Merge rawhide into f35
commit
169d1eef69
@ -9,35 +9,59 @@ public class TestSecurityProperties {
|
|||
// JDK 8
|
||||
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
|
||||
|
||||
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
|
||||
|
||||
private static final String MSG_PREFIX = "DEBUG: ";
|
||||
|
||||
public static void main(String[] args) {
|
||||
if (args.length == 0) {
|
||||
System.err.println("TestSecurityProperties <true|false>");
|
||||
System.err.println("Invoke with 'true' if system security properties should be enabled.");
|
||||
System.err.println("Invoke with 'false' if system security properties should be disabled.");
|
||||
System.exit(1);
|
||||
}
|
||||
boolean enabled = Boolean.valueOf(args[0]);
|
||||
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
|
||||
Properties jdkProps = new Properties();
|
||||
loadProperties(jdkProps);
|
||||
if (enabled) {
|
||||
loadPolicy(jdkProps);
|
||||
}
|
||||
for (Object key: jdkProps.keySet()) {
|
||||
String sKey = (String)key;
|
||||
String securityVal = Security.getProperty(sKey);
|
||||
String jdkSecVal = jdkProps.getProperty(sKey);
|
||||
if (!securityVal.equals(jdkSecVal)) {
|
||||
String msg = "Expected value '" + jdkSecVal + "' for key '" +
|
||||
String msg = "Expected value '" + jdkSecVal + "' for key '" +
|
||||
sKey + "'" + " but got value '" + securityVal + "'";
|
||||
throw new RuntimeException("Test failed! " + msg);
|
||||
} else {
|
||||
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
|
||||
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
|
||||
}
|
||||
}
|
||||
System.out.println("TestSecurityProperties PASSED!");
|
||||
}
|
||||
|
||||
|
||||
private static void loadProperties(Properties props) {
|
||||
String javaVersion = System.getProperty("java.version");
|
||||
System.out.println("Debug: Java version is " + javaVersion);
|
||||
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
|
||||
String propsFile = JDK_PROPS_FILE_JDK_11;
|
||||
if (javaVersion.startsWith("1.8.0")) {
|
||||
propsFile = JDK_PROPS_FILE_JDK_8;
|
||||
}
|
||||
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
|
||||
try (FileInputStream fin = new FileInputStream(propsFile)) {
|
||||
props.load(fin);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Test failed!", e);
|
||||
}
|
||||
}
|
||||
|
||||
private static void loadPolicy(Properties props) {
|
||||
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
|
||||
props.load(fin);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Test failed!", e);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
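Review bot: `if (!securityVal.equals(jdkSecVal))` on the new side dereferences the result of `Security.getProperty(sKey)`, which is null for any key present in the loaded file but absent from the live Security properties, so the test would die with a NullPointerException instead of the intended "Test failed!" diagnostic. Since `jdkSecVal` comes straight from `jdkProps` and cannot be null for a key taken from its `keySet()`, invert the comparison: `if (!jdkSecVal.equals(securityVal)) {`. Separately, `Boolean.valueOf(args[0])` maps anything other than "true" (a typo such as "ture") silently to false, so a mistyped invocation would run the disabled variant and still print PASSED; the usage text promises `<true|false>`, so rejecting other values up front (`if (!"true".equals(args[0]) && !"false".equals(args[0])) { System.err.println("TestSecurityProperties <true|false>"); System.exit(1); }`) keeps the check honest. The TestSecurityProperties class opens before this hunk.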
|
|
@ -1398,7 +1398,7 @@ index a020e1c15d8..6d459fdec01 100644
|
|||
|
||||
// Return the instance of this class or create one if needed.
|
||||
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
|
||||
index ff2bc942c03..d303ae5c8f3 100644
|
||||
index ff2bc942c03..96a3ba4040c 100644
|
||||
--- a/src/java.base/share/classes/java/security/Security.java
|
||||
+++ b/src/java.base/share/classes/java/security/Security.java
|
||||
@@ -32,6 +32,7 @@ import java.net.URL;
|
||||
|
@ -1409,7 +1409,7 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||
import jdk.internal.access.SharedSecrets;
|
||||
import jdk.internal.util.StaticProperty;
|
||||
import sun.security.util.Debug;
|
||||
@@ -47,6 +48,9 @@ import sun.security.jca.*;
|
||||
@@ -47,12 +48,20 @@ import sun.security.jca.*;
|
||||
* implementation-specific location, which is typically the properties file
|
||||
* {@code conf/security/java.security} in the Java installation directory.
|
||||
*
|
||||
|
@ -1419,7 +1419,18 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||
* @author Benjamin Renaud
|
||||
* @since 1.1
|
||||
*/
|
||||
@@ -67,6 +71,19 @@ public final class Security {
|
||||
|
||||
public final class Security {
|
||||
|
||||
+ private static final String SYS_PROP_SWITCH =
|
||||
+ "java.security.disableSystemPropertiesFile";
|
||||
+ private static final String SEC_PROP_SWITCH =
|
||||
+ "security.useSystemPropertiesFile";
|
||||
+
|
||||
/* Are we debugging? -- for developers */
|
||||
private static final Debug sdebug =
|
||||
Debug.getInstance("properties");
|
||||
@@ -67,6 +76,19 @@ public final class Security {
|
||||
}
|
||||
|
||||
static {
|
||||
|
@ -1439,7 +1450,15 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||
// doPrivileged here because there are multiple
|
||||
// things in initialize that might require privs.
|
||||
// (the FileInputStream call and the File.exists call,
|
||||
@@ -99,6 +116,7 @@ public final class Security {
|
||||
@@ -84,6 +106,7 @@ public final class Security {
|
||||
props = new Properties();
|
||||
boolean loadedProps = false;
|
||||
boolean overrideAll = false;
|
||||
+ boolean systemSecPropsEnabled = false;
|
||||
|
||||
// first load the system properties file
|
||||
// to determine the value of security.overridePropertiesFile
|
||||
@@ -99,6 +122,7 @@ public final class Security {
|
||||
if (sdebug != null) {
|
||||
sdebug.println("reading security properties file: " +
|
||||
propFile);
|
||||
|
@ -1447,30 +1466,63 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||
}
|
||||
} catch (IOException e) {
|
||||
if (sdebug != null) {
|
||||
@@ -193,6 +211,28 @@ public final class Security {
|
||||
@@ -193,6 +217,61 @@ public final class Security {
|
||||
}
|
||||
}
|
||||
|
||||
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
|
||||
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
|
||||
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
|
||||
+ if (!SystemConfigurator.configureSysProps(props)) {
|
||||
+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
|
||||
+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
|
||||
+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
|
||||
+ }
|
||||
+ if (!sysUseProps && secUseProps) {
|
||||
+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
|
||||
+ if (!systemSecPropsEnabled) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("WARNING: System properties could not be loaded.");
|
||||
+ sdebug.println("WARNING: System security properties could not be loaded.");
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("System security property support disabled by user.");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ // FIPS support depends on the contents of java.security so
|
||||
+ // ensure it has loaded first
|
||||
+ if (loadedProps) {
|
||||
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
|
||||
+ if (sdebug != null) {
|
||||
+ if (fipsEnabled) {
|
||||
+ sdebug.println("FIPS support enabled.");
|
||||
+ } else {
|
||||
+ sdebug.println("FIPS support disabled.");
|
||||
+ if (loadedProps && systemSecPropsEnabled) {
|
||||
+ boolean shouldEnable;
|
||||
+ String sysProp = System.getProperty("com.redhat.fips");
|
||||
+ if (sysProp == null) {
|
||||
+ shouldEnable = true;
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("com.redhat.fips unset, using default value of true");
|
||||
+ }
|
||||
+ } else {
|
||||
+ shouldEnable = Boolean.valueOf(sysProp);
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
|
||||
+ }
|
||||
+ }
|
||||
+ if (shouldEnable) {
|
||||
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
|
||||
+ if (sdebug != null) {
|
||||
+ if (fipsEnabled) {
|
||||
+ sdebug.println("FIPS mode support configured and enabled.");
|
||||
+ } else {
|
||||
+ sdebug.println("FIPS mode support disabled.");
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (sdebug != null ) {
|
||||
+ sdebug.println("FIPS mode support disabled by user.");
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
|
||||
+ "system security properties being enabled.");
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
@ -1478,10 +1530,10 @@ index ff2bc942c03..d303ae5c8f3 100644
|
|||
/*
|
||||
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
new file mode 100644
|
||||
index 00000000000..da2af5defda
|
||||
index 00000000000..98ffced455b
|
||||
--- /dev/null
|
||||
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -0,0 +1,245 @@
|
||||
@@ -0,0 +1,249 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
|
||||
+ *
|
||||
|
@ -1562,13 +1614,13 @@ index 00000000000..da2af5defda
|
|||
+ * security.useSystemPropertiesFile is true.
|
||||
+ */
|
||||
+ static boolean configureSysProps(Properties props) {
|
||||
+ boolean loadedProps = false;
|
||||
+ boolean systemSecPropsLoaded = false;
|
||||
+
|
||||
+ try (BufferedInputStream bis =
|
||||
+ new BufferedInputStream(
|
||||
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
|
||||
+ props.load(bis);
|
||||
+ loadedProps = true;
|
||||
+ systemSecPropsLoaded = true;
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("reading system security properties file " +
|
||||
+ CRYPTO_POLICIES_JAVA_CONFIG);
|
||||
|
@ -1581,7 +1633,7 @@ index 00000000000..da2af5defda
|
|||
+ e.printStackTrace();
|
||||
+ }
|
||||
+ }
|
||||
+ return loadedProps;
|
||||
+ return systemSecPropsLoaded;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
|
@ -1653,6 +1705,8 @@ index 00000000000..da2af5defda
|
|||
+ sdebug.println("FIPS support enabled without plain key support");
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
|
||||
+ }
|
||||
+ } catch (Exception e) {
|
||||
+ if (sdebug != null) {
|
||||
|
@ -1693,37 +1747,39 @@ index 00000000000..da2af5defda
|
|||
+ return plainKeySupportEnabled;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
|
||||
+ * system property is true (default) and the system is in FIPS mode.
|
||||
+ /**
|
||||
+ * Determines whether FIPS mode should be enabled.
|
||||
+ *
|
||||
+ * OpenJDK FIPS mode will be enabled only if the system is in
|
||||
+ * FIPS mode.
|
||||
+ *
|
||||
+ * Calls to this method only occur if the system property
|
||||
+ * com.redhat.fips is not set to false.
|
||||
+ *
|
||||
+ * There are 2 possible ways in which OpenJDK detects that the system
|
||||
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
|
||||
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
|
||||
+ * /proc/sys/crypto/fips_enabled file is read.
|
||||
+ *
|
||||
+ * @return true if the system is in FIPS mode
|
||||
+ */
|
||||
+ private static boolean enableFips() throws Exception {
|
||||
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
+ if (shouldEnable) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
|
||||
+ }
|
||||
+ try {
|
||||
+ boolean fipsEnabled = getSystemFIPSEnabled();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
|
||||
+ + fipsEnabled);
|
||||
+ }
|
||||
+ try {
|
||||
+ shouldEnable = getSystemFIPSEnabled();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
|
||||
+ + shouldEnable);
|
||||
+ }
|
||||
+ return shouldEnable;
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
|
||||
+ sdebug.println(e.getMessage());
|
||||
+ }
|
||||
+ throw e;
|
||||
+ return fipsEnabled;
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
|
||||
+ sdebug.println(e.getMessage());
|
||||
+ }
|
||||
+ } else {
|
||||
+ return false;
|
||||
+ throw e;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
|
@ -2352,7 +2408,7 @@ index 894e26dfad8..8b16378b96b 100644
|
|||
"sun.security.ssl.SSLContextImpl$TLSContext",
|
||||
List.of("SSL"), null);
|
||||
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
||||
index 6d91e3f8e4e..5a355e70cae 100644
|
||||
index 6d91e3f8e4e..adfaf57d29e 100644
|
||||
--- a/src/java.base/share/conf/security/java.security
|
||||
+++ b/src/java.base/share/conf/security/java.security
|
||||
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
|
||||
|
@ -2360,7 +2416,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
|
|||
security.provider.tbd=SunPKCS11
|
||||
|
||||
+#
|
||||
+# Security providers used when global crypto-policies are set to FIPS.
|
||||
+# Security providers used when FIPS mode support is active
|
||||
+#
|
||||
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
|
||||
+fips.provider.2=SUN
|
||||
|
@ -2393,7 +2449,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
|
|||
+# using the system properties file stored at
|
||||
+# /etc/crypto-policies/back-ends/java.config
|
||||
+#
|
||||
+security.useSystemPropertiesFile=true
|
||||
+security.useSystemPropertiesFile=false
|
||||
+
|
||||
#
|
||||
# Determines the default key and trust manager factory algorithms for
|
||||
|
@ -3074,7 +3130,7 @@ index 112b639aa96..5549cd9ed4e 100644
|
|||
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
||||
throw new UnsupportedOperationException
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||
index 5c0aacd1a67..372a50dd587 100644
|
||||
index 5c0aacd1a67..1e98ce2e280 100644
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
|
||||
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
|
||||
|
@ -3087,8 +3143,21 @@ index 5c0aacd1a67..372a50dd587 100644
|
|||
import java.util.*;
|
||||
|
||||
import java.security.AccessController;
|
||||
@@ -152,16 +155,30 @@ public class PKCS11 {
|
||||
@@ -150,18 +153,43 @@ public class PKCS11 {
|
||||
this.pkcs11ModulePath = pkcs11ModulePath;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Compatibility wrapper to allow this method to work as before
|
||||
+ * when FIPS mode support is not active.
|
||||
+ */
|
||||
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
|
||||
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
|
||||
+ boolean omitInitialize) throws IOException, PKCS11Exception {
|
||||
+ return getInstance(pkcs11ModulePath, functionList,
|
||||
+ pInitArgs, omitInitialize, null, null);
|
||||
+ }
|
||||
+
|
||||
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
|
||||
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
|
||||
- boolean omitInitialize) throws IOException, PKCS11Exception {
|
||||
|
@ -3121,7 +3190,7 @@ index 5c0aacd1a67..372a50dd587 100644
|
|||
}
|
||||
if (omitInitialize == false) {
|
||||
try {
|
||||
@@ -1911,4 +1928,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
|
||||
@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
|
||||
super.C_GenerateRandom(hSession, randomData);
|
||||
}
|
||||
}
|
|
@ -190,11 +190,15 @@
|
|||
%global staticlibs_loop %{nil}
|
||||
%endif
|
||||
|
||||
%if 0%{?flatpak}
|
||||
%global bootstrap_build false
|
||||
%else
|
||||
%ifarch %{bootstrap_arches}
|
||||
%global bootstrap_build true
|
||||
%else
|
||||
%global bootstrap_build false
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if %{include_staticlibs}
|
||||
# Extra target for producing the static-libraries. Separate from
|
||||
|
@ -328,7 +332,7 @@
|
|||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||
# Define current Git revision for the FIPS support patches
|
||||
%global fipsver 3625385b13d
|
||||
%global fipsver f8142a23d0a
|
||||
|
||||
# Standard JPackage naming and versioning defines
|
||||
%global origin openjdk
|
||||
|
@ -336,7 +340,7 @@
|
|||
%global top_level_dir_name %{origin}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 7
|
||||
%global rpmrelease 2
|
||||
%global rpmrelease 7
|
||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||
%if %is_system_jdk
|
||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||
|
@ -400,6 +404,10 @@
|
|||
# images directories from upstream build
|
||||
%global jdkimage jdk
|
||||
%global static_libs_image static-libs
|
||||
# installation directory for static libraries
|
||||
%global static_libs_root lib/static
|
||||
%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
|
||||
%global static_libs_install_dir %{static_libs_arch_dir}/glibc
|
||||
# output dir stub
|
||||
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
|
||||
# we can copy the javadoc to not arched dir, or make it not noarch
|
||||
|
@ -544,7 +552,7 @@ alternatives \\
|
|||
--slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
|
||||
%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
|
||||
--slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
|
||||
%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
|
||||
%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
|
||||
|
||||
%{set_if_needed_alternatives $key %{family}}
|
||||
|
||||
|
@ -806,6 +814,7 @@ exit 0
|
|||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
|
||||
|
@ -864,6 +873,7 @@ exit 0
|
|||
%dir %{etcjavadir -- %{?1}}/lib
|
||||
%dir %{etcjavadir -- %{?1}}/lib/security
|
||||
%{etcjavadir -- %{?1}}/lib/security/cacerts
|
||||
%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
|
||||
%dir %{etcjavadir -- %{?1}}/conf
|
||||
%dir %{etcjavadir -- %{?1}}/conf/sdp
|
||||
%dir %{etcjavadir -- %{?1}}/conf/management
|
||||
|
@ -933,7 +943,7 @@ exit 0
|
|||
%ifarch %{sa_arches}
|
||||
%ifnarch %{zero_arches}
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
|
||||
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
|
||||
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
|
||||
%endif
|
||||
%endif
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
|
||||
|
@ -972,11 +982,11 @@ exit 0
|
|||
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
|
||||
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
|
||||
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
|
||||
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
|
||||
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
|
||||
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
|
||||
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
|
||||
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
|
||||
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
|
||||
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
|
||||
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
|
||||
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
|
||||
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
|
||||
|
||||
%if %{with_systemtap}
|
||||
%dir %{tapsetroot}
|
||||
|
@ -1034,10 +1044,10 @@ exit 0
|
|||
}
|
||||
|
||||
%define files_static_libs() %{expand:
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
|
||||
}
|
||||
|
||||
%define files_javadoc() %{expand:
|
||||
|
@ -1327,6 +1337,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
|||
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
||||
# RH2023467: Enable FIPS keys export
|
||||
# RH2094027: SunEC runtime permission for FIPS
|
||||
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
||||
# RH2090378: Revert to disabling system security properties and FIPS mode support together
|
||||
Patch1001: fips-17u-%{fipsver}.patch
|
||||
|
||||
#############################################
|
||||
|
@ -1800,6 +1812,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
|||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
||||
|
||||
%build
|
||||
|
||||
# How many CPU's do we have?
|
||||
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
||||
export NUM_PROC=${NUM_PROC:-1}
|
||||
|
@ -1924,32 +1937,117 @@ function installjdk() {
|
|||
local imagepath=${1}
|
||||
|
||||
if [ -d ${imagepath} ] ; then
|
||||
# the build (erroneously) removes read permissions from some jars
|
||||
# this is a regression in OpenJDK 7 (our compiler):
|
||||
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
||||
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
|
||||
# the build (erroneously) removes read permissions from some jars
|
||||
# this is a regression in OpenJDK 7 (our compiler):
|
||||
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
||||
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
|
||||
|
||||
# Build screws up permissions on binaries
|
||||
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
||||
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
|
||||
find ${imagepath}/bin/ -exec chmod +x {} \;
|
||||
# Build screws up permissions on binaries
|
||||
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
||||
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
|
||||
find ${imagepath}/bin/ -exec chmod +x {} \;
|
||||
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
||||
|
||||
# Use system-wide tzdata
|
||||
rm ${imagepath}/lib/tzdb.dat
|
||||
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
|
||||
# Turn on system security properties
|
||||
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
||||
${imagepath}/conf/security/java.security
|
||||
|
||||
# Use system-wide tzdata
|
||||
mv ${imagepath}/lib/tzdb.dat{,.upstream}
|
||||
ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
|
||||
|
||||
# Rename OpenJDK cacerts database
|
||||
mv ${imagepath}/lib/security/cacerts{,.upstream}
|
||||
# Install cacerts symlink needed by some apps which hard-code the path
|
||||
ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
|
||||
|
||||
# Create fake alt-java as a placeholder for future alt-java
|
||||
pushd ${imagepath}
|
||||
# add alt-java man page
|
||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||
popd
|
||||
fi
|
||||
}
|
||||
|
||||
# Checks on debuginfo must be performed before the files are stripped
|
||||
# by the RPM installation stage
|
||||
function debugcheckjdk() {
|
||||
local imagepath=${1}
|
||||
|
||||
if [ -d ${imagepath} ] ; then
|
||||
|
||||
so_suffix="so"
|
||||
# Check debug symbols are present and can identify code
|
||||
find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
|
||||
do
|
||||
if [ -f "$lib" ] ; then
|
||||
echo "Testing $lib for debug symbols"
|
||||
# All these tests rely on RPM failing the build if the exit code of any set
|
||||
# of piped commands is non-zero.
|
||||
