Enhance the Java programming language with pattern matching for +`switch` expressions and statements, along with extensions to the +language of patterns. Extending pattern matching to `switch` allows an +expression to be tested against a number of patterns, each with a +specific action, so that complex data-oriented queries can be +expressed concisely and safely. + +This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK +17. + +Library Features +================ + +JVM Constants API +================= +https://openjdk.java.net/jeps/334 + +Introduce an API to model nominal descriptions of key class-file and +run-time artifacts, in particular constants that are loadable from the +constant pool. + +Reimplement the Legacy Socket API +================================= +https://openjdk.java.net/jeps/353 + +Replace the underlying implementation used by the `java.net.Socket` +and `java.net.ServerSocket` APIs with a simpler and more modern +implementation that is easy to maintain and debug. The new +implementation will be easy to adapt to work with user-mode threads, +a.k.a. fibers, currently being explored in Project Loom +(https://openjdk.java.net/projects/loom). + +JFR Event Streaming +=================== +https://openjdk.java.net/jeps/349 + +Expose JDK Flight Recorder data for continuous monitoring. + +Non-Volatile Mapped Byte Buffers +================================ +https://openjdk.java.net/jeps/352 + +Add new JDK-specific file mapping modes so that the `FileChannel` API +can be used to create `MappedByteBuffer` instances that refer to +non-volatile memory. + +Helpful NullPointerExceptions +============================= +https://openjdk.java.net/jeps/358 + +Improve the usability of `NullPointerException`s generated by the JVM +by describing precisely which variable was `null`. + +Foreign-Memory Access API +========================= +https://openjdk.java.net/jeps/370 +https://openjdk.java.net/jeps/383 +https://openjdk.java.net/jeps/393 + +Introduce an API to allow Java programs to safely and efficiently +access foreign memory outside of the Java heap. + +This was a incubation feature (https://openjdk.java.net/jeps/11) in +OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory +API in OpenJDK 17 (see below). + +Edwards-Curve Digital Signature Algorithm (EdDSA) +================================================= +https://openjdk.java.net/jeps/339 + +Implement cryptographic signatures using the Edwards-Curve Digital +Signature Algorithm (EdDSA) as described by RFC 8032 +(https://tools.ietf.org/html/rfc8032). + +Hidden Classes +============== +https://openjdk.java.net/jeps/371 + +Introduce hidden classes, which are classes that cannot be used +directly by the bytecode of other classes. Hidden classes are intended +for use by frameworks that generate classes at run time and use them +indirectly, via reflection. A hidden class may be defined as a member +of an access control nest (https://openjdk.java.net/jeps/181), and may +be unloaded independently of other classes. + +Reimplement the Legacy DatagramSocket API +========================================= +https://openjdk.java.net/jeps/373 + +Replace the underlying implementations of the +`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with +simpler and more modern implementations that are easy to maintain and +debug. The new implementations will be easy to adapt to work with +virtual threads, currently being explored in Project Loom +(https://openjdk.java.net/projects/loom). This is a follow-on to JEP +353 (see above), which already reimplemented the legacy Socket API. + +Vector API +========== +https://openjdk.java.net/jeps/338 +https://openjdk.java.net/jeps/414 + +Provide an initial iteration of an incubator module, +`jdk.incubator.vector`, to express vector computations that reliably +compile at runtime to optimal vector hardware instructions on +supported CPU architectures and thus achieve superior performance to +equivalent scalar computations. + +This is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16. + +Unix-Domain Socket Channels +=========================== +https://openjdk.java.net/jeps/380 + +Add Unix-domain (`AF_UNIX`) socket support to the socket channel and +server-socket channel APIs in the `java.nio.channels` package. Extend +the inherited channel mechanism to support Unix-domain socket channels +and server socket channels. + +Foreign Linker API (Incubator) +============================== +https://openjdk.java.net/jeps/389 + +Introduce an API that offers statically-typed, pure-Java access to +native code. This API, together with the Foreign-Memory API (see +above), will considerably simplify the otherwise error-prone process +of binding to a native library. + +This was an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16, now superseded by the Foreign Function & +Memory API in OpenJDK 17 (see below). + +Strongly Encapsulate JDK Internals by Default +============================================= +https://openjdk.java.net/jeps/396 +https://openjdk.java.net/jeps/403 + +Strongly encapsulate all internal elements of the JDK by default, +except for critical internal APIs such as `sun.misc.Unsafe`. It will +no longer be possible to relax the strong encapsulation of internal +elements via a single command-line option, as was possible in OpenJDK +9 through 16. + +Enhanced Pseudo-Random Number Generators +======================================== +https://openjdk.java.net/jeps/356 + +Provide new interface types and implementations for pseudo-random +number generators (PRNGs), including jumpable PRNGs and an additional +class of splittable PRNG algorithms (LXM). + +Foreign Function & Memory API +============================= +https://openjdk.java.net/jeps/412 + +Introduce an API by which Java programs can interoperate with code and +data outside of the Java runtime. By efficiently invoking foreign +functions (i.e., code outside the JVM), and by safely accessing +foreign memory (i.e., memory not managed by the JVM), the API enables +Java programs to call native libraries and process native data without +the brittleness and danger of JNI. + +This API is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 17, and is an evolution of the Foreign Memory +Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK +16) (see above). + +Context-Specific Deserialization Filters +======================================== +https://openjdk.java.net/jeps/415 + +Allow applications to configure context-specific and +dynamically-selected deserialization filters via a JVM-wide filter +factory that is invoked to select a filter for each individual +deserialization operation. + +Tools +===== + +Packaging Tool +============== +https://openjdk.java.net/jeps/343 +https://openjdk.java.net/jeps/392 + +Provide the `jpackage` tool, for packaging self-contained Java +applications. + +JVM Features +============ + +Shenandoah: A Low-Pause-Time Garbage Collector +============================================== +https://openjdk.java.net/jeps/189 +https://openjdk.java.net/jeps/379 + +Add a new garbage collection (GC) algorithm named Shenandoah which +reduces GC pause times by doing evacuation work concurrently with the +running Java threads. Pause times with Shenandoah are independent of +heap size, meaning you will have the same consistent pause times +whether your heap is 200 MB or 200 GB. + +Shenandoah has been provided in Red Hat builds of OpenJDK 8 since +8u131 in April 2017 and in all 11u builds. + +Upstream, it was introduced in OpenJDK 12 as an experimental feature +and became a production feature in OpenJDK 15. It was backported to +OpenJDK 11 with the 11.0.9 release in October 2020. + +Abortable Mixed Collections for G1 +================================== +https://openjdk.java.net/jeps/344 + +Make G1 mixed collections abortable if they might exceed the pause +target. + +Promptly Return Unused Committed Memory from G1 +=============================================== +https://openjdk.java.net/jeps/346 + +Enhance the G1 garbage collector to automatically return Java heap +memory to the operating system when idle. + +Dynamic CDS Archives +==================== +https://openjdk.java.net/jeps/310 +https://openjdk.java.net/jeps/350 + +Extend application class-data sharing to allow the dynamic archiving +of classes at the end of Java application execution. The archived +classes will include all loaded application classes and library +classes that are not present in the default, base-layer CDS archive. + +ZGC: Uncommit Unused Memory (Experimental) +========================================== +https://openjdk.java.net/jeps/351 + +Enhance ZGC to return unused heap memory to the operating system. + +NUMA-Aware Memory Allocation for G1 +=================================== +https://openjdk.java.net/jeps/345 + +Improve G1 performance on large machines by implementing NUMA-aware +memory allocation. + +ZGC on macOS (Experimental) +=========================== +https://openjdk.java.net/jeps/364 + +Port the ZGC garbage collector to macOS. + +ZGC on Windows (Experimental) +============================= +https://openjdk.java.net/jeps/365 + +Port the ZGC garbage collector to Windows. + +ZGC: A Scalable Low-Latency Garbage Collector (Production) +========================================================== +https://openjdk.java.net/jeps/377 + +Change the Z Garbage Collector from an experimental feature into a +product feature. + +ZGC: Concurrent Thread-Stack Processing +======================================= +https://openjdk.java.net/jeps/376 + +Move ZGC thread-stack processing from safepoints to a concurrent +phase. + +Elastic Metaspace +================= +https://openjdk.java.net/jeps/387 + +Return unused HotSpot class-metadata (i.e., metaspace) memory to the +operating system more promptly, reduce metaspace footprint, and +simplify the metaspace code in order to reduce maintenance costs. + +Ports +===== + +Alpine Linux Port +================= +https://openjdk.java.net/jeps/386 + +Port the JDK to Alpine Linux, and to other Linux distributions that +use musl as their primary C library, on both the x64 and AArch64 +architectures, + +Windows/AArch64 Port +==================== +https://openjdk.java.net/jeps/388 + +Port the JDK to Windows/AArch64. + +New macOS Rendering Pipeline +============================ +https://openjdk.java.net/jeps/382 + +Implement a Java 2D internal rendering pipeline for macOS using the +Apple Metal API as alternative to the existing pipeline, which uses +the deprecated Apple OpenGL API. + +macOS/AArch64 Port +================== +https://openjdk.java.net/jeps/391 + +Port the JDK to macOS/AArch64. + +DEPRECATIONS +============ + +Deprecate the ParallelScavenge + SerialOld GC Combination +========================================================= +https://openjdk.java.net/jeps/366 + +Deprecate the combination of the Parallel Scavenge and Serial Old +garbage collection algorithms. + +Deprecate and Disable Biased Locking +==================================== +https://openjdk.java.net/jeps/374 + +Disable biased locking by default, and deprecate all related +command-line options. + +Warnings for Value-Based Classes +================================ +https://openjdk.java.net/jeps/390 + +Designate the primitive wrapper classes as value-based and deprecate +their constructors for removal, prompting new deprecation +warnings. Provide warnings about improper attempts to synchronize on +instances of any value-based classes in the Java Platform. + +Deprecate the Applet API for Removal +==================================== +https://openjdk.java.net/jeps/398 + +Deprecate the Applet API for removal. It is essentially irrelevant +since all web-browser vendors have either removed support for Java +browser plug-ins or announced plans to do so. + +Deprecate the Security Manager for Removal +========================================== +https://openjdk.java.net/jeps/411 + +Deprecate the Security Manager for removal in a future release. The +Security Manager dates from Java 1.0. It has not been the primary +means of securing client-side Java code for many years, and it has +rarely been used to secure server-side code. To move Java forward, we +intend to deprecate the Security Manager for removal in concert with +the legacy Applet API (see above). . + +REMOVALS +======== + +Remove the Concurrent Mark Sweep (CMS) Garbage Collector +======================================================== +https://openjdk.java.net/jeps/363 + +Remove the Concurrent Mark Sweep (CMS) garbage collector. + +Remove the Pack200 Tools and API +================================ +https://openjdk.java.net/jeps/336 +https://openjdk.java.net/jeps/367 + +Remove the `pack200` and `unpack200` tools, and the `Pack200` API in +the `java.util.jar` package. These tools and API were deprecated for +removal in OpenJDK 11 with the express intent to remove them in a +future release. + +Remove the Nashorn JavaScript Engine +==================================== +https://openjdk.java.net/jeps/372 + +Remove the Nashorn JavaScript script engine and APIs, and the `jjs` +tool. The engine, the APIs, and the tool were deprecated for removal +in OpenJDK 11 with the express intent to remove them in a future +release. + +Remove the Solaris and SPARC Ports +================================== +https://openjdk.java.net/jeps/362 +https://openjdk.java.net/jeps/381 + +Remove the source code and build support for the Solaris/SPARC, +Solaris/x64, and Linux/SPARC ports. These ports were deprecated for +removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381). + +Remove RMI Activation +===================== +https://openjdk.java.net/jeps/385 +https://openjdk.java.net/jeps/407 +https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html + +Remove the Remote Method Invocation (RMI) Activation mechanism, while +preserving the rest of RMI. RMI Activation is an obsolete part of RMI +that has been optional since OpenJDK 8 and was deprecated in OpenJDK +15. + +Remove the Experimental AOT and JIT Compiler +============================================ +https://openjdk.java.net/jeps/410 + +Remove the experimental Java-based ahead-of-time (AOT) and +just-in-time (JIT) compiler. This compiler has seen little use since +its introduction and the effort required to maintain it is +significant. Retain the experimental Java-level JVM compiler +interface (JVMCI) so that developers can continue to use +externally-built versions of the compiler for JIT compilation. diff --git a/SOURCES/TestCryptoLevel.java b/SOURCES/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/SOURCES/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/SOURCES/TestECDSA.java b/SOURCES/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/SOURCES/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java new file mode 100644 index 0000000..06a0b07 --- /dev/null +++ b/SOURCES/TestSecurityProperties.java @@ -0,0 +1,43 @@ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + public static void main(String[] args) { + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println("Debug: Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } +} diff --git a/SOURCES/jconsole.desktop.in b/SOURCES/jconsole.desktop.in new file mode 100644 index 0000000..a8917c1 --- /dev/null +++ b/SOURCES/jconsole.desktop.in @@ -0,0 +1,10 @@ +[Desktop Entry] +Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@ +Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@ +Exec=@JAVA_HOME@/jconsole +Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@ +Terminal=false +Type=Application +StartupWMClass=sun-tools-jconsole-JConsole +Categories=Development;Profiling;Java; +Version=1.0 diff --git a/SOURCES/jdk8272332-rh2004078-broken_harfbuzz_linking.patch b/SOURCES/jdk8272332-rh2004078-broken_harfbuzz_linking.patch new file mode 100644 index 0000000..9acd70d --- /dev/null +++ b/SOURCES/jdk8272332-rh2004078-broken_harfbuzz_linking.patch @@ -0,0 +1,21 @@ +commit e506cb23cfce35d1bc997d1e280f4dc40c9b3397 +Author: Severin Gehwolf +Date: Mon Aug 16 09:57:28 2021 +0000 + + 8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 + + Backport-of: d38b31438dd4730ee2149c02277d60c35b9d7d81 + +diff --git openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk +index 4d0c0c00dbf..ef7eadae206 100644 +--- openjdk.orig/make/modules/java.desktop/lib/Awt2dLibraries.gmk ++++ openjdk/make/modules/java.desktop/lib/Awt2dLibraries.gmk +@@ -435,7 +435,7 @@ endif + + ifeq ($(USE_EXTERNAL_HARFBUZZ), true) + LIBFONTMANAGER_EXTRA_SRC = +- BUILD_LIBFONTMANAGER_FONTLIB += $(LIBHARFBUZZ_LIBS) ++ BUILD_LIBFONTMANAGER_FONTLIB += $(HARFBUZZ_LIBS) + else + LIBFONTMANAGER_EXTRA_SRC = libharfbuzz + diff --git a/SOURCES/nss.cfg.in b/SOURCES/nss.cfg.in new file mode 100644 index 0000000..377a39c --- /dev/null +++ b/SOURCES/nss.cfg.in @@ -0,0 +1,5 @@ +name = NSS +nssLibraryDirectory = @NSS_LIBDIR@ +nssDbMode = noDb +attributes = compatibility +handleStartupErrors = ignoreMultipleInitialisation diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in new file mode 100644 index 0000000..ead27be --- /dev/null +++ b/SOURCES/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + diff --git a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch new file mode 100644 index 0000000..4efbe9a --- /dev/null +++ b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch @@ -0,0 +1,88 @@ + +# HG changeset patch +# User andrew +# Date 1478057514 0 +# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c +# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a +PR3183: Support Fedora/RHEL system crypto policy +diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java +--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100 ++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000 +@@ -43,6 +43,9 @@ + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ +@@ -52,6 +55,10 @@ + private static final Debug sdebug = + Debug.getInstance("properties"); + ++ /* System property file*/ ++ private static final String SYSTEM_PROPERTIES = ++ "/etc/crypto-policies/back-ends/java.config"; ++ + /* The java.security properties */ + private static Properties props; + +@@ -93,6 +100,7 @@ + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -114,6 +122,31 @@ + } + + if ("true".equalsIgnoreCase(props.getProperty ++ ("security.useSystemPropertiesFile"))) { ++ ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ try (BufferedInputStream bis = ++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { ++ props.load(bis); ++ loadedProps = true; ++ ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ SYSTEM_PROPERTIES); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println ++ ("unable to load security properties from " + ++ SYSTEM_PROPERTIES); ++ e.printStackTrace(); ++ } ++ } ++ } ++ ++ if ("true".equalsIgnoreCase(props.getProperty + ("security.overridePropertiesFile"))) { + + String extraPropFile = System.getProperty +diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security +--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100 ++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000 +@@ -276,6 +276,13 @@ + security.overridePropertiesFile=true + + # ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=true ++ ++# + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. + # diff --git a/SOURCES/pr3695-toggle_system_crypto_policy.patch b/SOURCES/pr3695-toggle_system_crypto_policy.patch new file mode 100644 index 0000000..3799237 --- /dev/null +++ b/SOURCES/pr3695-toggle_system_crypto_policy.patch @@ -0,0 +1,78 @@ +# HG changeset patch +# User andrew +# Date 1545198926 0 +# Wed Dec 19 05:55:26 2018 +0000 +# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776 +# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c +PR3695: Allow use of system crypto policy to be disabled by the user +Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile + +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -125,31 +125,6 @@ + } + + if ("true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); +- loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } +- } +- } +- +- if ("true".equalsIgnoreCase(props.getProperty + ("security.overridePropertiesFile"))) { + + String extraPropFile = System.getProperty +@@ -215,6 +190,33 @@ + } + } + ++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); ++ if (disableSystemProps == null && ++ "true".equalsIgnoreCase(props.getProperty ++ ("security.useSystemPropertiesFile"))) { ++ ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ try (BufferedInputStream bis = ++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { ++ props.load(bis); ++ loadedProps = true; ++ ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ SYSTEM_PROPERTIES); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println ++ ("unable to load security properties from " + ++ SYSTEM_PROPERTIES); ++ e.printStackTrace(); ++ } ++ } ++ } ++ + if (!loadedProps) { + initializeStatic(); + if (sdebug != null) { diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh new file mode 100644 index 0000000..e999c7e --- /dev/null +++ b/SOURCES/remove-intree-libraries.sh @@ -0,0 +1,157 @@ +#!/bin/sh + +# Arguments: +TREE=${1} +TYPE=${2} + +ZIP_SRC=src/java.base/share/native/libzip/zlib/ +JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ +GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ +PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ +LCMS_SRC=src/java.desktop/share/native/liblcms/ + +if test "x${TREE}" = "x"; then + echo "$0 (MINIMAL|FULL)"; + exit 1; +fi + +if test "x${TYPE}" = "x"; then + TYPE=minimal; +fi + +if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then + echo "Type must be minimal or full"; + exit 2; +fi + +echo "Removing in-tree libraries from ${TREE}" +echo "Cleansing operation: ${TYPE}"; + +cd ${TREE} + +echo "Removing built-in libs (they will be linked)" + +# On full runs, allow for zlib having already been deleted by minimal +echo "Removing zlib" +if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then + echo "${ZIP_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${ZIP_SRC} + +# Minimal is limited to just zlib so finish here +if test "x${TYPE}" = "xminimal"; then + echo "Finished."; + exit 0; +fi + +echo "Removing libjpeg" +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist + echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." + exit 1 +fi + +rm -vf ${JPEG_SRC}/jcomapi.c +rm -vf ${JPEG_SRC}/jdapimin.c +rm -vf ${JPEG_SRC}/jdapistd.c +rm -vf ${JPEG_SRC}/jdcoefct.c +rm -vf ${JPEG_SRC}/jdcolor.c +rm -vf ${JPEG_SRC}/jdct.h +rm -vf ${JPEG_SRC}/jddctmgr.c +rm -vf ${JPEG_SRC}/jdhuff.c +rm -vf ${JPEG_SRC}/jdhuff.h +rm -vf ${JPEG_SRC}/jdinput.c +rm -vf ${JPEG_SRC}/jdmainct.c +rm -vf ${JPEG_SRC}/jdmarker.c +rm -vf ${JPEG_SRC}/jdmaster.c +rm -vf ${JPEG_SRC}/jdmerge.c +rm -vf ${JPEG_SRC}/jdphuff.c +rm -vf ${JPEG_SRC}/jdpostct.c +rm -vf ${JPEG_SRC}/jdsample.c +rm -vf ${JPEG_SRC}/jerror.c +rm -vf ${JPEG_SRC}/jerror.h +rm -vf ${JPEG_SRC}/jidctflt.c +rm -vf ${JPEG_SRC}/jidctfst.c +rm -vf ${JPEG_SRC}/jidctint.c +rm -vf ${JPEG_SRC}/jidctred.c +rm -vf ${JPEG_SRC}/jinclude.h +rm -vf ${JPEG_SRC}/jmemmgr.c +rm -vf ${JPEG_SRC}/jmemsys.h +rm -vf ${JPEG_SRC}/jmemnobs.c +rm -vf ${JPEG_SRC}/jmorecfg.h +rm -vf ${JPEG_SRC}/jpegint.h +rm -vf ${JPEG_SRC}/jpeglib.h +rm -vf ${JPEG_SRC}/jquant1.c +rm -vf ${JPEG_SRC}/jquant2.c +rm -vf ${JPEG_SRC}/jutils.c +rm -vf ${JPEG_SRC}/jcapimin.c +rm -vf ${JPEG_SRC}/jcapistd.c +rm -vf ${JPEG_SRC}/jccoefct.c +rm -vf ${JPEG_SRC}/jccolor.c +rm -vf ${JPEG_SRC}/jcdctmgr.c +rm -vf ${JPEG_SRC}/jchuff.c +rm -vf ${JPEG_SRC}/jchuff.h +rm -vf ${JPEG_SRC}/jcinit.c +rm -vf ${JPEG_SRC}/jconfig.h +rm -vf ${JPEG_SRC}/jcmainct.c +rm -vf ${JPEG_SRC}/jcmarker.c +rm -vf ${JPEG_SRC}/jcmaster.c +rm -vf ${JPEG_SRC}/jcparam.c +rm -vf ${JPEG_SRC}/jcphuff.c +rm -vf ${JPEG_SRC}/jcprepct.c +rm -vf ${JPEG_SRC}/jcsample.c +rm -vf ${JPEG_SRC}/jctrans.c +rm -vf ${JPEG_SRC}/jdtrans.c +rm -vf ${JPEG_SRC}/jfdctflt.c +rm -vf ${JPEG_SRC}/jfdctfst.c +rm -vf ${JPEG_SRC}/jfdctint.c +rm -vf ${JPEG_SRC}/jversion.h +rm -vf ${JPEG_SRC}/README + +echo "Removing giflib" +if [ ! -d ${GIF_SRC} ]; then + echo "${GIF_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${GIF_SRC} + +echo "Removing libpng" +if [ ! -d ${PNG_SRC} ]; then + echo "${PNG_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${PNG_SRC} + +echo "Removing lcms" +if [ ! -d ${LCMS_SRC} ]; then + echo "${LCMS_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -vf ${LCMS_SRC}/cmscam02.c +rm -vf ${LCMS_SRC}/cmscgats.c +rm -vf ${LCMS_SRC}/cmscnvrt.c +rm -vf ${LCMS_SRC}/cmserr.c +rm -vf ${LCMS_SRC}/cmsgamma.c +rm -vf ${LCMS_SRC}/cmsgmt.c +rm -vf ${LCMS_SRC}/cmshalf.c +rm -vf ${LCMS_SRC}/cmsintrp.c +rm -vf ${LCMS_SRC}/cmsio0.c +rm -vf ${LCMS_SRC}/cmsio1.c +rm -vf ${LCMS_SRC}/cmslut.c +rm -vf ${LCMS_SRC}/cmsmd5.c +rm -vf ${LCMS_SRC}/cmsmtrx.c +rm -vf ${LCMS_SRC}/cmsnamed.c +rm -vf ${LCMS_SRC}/cmsopt.c +rm -vf ${LCMS_SRC}/cmspack.c +rm -vf ${LCMS_SRC}/cmspcs.c +rm -vf ${LCMS_SRC}/cmsplugin.c +rm -vf ${LCMS_SRC}/cmsps2.c +rm -vf ${LCMS_SRC}/cmssamp.c +rm -vf ${LCMS_SRC}/cmssm.c +rm -vf ${LCMS_SRC}/cmstypes.c +rm -vf ${LCMS_SRC}/cmsvirt.c +rm -vf ${LCMS_SRC}/cmswtpnt.c +rm -vf ${LCMS_SRC}/cmsxform.c +rm -vf ${LCMS_SRC}/lcms2.h +rm -vf ${LCMS_SRC}/lcms2_internal.h +rm -vf ${LCMS_SRC}/lcms2_plugin.h diff --git a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch new file mode 100644 index 0000000..3042186 --- /dev/null +++ b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch @@ -0,0 +1,16 @@ +diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java +--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200 ++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200 +@@ -595,7 +595,11 @@ + toolkit = new HeadlessToolkit(toolkit); + } + if (!GraphicsEnvironment.isHeadless()) { +- loadAssistiveTechnologies(); ++ try { ++ loadAssistiveTechnologies(); ++ } catch (AWTError error) { ++ // ignore silently ++ } + } + } + return toolkit; diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch new file mode 100644 index 0000000..7be1fae --- /dev/null +++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch @@ -0,0 +1,12 @@ +diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security +index 534bdae5a16..2df2b59cbf6 100644 +--- openjdk/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI + security.provider.tbd=Apple + #endif + security.provider.tbd=SunPKCS11 ++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # A list of preferred providers for specific algorithms. These providers will diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch new file mode 100644 index 0000000..53026ad --- /dev/null +++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch @@ -0,0 +1,20 @@ +--- openjdk/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -304,6 +304,8 @@ + # + package.access=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # List of comma-separated packages that start with or equal this string +@@ -316,6 +318,8 @@ + # + package.definition=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # Determines whether this properties file can be appended to diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch new file mode 100644 index 0000000..80cd91c --- /dev/null +++ b/SOURCES/rh1655466-global_crypto_and_fips.patch @@ -0,0 +1,205 @@ +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -196,26 +196,8 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); ++ if (SystemConfigurator.configure(props)) { + loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } + } + } + +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,151 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (fipsEnabled) { ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -87,6 +87,14 @@ + #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++ ++# + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. + # Entries containing errors (parsing, etc) will be ignored. Use the diff --git a/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch new file mode 100644 index 0000000..5e2b254 --- /dev/null +++ b/SOURCES/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch @@ -0,0 +1,13 @@ +--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100 ++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100 +@@ -48,8 +48,8 @@ + + private final static String PROP_NAME = "sun.security.smartcardio.library"; + +- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so"; +- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; ++ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1"; ++ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1"; + private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; + + PlatformPCSC() { diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch new file mode 100644 index 0000000..88f5e5a --- /dev/null +++ b/SOURCES/rh1750419-redhat_alt_java.patch @@ -0,0 +1,117 @@ +diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk +index 700ddefda49..2882de68eb2 100644 +--- openjdk.orig/make/modules/java.base/Launcher.gmk ++++ openjdk/make/modules/java.base/Launcher.gmk +@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \ + OPTIMIZATION := HIGH, \ + )) + ++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c ++$(eval $(call SetupBuildLauncher, alt-java, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ ++ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \ ++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ ++ OPTIMIZATION := HIGH, \ ++)) ++ + ifeq ($(call isTargetOs, windows), true) + $(eval $(call SetupBuildLauncher, javaw, \ + CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ +diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h +new file mode 100644 +index 00000000000..697df2898ac +--- /dev/null ++++ openjdk/src/java.base/share/native/launcher/alt_main.h +@@ -0,0 +1,73 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#ifdef REDHAT_ALT_JAVA ++ ++#include ++ ++ ++/* Per task speculation control */ ++#ifndef PR_GET_SPECULATION_CTRL ++# define PR_GET_SPECULATION_CTRL 52 ++#endif ++#ifndef PR_SET_SPECULATION_CTRL ++# define PR_SET_SPECULATION_CTRL 53 ++#endif ++/* Speculation control variants */ ++#ifndef PR_SPEC_STORE_BYPASS ++# define PR_SPEC_STORE_BYPASS 0 ++#endif ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++ ++#ifndef PR_SPEC_NOT_AFFECTED ++# define PR_SPEC_NOT_AFFECTED 0 ++#endif ++#ifndef PR_SPEC_PRCTL ++# define PR_SPEC_PRCTL (1UL << 0) ++#endif ++#ifndef PR_SPEC_ENABLE ++# define PR_SPEC_ENABLE (1UL << 1) ++#endif ++#ifndef PR_SPEC_DISABLE ++# define PR_SPEC_DISABLE (1UL << 2) ++#endif ++#ifndef PR_SPEC_FORCE_DISABLE ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++#endif ++#ifndef PR_SPEC_DISABLE_NOEXEC ++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) ++#endif ++ ++static void set_speculation() __attribute__((constructor)); ++static void set_speculation() { ++ if ( prctl(PR_SET_SPECULATION_CTRL, ++ PR_SPEC_STORE_BYPASS, ++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { ++ return; ++ } ++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++} ++ ++#endif // REDHAT_ALT_JAVA +diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c +index b734fe2ba78..79dc8307650 100644 +--- openjdk.orig/src/java.base/share/native/launcher/main.c ++++ openjdk/src/java.base/share/native/launcher/main.c +@@ -34,6 +34,14 @@ + #include "jli_util.h" + #include "jni.h" + ++#ifdef REDHAT_ALT_JAVA ++#if defined(__linux__) && defined(__x86_64__) ++#include "alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif ++#endif ++ + #ifdef _MSC_VER + #if _MSC_VER > 1400 && _MSC_VER < 1600 + diff --git a/SOURCES/rh1818909-fips_default_keystore_type.patch b/SOURCES/rh1818909-fips_default_keystore_type.patch new file mode 100644 index 0000000..ff34f3e --- /dev/null +++ b/SOURCES/rh1818909-fips_default_keystore_type.patch @@ -0,0 +1,52 @@ +diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 +@@ -123,6 +123,33 @@ + } + props.put(fipsProviderKey, fipsProviderValue); + } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } + loadedProps = true; + } + } catch (Exception e) { +diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux +--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300 +@@ -299,6 +299,11 @@ + keystore.type=pkcs12 + + # ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for JKS and PKCS12 keystore types. + # + # When set to 'true', both JKS and PKCS12 keystore types support loading diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch new file mode 100644 index 0000000..8dcd9a8 --- /dev/null +++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch @@ -0,0 +1,318 @@ +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index f9baf8c9742..60fa75cab45 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,11 +1,13 @@ + /* +- * Copyright (c) 2019, Red Hat, Inc. ++ * Copyright (c) 2019, 2020, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -34,10 +36,10 @@ import java.nio.file.Path; + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.function.Consumer; +-import java.util.regex.Matcher; + import java.util.regex.Pattern; + ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; ++import jdk.internal.access.SharedSecrets; + import sun.security.util.Debug; + + /** +@@ -47,7 +49,7 @@ import sun.security.util.Debug; + * + */ + +-class SystemConfigurator { ++final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -61,15 +63,16 @@ class SystemConfigurator { + private static final String CRYPTO_POLICIES_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/config"; + +- private static final class SecurityProviderInfo { +- int number; +- String key; +- String value; +- SecurityProviderInfo(int number, String key, String value) { +- this.number = number; +- this.key = key; +- this.value = value; +- } ++ private static boolean systemFipsEnabled = false; ++ ++ static { ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); + } + + /* +@@ -128,9 +131,9 @@ class SystemConfigurator { + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { +- // If keystore.type is PKCS11, javax.net.ssl.keyStore +- // must be "NONE". See JDK-8238264. +- System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the +@@ -144,12 +147,13 @@ class SystemConfigurator { + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + +- System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; ++ systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { +@@ -160,13 +164,30 @@ class SystemConfigurator { + return loadedProps; + } + ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ + /* + * FIPS is enabled only if crypto-policies are set to "FIPS" + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { +- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); +- if (fipsEnabled) { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } + Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..a31e93ec02e +--- /dev/null ++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index f6d3638c3dd..5a2c9eb0c46 100644 +--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -81,6 +81,7 @@ public class SharedSecrets { + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -442,4 +443,12 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index 6ffdfeda18d..775b185fb06 100644 +--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -32,6 +32,7 @@ import java.security.cert.*; + import java.util.*; + import java.util.concurrent.locks.ReentrantLock; + import javax.net.ssl.*; ++import jdk.internal.access.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { + private static final List serverDefaultCipherSuites; + + static { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10, +- ProtocolVersion.SSL30, +- ProtocolVersion.SSL20Hello +- ); +- +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10, ++ ProtocolVersion.SSL30, ++ ProtocolVersion.SSL20Hello ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + + supportedCipherSuites = getApplicableSupportedCipherSuites( + supportedProtocols); +@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + ProtocolVersion[] candidates; + if (refactored.isEmpty()) { + // Client and server use the same default protocols. +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + // Use the customized TLS protocols. + candidates = +diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +index 894e26dfad8..8b16378b96b 100644 +--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +@@ -27,6 +27,8 @@ package sun.security.ssl; + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + + /** +@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + List.of("SSL"), null); diff --git a/SOURCES/rh1915071-always_initialise_configurator_access.patch b/SOURCES/rh1915071-always_initialise_configurator_access.patch new file mode 100644 index 0000000..513fbbf --- /dev/null +++ b/SOURCES/rh1915071-always_initialise_configurator_access.patch @@ -0,0 +1,70 @@ +diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index f1633afb627..ce32c939253 100644 +--- openjdk/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -74,6 +75,15 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -194,9 +204,8 @@ public final class Security { + } + + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); +- if (disableSystemProps == null && +- "true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { ++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && ++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { + if (SystemConfigurator.configure(props)) { + loadedProps = true; + } +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 60fa75cab45..10b54aa4ce4 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -38,8 +38,6 @@ import java.util.Map.Entry; + import java.util.Properties; + import java.util.regex.Pattern; + +-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; +-import jdk.internal.access.SharedSecrets; + import sun.security.util.Debug; + + /** +@@ -65,16 +63,6 @@ final class SystemConfigurator { + + private static boolean systemFipsEnabled = false; + +- static { +- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( +- new JavaSecuritySystemConfiguratorAccess() { +- @Override +- public boolean isSystemFipsEnabled() { +- return SystemConfigurator.isSystemFipsEnabled(); +- } +- }); +- } +- + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and diff --git a/SOURCES/rh1929465-dont_define_unused_throwioexception.patch b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch new file mode 100644 index 0000000..eba090f --- /dev/null +++ b/SOURCES/rh1929465-dont_define_unused_throwioexception.patch @@ -0,0 +1,69 @@ +commit 90e344e7d4987af610fa0054c92d18fe1c2edd41 +Author: Andrew Hughes +Date: Sat Aug 28 01:15:28 2021 +0100 + + RH1929465: Don't define unused throwIOException function when using NSS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..38919d6bb0f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -34,14 +34,34 @@ + + #include "java_security_SystemConfigurator.h" + +-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" + #define MSG_MAX_SIZE 96 + + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read ++#ifndef SYSCONF_NSS ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++#endif ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} + + /* + * Class: java_security_SystemConfigurator +@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + + #endif // SYSCONF_NSS + } +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); +- } +-} diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection.patch b/SOURCES/rh1929465-improve_system_FIPS_detection.patch new file mode 100644 index 0000000..4dfd1d4 --- /dev/null +++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch @@ -0,0 +1,428 @@ +diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..b2b1c1787da +--- /dev/null ++++ openjdk/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,84 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. ++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 +index a65d91ee974..a8f054c1397 100644 +--- openjdk/make/autoconf/libraries.m4 ++++ openjdk/make/autoconf/libraries.m4 +@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then +diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in +index 29445c8c24f..9b1b512a34a 100644 +--- openjdk/make/autoconf/spec.gmk.in ++++ openjdk/make/autoconf/spec.gmk.in +@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk +index 5658ff342e5..cb7a56852f7 100644 +--- openjdk/make/modules/java.base/Lib.gmk ++++ openjdk/make/modules/java.base/Lib.gmk +@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..6f4656bfcb6 +--- /dev/null ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -0,0 +1,168 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 10b54aa4ce4..6aa1419dfd0 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * +@@ -30,13 +30,9 @@ import java.io.BufferedInputStream; + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -58,11 +54,23 @@ final class SystemConfigurator { + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; +- + private static boolean systemFipsEnabled = false; + ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and +@@ -170,16 +178,34 @@ final class SystemConfigurator { + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. + */ + private static boolean enableFips() throws Exception { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } diff --git a/SOURCES/rh1995150-disable_non-fips_crypto.patch b/SOURCES/rh1995150-disable_non-fips_crypto.patch new file mode 100644 index 0000000..b3d0ae7 --- /dev/null +++ b/SOURCES/rh1995150-disable_non-fips_crypto.patch @@ -0,0 +1,596 @@ +diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 9d4a794de1a..39e69362458 100644 +--- openjdk/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -151,6 +151,7 @@ module java.base { + java.management, + java.naming, + java.rmi, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.net, +diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 912cad59714..c5e13c98bd9 100644 +--- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -30,6 +30,7 @@ import java.net.*; + import java.util.*; + import java.security.*; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetPropertyAction; + import sun.security.util.SecurityProviderConstants; +@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -94,147 +99,149 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); ++ ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ /* ++ * Key Pair Generator engines ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ ++ /* ++ * Algorithm Parameter Generator engines ++ */ ++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", ++ "sun.security.provider.DSAParameterGenerator", attrs); ++ attrs.remove("KeySize"); ++ ++ /* ++ * Algorithm Parameter engines ++ */ ++ addWithAlias(p, "AlgorithmParameters", "DSA", ++ "sun.security.provider.DSAParameters", attrs); ++ ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); ++ ++ /* ++ * Digest engines ++ */ ++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); ++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); + } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); +- +- attrs.remove("KeySize"); +- +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); +- /* +- * Key Pair Generator engines +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("KeySize", "2048"); // for DSA KPG and APG only +- +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); +- +- /* +- * Algorithm Parameter Generator engines +- */ +- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", +- "sun.security.provider.DSAParameterGenerator", attrs); +- attrs.remove("KeySize"); +- +- /* +- * Algorithm Parameter engines +- */ +- addWithAlias(p, "AlgorithmParameters", "DSA", +- "sun.security.provider.DSAParameters", attrs); +- +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- +- /* +- * Digest engines +- */ +- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); +- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); +- +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); + + /* + * Certificates +diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 8c9e4f9dbe6..9eeb3013e0d 100644 +--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAAlgorithmParameters; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; +@@ -56,6 +57,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -249,85 +254,86 @@ public final class SunEC extends Provider { + + putXDHEntries(); + putEdDSAEntries(); +- +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderService(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", +- List.of("EllipticCurve"), ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* ++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ++ List.of("EllipticCurve"), ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -344,23 +350,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, "KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -375,21 +383,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..7622622 --- /dev/null +++ b/SOURCES/rh1996182-extend_security_policy.patch @@ -0,0 +1,18 @@ +commit bfd7c5dae9c15266799cb885b8c60199217b65b9 +Author: Andrew Hughes +Date: Mon Aug 30 16:14:14 2021 +0100 + + RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access + +diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy +index 8356e56367b..23925f048be 100644 +--- openjdk.orig/src/java.base/share/lib/security/default.policy ++++ openjdk/src/java.base/share/lib/security/default.policy +@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch new file mode 100644 index 0000000..475c521 --- /dev/null +++ b/SOURCES/rh1996182-login_to_nss_software_token.patch @@ -0,0 +1,65 @@ +commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923 +Author: Martin Balao +Date: Sat Aug 28 00:35:44 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 39e69362458..aeb5fc2eb46 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -151,6 +151,7 @@ module java.base { + java.management, + java.naming, + java.rmi, ++ jdk.crypto.cryptoki, + jdk.crypto.ec, + jdk.jartool, + jdk.jlink, +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 112b639aa96..5d3963ea893 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; +@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch new file mode 100644 index 0000000..1b706a1 --- /dev/null +++ b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch @@ -0,0 +1,19 @@ +Remove uses of FAR in jpeg code + +Upstream libjpeg-trubo removed the (empty) FAR macro: +http://sourceforge.net/p/libjpeg-turbo/code/1312/ + +Adjust our code to not use the undefined FAR macro anymore. + +diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +@@ -1385,7 +1385,7 @@ + /* and fill it in */ + dst_ptr = icc_data; + for (seq_no = first; seq_no < last; seq_no++) { +- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; ++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; + unsigned int length = + icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; + diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec new file mode 100644 index 0000000..423d0ec --- /dev/null +++ b/SPECS/java-17-openjdk.spec @@ -0,0 +1,2903 @@ +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-17-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug +# +# Only produce a debug build on x86_64: +# $ fedpkg local --without release +# +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# With LTO flags enabled, debuginfo checks fail for some reason. Disable +# LTO for a passing build. This really needs to be looked at. +%define _lto_cflags %{nil} + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global debug_on with full debugging on +%global fastdebug_on with minimal debugging on +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global for_fastdebug_on for packages with minimal debugging on +%global for_debug for packages with debugging on + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build debug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{debug_arches} %{arm} +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# See https://bugzilla.redhat.com/show_bug.cgi?id=513605 +# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT +%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libsvml.so) +%global svml_arches x86_64 + +# By default, we build a debug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable both builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif + +%ifarch %{bootstrap_arches} +%global bootstrap_build 1 +%else +%global bootstrap_build 1 +%endif + +%if %{bootstrap_build} +%global release_targets bootcycle-images docs-zip +%else +%global release_targets images docs-zip +%endif +# No docs nor bootcycle for debug builds +%global debug_targets images + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%endif + + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path +# the initialization must be here. Later the pkg-config have buggy behavior +# looks like openjdk RPM specific bug +# Always set this so the nss.cfg file is not broken +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _build_cpu +%ifarch x86_64 +%global archinstall amd64 +%endif +%ifarch ppc +%global archinstall ppc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%endif +%ifarch %{ix86} +%global archinstall i686 +%endif +%ifarch ia64 +%global archinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%endif +%ifarch %{arm} +%global archinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%endif +%ifnarch %{jit_arches} +%global archinstall %{_arch} +%endif + + + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 17 +%global interimver 0 +%global updatever 0 +%global patchver 0 +# If you bump featurever, you must also bump vendor_version_string +# Used via new version scheme. JDK 17 was +# GA'ed in September 2021 => 21.9 +%global vendor_version_string 21.9 +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, +# and this it is better to change it here, on single place +%global buildjdkver 17 +# We don't add any LTS designator for STS packages (this package). +# Neither for Fedora nor EPEL which would have %%{rhel} macro defined. + %global lts_designator "" + %global lts_designator_zip "" + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 3.15.0 + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{origin} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 35 +%global rpmrelease 3 +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} + +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global expected_ea_designator "" +%global ea_designator_zip "" +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA +%global expected_ea_designator ea +%global ea_designator_zip -%{expected_ea_designator} +%global extraver .%{expected_ea_designator} +%global eaprefix 0. +%endif + +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global bugs https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.* +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for any debug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka build_cpu as architecture specific directory name. +%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%endif + +# not-duplicated scriptlets for normal/debug packages +%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + + +%define post_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +exit 0 +} + + +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +alternatives \\ + --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ + --slave %{_mandir}/man1/java.1$ext java.1$ext \\ + %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ + %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ + %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + +for X in %{origin} %{javaver} ; do + alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} + + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +# see pretrans where this file is declared +# also see that pretrans is only for non-debug +if [ ! "%{?1}" == %{debug_suffix} ]; then + if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then + sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}} + fi +fi + +exit 0 +} + +%define postun_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + + +%define postun_headless() %{expand: + alternatives --remove java %{jrebindir -- %{?1}}/java + alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} +} + +%define posttrans_script() %{expand: +%{update_desktop_icons} +} + +%define post_devel() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +alternatives \\ + --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ + --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ +%ifarch %{sa_arches} + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif + --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ + --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ + --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ + --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ + --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ + --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ + --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ + --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ + --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ + --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ + --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ + --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ + --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ + --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ + --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ + --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ + %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\ + %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\ + %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\ + %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ + %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ + %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ + %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\ + %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\ + %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\ + %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\ + %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\ + %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\ + %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\ + %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ + %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ + %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + +for X in %{origin} %{javaver} ; do + alternatives \\ + --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +exit 0 +} + +%define postun_devel() %{expand: + alternatives --remove javac %{sdkbindir -- %{?1}}/javac + alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + +update-desktop-database %{_datadir}/applications &> /dev/null || : + +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + +%define posttrans_devel() %{expand: +%{update_desktop_icons} +} + +%define post_javadoc() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc() %{expand: + alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +exit 0 +} + +%define post_javadoc_zip() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc_zip() %{expand: + alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +exit 0 +} + +%define files_jre() %{expand: +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so +} + + +%define files_jre_headless() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%dir %{_sysconfdir}/.java/.systemPrefs +%dir %{_sysconfdir}/.java +%dir %{_jvmdir}/%{sdkdir -- %{?1}} +%{_jvmdir}/%{sdkdir -- %{?1}}/release +%{_jvmdir}/%{jrelnk -- %{?1}} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib +%ifarch %{jit_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so +%ifarch %{svml_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc +%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ +%ifarch %{share_arches} +%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa +%endif +%dir %{etcjavasubdir} +%dir %{etcjavadir -- %{?1}} +%dir %{etcjavadir -- %{?1}}/lib +%dir %{etcjavadir -- %{?1}}/lib/security +%{etcjavadir -- %{?1}}/lib/security/cacerts +%dir %{etcjavadir -- %{?1}}/conf +%dir %{etcjavadir -- %{?1}}/conf/sdp +%dir %{etcjavadir -- %{?1}}/conf/management +%dir %{etcjavadir -- %{?1}}/conf/security +%dir %{etcjavadir -- %{?1}}/conf/security/policy +%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited +%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy + %{etcjavadir -- %{?1}}/conf/security/policy/README.txt +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security +%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access +# these are config templates, thus not config-noreplace +%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template +%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/conf +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/java +%ghost %{_bindir}/%{alt_java_name} +%ghost %{_jvmdir}/jre +%ghost %{_bindir}/keytool +%ghost %{_bindir}/pack200 +%ghost %{_bindir}/rmid +%ghost %{_bindir}/rmiregistry +%ghost %{_bindir}/unpack200 +%ghost %{_jvmdir}/jre-%{origin} +%ghost %{_jvmdir}/jre-%{javaver} +%ghost %{_jvmdir}/jre-%{javaver}-%{origin} +%endif +%endif +} + +%define files_devel() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb +%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver +%{_jvmdir}/%{sdkdir -- %{?1}}/include +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym +%if %{with_systemtap} +%{_jvmdir}/%{sdkdir -- %{?1}}/tapset +%endif +%{_datadir}/applications/*jconsole%{?1}.desktop +%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz + +%if %{with_systemtap} +%dir %{tapsetroot} +%dir %{tapsetdirttapset} +%dir %{tapsetdir} +%{tapsetdir}/*%{_arch}%{?1}.stp +%endif +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/javac +%ghost %{_jvmdir}/java +%ghost %{_jvmdir}/%{alt_java_name} +%ghost %{_bindir}/jlink +%ghost %{_bindir}/jmod +%ghost %{_bindir}/jhsdb +%ghost %{_bindir}/jar +%ghost %{_bindir}/jarsigner +%ghost %{_bindir}/javadoc +%ghost %{_bindir}/javap +%ghost %{_bindir}/jcmd +%ghost %{_bindir}/jconsole +%ghost %{_bindir}/jdb +%ghost %{_bindir}/jdeps +%ghost %{_bindir}/jdeprscan +%ghost %{_bindir}/jimage +%ghost %{_bindir}/jinfo +%ghost %{_bindir}/jmap +%ghost %{_bindir}/jps +%ghost %{_bindir}/jrunscript +%ghost %{_bindir}/jshell +%ghost %{_bindir}/jstack +%ghost %{_bindir}/jstat +%ghost %{_bindir}/jstatd +%ghost %{_bindir}/serialver +%ghost %{_jvmdir}/java-%{origin} +%ghost %{_jvmdir}/java-%{javaver} +%ghost %{_jvmdir}/java-%{javaver}-%{origin} +%endif +%endif +} + +%define files_jmods() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/jmods +} + +%define files_demo() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/demo +%{_jvmdir}/%{sdkdir -- %{?1}}/sample +} + +%define files_src() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip +} + +%define files_static_libs() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a +} + +%define files_javadoc() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java +%endif +%endif +} + +%define files_javadoc_zip() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java-zip +%endif +%endif +} + +# x86 is not supported by OpenJDK 17 +ExcludeArch: %{ix86} + +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +Requires: fontconfig%{?_isa} +Requires: xorg-x11-fonts-Type1 +# Require libXcomposite explicitly since it's only dynamically loaded +# at runtime. Fixes screenshot issues. See JDK-8150954. +Requires: libXcomposite%{?_isa} +# Requires rest of java +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# for java-X-openjdk package's desktop binding +Recommends: gtk3%{?_isa} + +Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} + +# Standard JPackage base provides +Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java%{?1} = %{epoch}:%{version}-%{release} +Provides: jre%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_headless_rpo() %{expand: +# Require /etc/pki/java/cacerts +Requires: ca-certificates +# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros +Requires: javapackages-filesystem +# Require zone-info data provided by tzdata-java sub-package +Requires: tzdata-java >= 2015d +# for support of kernel stream control +# libsctp.so.1 is being `dlopen`ed on demand +Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} +# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, +# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be +# considered as regression +Requires: copy-jdk-configs >= 4.0 +OrderWithRequires: copy-jdk-configs +%endif +# for printing support +Requires: cups-libs +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} +# for optional support of kernel stream control, card reader and printing bindings +Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} + +# Standard JPackage base provides +Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_devel_rpo() %{expand: +# Requires base package +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install tool alternatives +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{alternatives_requires} + +# Standard JPackage devel provides +Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_static_libs_rpo() %{expand: +Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +} + +%define java_jmods_rpo() %{expand: +# Requires devel package +# as jmods are bytecode, they should be OK without any _isa +Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_demo_rpo() %{expand: +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_javadoc_rpo() %{expand: +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install javadoc alternative +Requires(post): %{alternatives_requires} +# Postun requires alternatives to uninstall javadoc alternative +Requires(postun): %{alternatives_requires} + +# Standard JPackage javadoc provides +Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_src_rpo() %{expand: +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +# Standard JPackage sources provides +Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 + +Name: java-%{javaver}-%{origin} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{featurever} Runtime Environment + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + + +# to regenerate source0 (jdk) run update_package.sh +# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives +Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz +#Source0: openjdk-jdk%{featurever}-jdk-%{filever}+%{buildver}.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (3.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +Source9: jconsole.desktop.in + +# Release notes +Source10: NEWS + +# nss configuration file +Source11: nss.cfg.in + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# nss fips configuration file +Source17: nss.fips.cfg.in + +############################################ +# +# RPM/distribution specific patches +# +############################################ + +# NSS via SunPKCS11 Provider (disabled comment +# due to memory leak). +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# enable build of speculative store bypass hardened alt-java +Patch600: rh1750419-redhat_alt_java.patch + +# Ignore AWTError when assistive technologies are loaded +Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +# Restrict access to java-atk-wrapper classes +Patch2: rh1648644-java_access_bridge_privileged_security.patch +Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +# Follow system wide crypto policy RHBZ#1249083 +Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch +# PR3695: Allow use of system crypto policy to be disabled by the user +Patch5: pr3695-toggle_system_crypto_policy.patch +# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo +Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch + +# FIPS support patches +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +Patch1002: rh1818909-fips_default_keystore_type.patch +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +Patch1007: rh1915071-always_initialise_configurator_access.patch +# RH1929465: Improve system FIPS detection +Patch1008: rh1929465-improve_system_FIPS_detection.patch +Patch1011: rh1929465-dont_define_unused_throwioexception.patch +# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers +Patch1009: rh1995150-disable_non-fips_crypto.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1010: rh1996182-login_to_nss_software_token.patch +Patch1012: rh1996182-extend_security_policy.patch + +############################################# +# +# OpenJDK patches in need of upstreaming +# +############################################# + +############################################# +# +# OpenJDK patches appearing in 17.0.1 +# +############################################# +# JDK-8272332, RH2004078: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 +Patch100: jdk8272332-rh2004078-broken_harfbuzz_linking.patch + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: fontconfig-devel +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirements for setting up the nss.cfg and FIPS support +BuildRequires: nss-devel >= 3.53 +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +BuildRequires: javapackages-filesystem +BuildRequires: java-17-openjdk-devel +# Zero-assembler build requirement +%ifnarch %{jit_arches} +BuildRequires: libffi-devel +%endif +BuildRequires: tzdata-java >= 2015d +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif +BuildRequires: make + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} %{featurever} runtime environment. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} %{featurever} runtime environment. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +Group: Development/Languages + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} %{featurever} runtime environment. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package headless +Summary: %{origin_nice} %{featurever} Headless Runtime Environment + +%{java_headless_rpo %{nil}} + +%description headless +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%endif + +%if %{include_debug_build} +%package headless-slowdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} + +%{java_headless_rpo -- %{debug_suffix_unquoted}} + +%description headless-slowdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +Group: Development/Languages + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{featurever} Development Environment + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} %{featurever} development tools. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} %{featurever} development tools. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +Group: Development/Tools + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} development tools . +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + +%if %{include_normal_build} +%package static-libs +Summary: %{origin_nice} %{featurever} libraries for static linking + +%{java_static_libs_rpo %{nil}} + +%description static-libs +The %{origin_nice} %{featurever} libraries for static linking. +%endif + +%if %{include_debug_build} +%package static-libs-slowdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on} + +%{java_static_libs_rpo -- %{debug_suffix_unquoted}} + +%description static-libs-slowdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{fastdebug_warning} +%endif + +# staticlibs +%endif + +%if %{include_normal_build} +%package jmods +Summary: JMods for %{origin_nice} %{featurever} + +%{java_jmods_rpo %{nil}} + +%description jmods +The JMods for %{origin_nice} %{featurever}. +%endif + +%if %{include_debug_build} +%package jmods-slowdebug +Summary: JMods for %{origin_nice} %{featurever} %{debug_on} + +%{java_jmods_rpo -- %{debug_suffix_unquoted}} + +%description jmods-slowdebug +The JMods for %{origin_nice} %{featurever}. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package jmods-fastdebug +Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +Group: Development/Tools + +%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} + +%description jmods-fastdebug +The JMods for %{origin_nice} %{featurever}. +%{fastdebug_warning} +%endif + + +%if %{include_normal_build} +%package demo +Summary: %{origin_nice} %{featurever} Demos + +%{java_demo_rpo %{nil}} + +%description demo +The %{origin_nice} %{featurever} demos. +%endif + +%if %{include_debug_build} +%package demo-slowdebug +Summary: %{origin_nice} %{featurever} Demos %{debug_on} + +%{java_demo_rpo -- %{debug_suffix_unquoted}} + +%description demo-slowdebug +The %{origin_nice} %{featurever} demos. +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +Group: Development/Languages + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} %{featurever} demos. +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package src +Summary: %{origin_nice} %{featurever} Source Bundle + +%{java_src_rpo %{nil}} + +%description src +The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever} +class library source code for use by IDE indexers and debuggers. +%endif + +%if %{include_debug_build} +%package src-slowdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} + +%{java_src_rpo -- %{debug_suffix_unquoted}} + +%description src-slowdebug +The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_debug}. +%endif + +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +Group: Development/Languages + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. +%endif + + +%if %{include_normal_build} +%package javadoc +Summary: %{origin_nice} %{featurever} API documentation +Requires: javapackages-filesystem +Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling + +%{java_javadoc_rpo %{nil}} + +%description javadoc +The %{origin_nice} %{featurever} API documentation. +%endif + +%if %{include_normal_build} +%package javadoc-zip +Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +Requires: javapackages-filesystem +Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling + +%{java_javadoc_rpo %{nil}} + +%description javadoc-zip +The %{origin_nice} %{featurever} API documentation compressed in a single archive. +%endif + +%prep +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} + +# Patch the JDK +pushd %{top_level_dir_name} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch100 -p1 +popd # openjdk + +%patch1000 +%patch600 +%patch1001 +%patch1002 +%patch1004 +%patch1007 +%patch1008 +%patch1009 +%patch1010 +%patch1011 +%patch1012 + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif + + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.1 > $OUTPUT_FILE +%else + sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +for suffix in %{build_loop} ; do +for file in %{SOURCE9}; do + FILE=`basename $file | sed -e s:\.in$::g` + EXT="${FILE##*.}" + NAME="${FILE%.*}" + OUTPUT_FILE=$NAME$suffix.$EXT + sed -e "s:@JAVA_HOME@:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE + sed -i -e "s:@JRE_HOME@:%{jrebindir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@ARCH@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_MAJOR_VERSION@:%{featurever}:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE +done +done + +# Setup nss.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg + +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg + +%build +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +# Explicitly set the C++ standard as the default has changed on GCC >= 6 +EXTRA_CFLAGS="%ourcppflags" +EXTRA_CPP_FLAGS="%ourcppflags" + +%ifarch %{power64} ppc +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +export EXTRA_CFLAGS + +for suffix in %{build_loop} ; do +if [ "x$suffix" = "x" ] ; then + debugbuild=release +else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` +fi + +for loop in %{main_suffix} %{staticlibs_loop} ; do + +if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Variable used by configure and hs_err hook on build failures + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up + maketargets="%{release_targets}" + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + fi +else + # Variable used by configure and hs_err hook on build failures + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" +fi + +top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} +top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then + echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; + exit 17 +fi + +mkdir -p ${top_dir_abs_build_path} +pushd ${top_dir_abs_build_path} + +bash ${top_dir_abs_src_path}/configure \ +%ifnarch %{jit_arches} + --with-jvm-variants=zero \ +%endif +%ifarch %{ppc64le} + --with-jobs=1 \ +%endif + --with-version-build=%{buildver} \ + --with-version-pre="${EA_DESIGNATOR}" \ + --with-version-opt=%{lts_designator} \ + --with-vendor-version-string="%{vendor_version_string}" \ + --with-vendor-name="Red Hat, Inc." \ + --with-vendor-url="https://www.redhat.com/" \ + --with-vendor-bug-url="%{bugs}" \ + --with-vendor-vm-bug-url="%{bugs}" \ + --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ + --with-debug-level=$debugbuild \ + --with-native-debug-symbols=internal \ + --enable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=system \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ + --with-stdc++lib=dynamic \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --with-source-date="${SOURCE_DATE_EPOCH}" \ + --disable-javac-server \ +%ifarch %{zgc_arches} + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors + +make \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + +popd >& /dev/null + +# Restore original source tree if we modified it by removing full in-tree sources +if [ -d %{top_level_dir_name_backup} ] ; then + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +fi + +done # end of main / staticlibs loop + +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + +# the build (erroneously) removes read permissions from some jars +# this is a regression in OpenJDK 7 (our compiler): +# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; + +# Build screws up permissions on binaries +# https://bugs.openjdk.java.net/browse/JDK-8173610 +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; +find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; + +# Install nss.cfg right away as we will be using the JRE above +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +# Install nss.cfg right away as we will be using the JRE above +install -m 644 nss.cfg $JAVA_HOME/conf/security/ + +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + +# Use system-wide tzdata +rm $JAVA_HOME/lib/tzdb.dat +ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat + +# Create fake alt-java as a placeholder for future alt-java +pushd ${JAVA_HOME} +# add alt-java man page +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 +cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 +popd + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +#check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +%endif + +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # If this is the empty library, libsyslookup.so, of the foreign function and memory + # API incubation module (JEP 412), skip the debuginfo check as this seems unreliable + # on s390x. It's not very useful for other arches either, so skip unconditionally. + if [ "`basename $lib`" = "libsyslookup.so" ]; then + echo "Skipping debuginfo check for empty library 'libsyslookup.so'" + continue + fi + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre +-- if copy-jdk-configs is in transaction, it installs in pretrans to temp +-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is +-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends +-- whether copy-jdk-configs is installed or not. If so, then configs are copied +-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all +local posix = require "posix" + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end + +SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" +SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" + +local stat1 = posix.stat(SOURCE1, "type"); +local stat2 = posix.stat(SOURCE2, "type"); + + if (stat1 ~= nil) then + if (debug) then + print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.") + end; + package.path = package.path .. ";" .. SOURCE1 +else + if (stat2 ~= nil) then + if (debug) then + print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.") + end; + package.path = package.path .. ";" .. SOURCE2 + else + if (debug) then + print(SOURCE1 .." does NOT exists") + print(SOURCE2 .." does NOT exists") + print("No config files will be copied") + end + return + end +end +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) + +%post +%{post_script %{nil}} + +%post headless +%{post_headless %{nil}} + +%postun +%{postun_script %{nil}} + +%postun headless +%{postun_headless %{nil}} + +%posttrans +%{posttrans_script %{nil}} + +%post devel +%{post_devel %{nil}} + +%postun devel +%{postun_devel %{nil}} + +%posttrans devel +%{posttrans_devel %{nil}} + +%post javadoc +%{post_javadoc %{nil}} + +%postun javadoc +%{postun_javadoc %{nil}} + +%post javadoc-zip +%{post_javadoc_zip %{nil}} + +%postun javadoc-zip +%{postun_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%post slowdebug +%{post_script -- %{debug_suffix_unquoted}} + +%post headless-slowdebug +%{post_headless -- %{debug_suffix_unquoted}} + +%postun slowdebug +%{postun_script -- %{debug_suffix_unquoted}} + +%postun headless-slowdebug +%{postun_headless -- %{debug_suffix_unquoted}} + +%posttrans slowdebug +%{posttrans_script -- %{debug_suffix_unquoted}} + +%post devel-slowdebug +%{post_devel -- %{debug_suffix_unquoted}} + +%postun devel-slowdebug +%{postun_devel -- %{debug_suffix_unquoted}} + +%posttrans devel-slowdebug +%{posttrans_devel -- %{debug_suffix_unquoted}} +%endif + +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} + +%postun headless-fastdebug +%{postun_headless -- %{fastdebug_suffix_unquoted}} + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} + +%endif + +%if %{include_normal_build} +%files +# main package builds always +%{files_jre %{nil}} +%else +%files +# placeholder +%endif + + +%if %{include_normal_build} +%files headless +# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +# all config/noreplace files (and more) have to be declared in pretrans. See pretrans +%{files_jre_headless %{nil}} + +%files devel +%{files_devel %{nil}} + +%if %{include_staticlibs} +%files static-libs +%{files_static_libs %{nil}} +%endif + +%files jmods +%{files_jmods %{nil}} + +%files demo +%{files_demo %{nil}} + +%files src +%{files_src %{nil}} + +%files javadoc +%{files_javadoc %{nil}} + +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only +# same for debug variant +%files javadoc-zip +%{files_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%files slowdebug +%{files_jre -- %{debug_suffix_unquoted}} + +%files headless-slowdebug +%{files_jre_headless -- %{debug_suffix_unquoted}} + +%files devel-slowdebug +%{files_devel -- %{debug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-slowdebug +%{files_static_libs -- %{debug_suffix_unquoted}} +%endif + +%files jmods-slowdebug +%{files_jmods -- %{debug_suffix_unquoted}} + +%files demo-slowdebug +%{files_demo -- %{debug_suffix_unquoted}} + +%files src-slowdebug +%{files_src -- %{debug_suffix_unquoted}} +%endif + +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-fastdebug +%{files_static_libs -- %{fastdebug_suffix_unquoted}} +%endif + +%files jmods-fastdebug +%{files_jmods -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%endif + +%changelog +* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-3 +- Update release notes to document the major changes between OpenJDK 11 & 17. +- Resolves: rhbz#1994059 + +* Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-2 +- Add JDK-8272332 fix so we actually link against HarfBuzz. +- Resolves: rhbz#1994059 + +* Tue Sep 14 2021 Andrew Hughes - 1:17.0.0.0.35-1 +- Update to jdk-17+35, also known as jdk-17-ga. +- Switch to GA mode. +- Resolves: rhbz#1994059 + +* Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea +- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. +- Resolves: rhbz#1997359 + +* Sat Aug 28 2021 Andrew Hughes - 1:17.0.0.0.33-0.4.ea +- Fix unused function compiler warning found in systemconf.c +- Related: rhbz#1995889 + +* Sat Aug 28 2021 Martin Balao - 1:17.0.0.0.33-0.4.ea +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1997359 + +* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.3.ea +- Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. +- Resolves: rhbz#1995889 + +* Fri Aug 27 2021 Andrew Hughes - 1:17.0.0.0.33-0.2.ea +- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. +- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. +- Related: rhbz#1995889 + +* Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.2.ea +- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. +- Related: rhbz#1995889 + +* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.1.ea +- Update RH1655466 FIPS patch with changes in OpenJDK 8 version. +- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. +- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. +- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. +- Disable FIPS mode support unless com.redhat.fips is set to "true". +- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). +- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode +- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) +- Related: rhbz#1995889 + +* Thu Aug 26 2021 Martin Balao - 1:17.0.0.0.33-0.1.ea +- Support the FIPS mode crypto policy (RH1655466) +- Use appropriate keystore types when in FIPS mode (RH1818909) +- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) +- Related: rhbz#1995889 + +* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.0.ea +- Update to jdk-17+33, including JDWP fix and July 2021 CPU +- Resolves: rhbz#1870625 + +* Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.26-0.5.ea +- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. +- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. +- Resolves: rhbz#1870625 + +* Mon Aug 09 2021 Mohan Boddu - 1:17.0.0.0.26-0.4.ea.1 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 14 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.4.ea +- Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again +- Resolves: rhbz#1870625 + +* Tue Jul 13 2021 Jiri Vanek - 1:17.0.0.0.26-0.3.ea +- Add gating support +- Resolves: rhbz#1870625 + +* Fri Jun 25 2021 Severin Gehwolf - 1:17.0.0.0.26-0.2.ea +- Re-enable TestSecurityProperties after inclusion of PR3695 +- Resolves: rhbz#1870625 + +* Fri Jun 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.2.ea +- Add PR3695 to allow the system crypto policy to be turned off +- Resolves: rhbz#1870625 + +* Fri Jun 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.1.ea +- Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. +- Resolves: rhbz#1870625 + +* Thu Jun 24 2021 Severin Gehwolf - 1:17.0.0.0.26-0.1.ea +- Update buildjdkver to 17 so as to build with itself +- Resolves: rhbz#1870625 + +* Mon Jun 21 2021 Andrew Hughes - 1:17.0.0.0.26-0.0.ea +- Rename to java-17-openjdk and bootstrap using boot JDK in local sources +- Exclude x86 as this is not supported by OpenJDK 17 +- Use unzip to test src.zip to avoid looking for jar on path +- Resolves: rhbz#1870625 + +* Fri Jun 11 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.0.ea.rolling +- update sources to jdk 17.0.0+26 +- set is_ga to 0, as this is early access build +- change vendor_version_string +- change path to the version-numbers.conf +- removed rmid binary from files and from slaves +- removed JAVAC_FLAGS=-g from make command, as it breaks the build since JDK-8258407 +- add lib/libsyslookup.so to files +- renamed lib/security/blacklisted.certs to lib/security/blocked.certs +- add lib/libsvml.so for intel +- skip debuginfo check for libsyslookup.so on s390x + +* Fri May 07 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling +- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction + +* Thu Apr 29 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling +- adapted to debug handling in newer cjc +- The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution +- Disable copy-jdk-configs for Flatpak builds + +* Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling +- update to 16.0.1+9 april cpu tag +- dropped jdk8259949-allow_cf-protection_on_x86.patch + +* Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling +- Perform static library build on a separate source tree with bundled image libraries +- Make static library build optional +- Based on initial work by Severin Gehwolf + +* Tue Mar 09 2021 Jiri Vanek - 1:16.0.0.0.36-1.rolling +- fixed suggests of wrong pcsc-lite-devel%{?_isa} to correct pcsc-lite-libs%{?_isa} +- bumped buildjdkver to build by itself - 16 + +* Fri Feb 19 2021 Andrew Hughes - 1:16.0.0.0.36-0.rolling +- Update to jdk-16.0.0.0+36 +- Update tarball generation script to use git following OpenJDK's move to github +- Update tarball generation script to use PR3823 which handles JDK-8235710 changes +- Use upstream default for version-pre rather than setting it to "ea" or "" +- Drop libsunec.so which is no longer generated, thanks to JDK-8235710 +- Drop unnecessary compiler flags, dating back to work on GCC 6 & 10 +- Adapt RH1750419 alt-java patch to still apply after some variable re-naming in the makefiles +- Update filever to remove any trailing zeros, as in the OpenJDK build, and use for source filename +- Use system harfbuzz now this is supported. +- Pass SOURCE_DATE_EPOCH to build for reproducible builds + +* Fri Feb 19 2021 Stephan Bergmann - 1:15.0.2.0.7-1.rolling +- Hardcode /usr/sbin/alternatives for Flatpak builds + +* Tue Jan 26 2021 Fedora Release Engineering - 1:15.0.2.0.7-0.rolling.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Jan 22 2021 Andrew Hughes - 1:15.0.2.0.7-0.rolling +- Update to jdk-15.0.2.0+7 +- Add release notes for 15.0.1.0 & 15.0.2.0 +- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly. +- Still use 15.0.x rather than 15.0.x.0 for file naming, as the trailing zero is omitted from tags. +- Cleanup debug package descriptions and version number placement. +- Remove unused patch files. + +* Tue Jan 19 2021 Andrew Hughes - 1:15.0.1.9-10.rolling +- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV) + +* Tue Dec 22 2020 Jiri Vanek - 1:15.0.1.9-9.rolling +- fixed missing condition for fastdebug packages being counted as debug ones + +* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-8.rolling +- removed lib-style provides for fastdebug_suffix_unquoted + +* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling +- many cosmetic changes taken from more maintained jdk11 +- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches + instead of various hardcoded ifarches +- updated systemtap +- added requires excludes for debug pkgs +- removed redundant logic around jsa files +- added runtime requires of lksctp-tools and libXcomposite% +- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies +- s390x excluded form fastdebug build + +* Thu Dec 17 2020 Andrew Hughes - 1:15.0.1.9-5.rolling +- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched +- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly +- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures + +* Wed Dec 9 2020 Jiri Vanek - 1:15.0.1.9-4.rolling +- moved wrongly placed licenses to accompany other ones +- this bad placement was killng parallel-installability and thus having bad impact to leapp if used + +* Tue Dec 01 2020 Jiri Vanek - 1:15.0.1.9-3.rolling +- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch +- no longer copying of java->alt-java as it is created by patch600 + +* Mon Nov 23 2020 Jiri Vanek - 1:15.0.1.9-2.rolling +- Create a copy of java as alt-java with alternatives and man pages +- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there... + +* Sun Oct 25 2020 Petra Alice Mikova - 1:15.0.1.9-1.rolling +- updated to October CPU 2020 sources + +* Thu Oct 22 2020 Severin Gehwolf - 1:15.0.0.36-4.rolling +- Fix directory ownership of -static-libs sub-package. + +* Fri Oct 09 2020 Jiri Vanek - 1:15.0.0.36-3.rolling +- Build static-libs-image and add resulting files via -static-libs sub-package. +- Disable stripping of debug symbols for static libraries part of the -static-libs sub-package. +- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard. +- Update static-libs packaging to new layout + +* Mon Sep 21 2020 Petra Alice Mikova - 1:15.0.0.36-2.rolling +- Add support for fastdebug builds on 64 bit architectures + +* Tue Sep 15 2020 Severin Gehwolf - 1:15.0.0.36-1.rolling +- Remove EA designation +- Re-generate sources with PR3803 patch + +* Mon Aug 31 2020 Petra Alice Mikova - 1:15.0.0.36-0.1.ea.rolling +- Update to jdk 15.0.0.36 tag +- Modify rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +- Update vendor version string to 20.9 +- jjs removed from packaging after JEP 372: Nashorn removal +- rmic removed from packaging after JDK-8225319 + +* Mon Jul 27 2020 Severin Gehwolf - 1:14.0.2.12-2.rolling +- Disable LTO so as to pass debuginfo check + +* Wed Jul 22 2020 Petra Alice Mikova - 1:14.0.2.12-1.rolling +- update to jdk 14.0.2.12 CPU version +- remove upstreamed patch jdk8237879-make_4_3_build_fixes.patch +- remove upstreamed patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h.patch +- remove upstreamed patch jdk8243059-build_fails_when_with_vendor_contains_comma.patch + +* Thu Jul 09 2020 Andrew Hughes - 1:14.0.1.7-4.rolling +- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds. +- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk. + +* Thu May 14 2020 Petra Alice Mikova - 1:14.0.1.7-3.rolling +- introduce patch jdk8235833-posixplatform_cpp_should_not_include_sysctl_h to fix build issues in rawhide +- rename and reorganize patch sections + +* Thu Apr 23 2020 Severin Gehwolf - 1:14.0.1.7-2.rolling +- Fix vendor version to 20.3 (from 19.9) + +* Fri Apr 17 2020 Petra Alice Mikova - 1:14.0.1.7-1.rolling +- April security update +- uploaded new src tarball + +* Wed Apr 08 2020 Jiri Vanek - 1:14.0.0.36-4.rolling +- set vendor property and vendor urls +- made urls to be preconfigured by os + +* Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling +- Remove s390x workaround flags for GCC 10 +- bump buildjdkver to 14 +- uploaded new src tarball + +* Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling +- removed a whitespace causing fail of postinstall script +- removed backslashes at the end of alternatives command + +* Fri Mar 13 2020 Petra Alice Mikova - 1:14.0.0.36-1.rolling +- update to jdk 14+36 ga build +- remove JDK-8224851 patch, as OpenJDK 14 already contains it +- removed pack200 and unpack200 binaries, slaves, manpages and libunpack.so library +- added listings for jpackage binary, manpages and added slave records to alternatives + +* Thu Mar 12 2020 Petra Alice Mikova - 1:13.0.2.8-4.rolling +- add patch for build issues with make 4.3 + +* Thu Feb 27 2020 Severin Gehwolf - 1:13.0.2.8-3.rolling +- add workaround for issues with build with GCC10 on s390x (see RHBZ#1799531) +- fix issues with build with GCC10: JDK-8224851, -fcommon switch + +* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling +- Add JDK-8224851 patch to resolve aarch64 issues + +* Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling +- fix Release, as it was broken by last rpmdev-bumpspec + +* Wed Jan 29 2020 Fedora Release Engineering - 1:13.0.2.8-1.rolling.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 17 2020 Petra Alice Mikova - 1:13.0.2.8-1.rolling +- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch +- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch +- updated sources to the 13.0.2+8 tag + +* Fri Oct 25 2019 Petra Alice Mikova - 1:13.0.1.9-2.rolling +- Fixed hardcoded major version in jdk13u to macro +- added jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch +- added jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch + +* Mon Oct 21 2019 Petra Alice Mikova - 1:13.0.1.9-1.rolling +- Updated to October 2019 CPU sources + +* Wed Oct 16 2019 Petra Alice Mikova - 1:13.0.0.33-3.rolling +- synced up generate tarball script with other OpenJDK packages +- dropped pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch from the sources +- regenerated sources with the updated script + +* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling +- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it. + +* Wed Oct 02 2019 Andrew John Hughes - 1:13.0.0.33-3.rolling +- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime. +- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency +- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency +- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency + +* Wed Oct 02 2019 Andrew Hughes - 1:13.0.0.33-3.rolling +- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively. + +* Tue Oct 01 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling +- Don't produce javadoc/javadoc-zip sub packages for the + debug variant build. +- Don't perform a bootcycle build for the debug variant build. + +* Mon Sep 30 2019 Severin Gehwolf - 1:13.0.0.33-2.rolling +- Fix vendor version as JDK 13 has been GA'ed September 2019: 19.3 => 19.9 + +* Wed Aug 14 2019 Petra Alice Mikova - 1:13.0.0.33-1.rolling +- updated to 13+33 sources +- added two manpages to file listings (jfr, jaotc) +- set is_ga to 1 to match build from jdk.java.net + +* Fri Jul 26 2019 Severin Gehwolf - 1:13.0.0.28-0.2.ea.rolling +- Fix bootjdkver macro. It attempted to build with jdk 12, which is + no longer available in rawhide (it's 13 instead). +- Fix Release as rpmdev-bumpspec doesn't do it correctly. + +* Thu Jul 25 2019 Fedora Release Engineering - 1:13.0.0.28-0.1.ea.rolling.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jul 09 2019 Petra Alice Mikova - 1:13.0.0.28-0.1.ea.rolling +- updated to jdk 13 +- adapted pr2126-synchronise_elliptic_curves_in_sun_security_ec_namedcurve_with_those_listed_by_nss.patch +- adapted rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +- fixed file listings +- included https://src.fedoraproject.org/rpms/java-11-openjdk/pull-request/49: +- Include 'ea' designator in Release when appropriate +- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately + +* Tue May 21 2019 Petra Alice Mikova - 1:12.0.1.12-2.rolling +- fixed requires/provides for the non-system JDK case (backport of RHBZ#1702324) + +* Thu Apr 18 2019 Petra Mikova - 1:12.0.1.12-1.rolling +- updated sources to current CPU release + +* Thu Apr 04 2019 Petra Mikova - 1:12.0.0.33-4.rolling +- added slave for jfr binary in devel package + +* Thu Mar 21 2019 Petra Mikova - 1:12.0.0.33-3.rolling +- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs. +- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc +- removed LTS string from LTS designator, because epel builds get identified as rhel and JDK 12 is not LTS +- removed duplicated dependency on lksctp-tools + +* Wed Mar 20 2019 Peter Robinson 1:12.0.0.33-2.ea.1.rolling +- Drop chkconfig dep, 1.7 shipped in f24 + +* Thu Mar 07 2019 Petra Mikova - 1:12.0.0.33-1.ea.1.rolling +- bumped sources to jdk12+33 + +* Mon Feb 11 2019 Severin Gehwolf - 1:12.0.0.30-1.ea.1.rolling +- Only build 'bootcycle-images docs' target and 'images docs' targets, respectively. + +* Fri Feb 01 2019 Fedora Release Engineering - 1:12.0.0.25-0.ea.1.rolling.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Dec 21 2018 Jiri Vanek - 1:12.0.0.25-0.ea.1.rolling +- bumped sources to jdk12. Crypto list synced. +- adapted patches to usptream (removed are upstreamed) +- removed fixed upstreamed patch6, jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch: +- renamed patch5, pr1983-rh1565658-..._sunec_provider_jdk11.patch to pr1983-rh1565658-..._sunec_provider_jdk12.patch +- adapted patch5, pr1983-rh1565658 to jdk12 (libraries.m4 and /Lib-jdk.crypto.ec.gmk) +- removed patch8, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch +- removed patch9, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch +- removed patch10, jdk8210647-rh1632174. Is rummored to be in upstream +- removed patch11, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch +- removed patch12, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0 +- removed patch584, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch +- removed patch585, jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch +- set build jdk to jdk11; buildjdkver set to 11 +- todo, revisit _privatelibs and slaves, discuse patch10, more? +- now building with --no-print-directory to workaround JDK8215213 +- renamed original of docs zip to jdk-major+build +- check shenandaoh with -XX:+UnlockExperimentalVMOptions +- libjli moved from lib/libjli to lib +- added lib/jspawnhelper and bin/jfr and conf/sdp/sdp.conf.template +- added explanation to the --no-print-directory +- re-added lts_designator_zip macro +- added patch6 for rh1673833-remove_removal_of_wformat_during_test_compilation.patch + +* Wed Dec 5 2018 Jiri Vanek - 1:11.0.1.13-10.rolling +- for non debug supackages, ghosted all masters and slaves (rhbz1649776) +- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic +- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides + +* Tue Dec 04 2018 Severin Gehwolf - 1:11.0.1.13-9 +- Added %%global _find_debuginfo_opts -g +- Resolves: RHBZ#1520879 (Detailed NMT issue) + +* Fri Nov 30 2018 Jiri Vanek - 1:11.0.1.13-8 +- added rolling suffix to release (before dist) to prevent conflict with java-11-openjdk which now have same major version + +* Mon Nov 12 2018 Jiri Vanek - 1:11.0.1.13-6 +- fixed tck failures of arraycopy and process exec with shenandoah on +- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch + +* Wed Nov 07 2018 Jiri Vanek - 1:11.0.1.13-5 +- headless' suggests of cups, replaced by Requires of cups-libs + +* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3 +- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch + +* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3 +- Use upstream's version of Aarch64 intrinsics disable patch: + - Removed: + RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch + RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch + - Superceded by: + jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch + +* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2 +- Use LTS designator in version output for RHEL. + +* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-1 +- Update to October 2018 CPU release, 11.0.1+13. + +* Wed Oct 17 2018 Severin Gehwolf - 1:11.0.0.28-2 +- Use --with-vendor-version-string=18.9 so as to show original + GA date for the JDK. + +* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.0.28-1 +- Identify as GA version and no longer as early access (EA). +- JDK 11 has been released for GA on 2018-09-25. + +* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9 +- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes + RHBZ-1624122. +- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to + optimize compilation of fdlibm library. +- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so + as to optimize compilation of sharedRuntime{Trig,Trans}.cpp +- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to + optimize compilation of libsaproc (extra c flags won't override + optimization). +- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to + optimize compilation of libjsig. +- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to + optimize compilation of vmStructs.cpp (part of libjvm.so). +- Reinstate filtering of opt flags coming from redhat-rpm-config. + +* Thu Sep 27 2018 Jiri Vanek - 1:11.0.ea.28-8 +- removed version less provides +- javadocdir moved to arched dir as it is no longer noarch + +* Thu Sep 20 2018 Severin Gehwolf - 1:11.0.ea.28-6 +- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch, + so as to disable log math intrinsic on aarch64. Work-around for + JDK-8210858 + +* Thu Sep 13 2018 Severin Gehwolf - 1:11.0.ea.28-5 +- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch, + so as to disable dsin/dcos math intrinsics on aarch64. Work-around for + JDK-8210461. + +* Wed Sep 12 2018 Severin Gehwolf - 1:11.0.ea.22-6 +- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to + optimize compilation of fdlibm library. +- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so + as to optimize compilation of sharedRuntime{Trig,Trans}.cpp +- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to + optimize compilation of libsaproc (extra c flags won't override + optimization). +- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to + optimize compilation of vmStructs.cpp (part of libjvm.so). +- No longer filter -O flags from C flags coming from + redhat-rpm-config. + +* Mon Sep 10 2018 Jiri Vanek - 1:11.0.ea.28-4 +- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x + +* Fri Sep 7 2018 Severin Gehwolf - 1:11.0.ea.28-3 +- Enable ZGC on x86_64. + +* Tue Sep 4 2018 Jiri Vanek - 1:11.0.ea.28-2 +- jfr/*jfc files listed for all arches +- lib/classlist do not exists s390, ifarch-ed via jit_arches out + +* Fri Aug 31 2018 Severin Gehwolf - 1:11.0.ea.28-1 +- Update to latest upstream build jdk11+28, the first release + candidate. + +* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8 +- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so + as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue. + +* Thu Aug 23 2018 Jiri Vanek - 1:11.0.ea.22-6 +- dissabled accessibility, fixed provides for main package's debug variant + +* Mon Jul 30 2018 Jiri Vanek - 1:11.0.ea.22-5 +- now buildrequires javapackages-filesystem as the issue with macros should be fixed + +* Wed Jul 18 2018 Jiri Vanek - 1:11.0.ea.22-2 +- changed to build by itself instead of by jdk10 + +* Tue Jul 17 2018 Jiri Vanek - 1:11.0.ea.22-1 +- added Recommends gtk3 for main package +- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped) +- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package +- see RHBZ1598152 +- added trick to catch hs_err files (sgehwolf) +- updated to shenandaoh-jdk-11+22 + +* Sat Jul 07 2018 Jiri Vanek - 1:11.0.ea.20-1 +- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch +- improved a bit generate_source_tarball.sh to serve also for systemtap +- thus deleted generate_tapsets.sh +- simplified and cleared update_package.sh +- moved to single source jdk - from shenandoah/jdk11 +- bumped to latest jdk11+20 +- adapted PR2126 to jdk11+20 +- adapted handling of systemtap sources to new style +- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory) +- shortened summaries and descriptions to around 80 chars +- Hunspell spell checked +- license fixed to correct jdk11 (sgehwolf) +- more correct handling of internal libraries (sgehwolf) +- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815) +- added test for shenandaoh GC presence where expected +- Removed workaround for broken aarch64 slowdebug build +- Removed all defattrs +- Removed no longer necessary cleanup of diz and debuginfo files + +* Fri Jun 22 2018 Jiri Vanek - 1:11.0.ea.19-1 +- updated sources to jdk-11+19 +- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit +- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit + +* Thu Jun 14 2018 Severin Gehwolf - 1:11.0.ea.16-5 +- Revert rename: java-11-openjdk => java-openjdk. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-4 +- Add aarch64 to aot_arches. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-3 +- Rename to package java-11-openjdk. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-2 +- Disable Aarch64 slowdebug build (see JDK-8204331). +- s390x doesn't have the SA even though it's a JIT arch. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-1 +- Initial version of JDK 11 ea based on tag jdk-11+16. +- Removed patches no longer needed or upstream: + sorted-diff.patch (see JDK-8198844) + JDK-8201788-bootcycle-images-jobs.patch + JDK-8201509-s390-atomic_store.patch + JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11) + JDK-8193802-npe-jar-getVersionMap.patch +- Updated and renamed patches: + java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch +- Updated patches for JDK 11: + pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch + +* Tue Jun 12 2018 Severin Gehwolf - 1:10.0.1.10-9 +- Use proper private_libs expression for filtering requires/provides. + +* Fri Jun 08 2018 Severin Gehwolf - 1:10.0.1.10-8 +- Bump release and rebuild for fixed gdb. See RHBZ#1589118. + +* Mon Jun 04 2018 Jiri Vanek - 1:10.0.1.10-7 +- quoted sed expressions, changed possibly confusing # by @ +- added vendor(origin) into icons +- removed last trace of relative symlinks +- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem + +* Thu May 17 2018 Severin Gehwolf - 1:10.0.1.10-5 +- Move to javapackages-filesystem for directory ownership. + Resolves RHBZ#1500288 + +* Mon Apr 30 2018 Severin Gehwolf - 1:10.0.1.10-4 +- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix + RHBZ#1557375. + +* Mon Apr 23 2018 Severin Gehwolf - 1:10.0.1.10-3 +- Inject build flags properly. See RHBZ#1571359 +- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch + since libjsig.so doesn't get linker flags injected properly. + +* Fri Apr 20 2018 Severin Gehwolf - 1:10.0.1.10-2 +- Removed unneeded patches: + PStack-808293.patch + multiple-pkcs11-library-init.patch + ppc_stack_overflow_fix.patch +- Added patches for s390 Zero builds: + JDK-8201495-s390-java-opts.patch + JDK-8201509-s390-atomic_store.patch +- Renamed patches for clarity: + aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch + systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch + bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch + system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch + +* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1 +- updated to security update 1 +- jexec unlinked from path +- used java-openjdk as boot jdk +- aligned provides/requires +- renamed zip javadoc + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12 +- Enable basic EC ciphers test in %%check. + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11 +- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10. +- Resolves RHBZ#1565658 + +* Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10 +- jexec linked to path + +* Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9 +- subpackage(s) replaced by sub-package(s) and other cosmetic changes + +* Tue Apr 03 2018 Jiri Vanek - 1:10.0.0.46-8 +- removed accessibility sub-packages +- kept applied patch and properties files +- debug sub-packages renamed to slowdebug + +* Fri Feb 23 2018 Jiri Vanek - 1:10.0.0.46-1 +- initial load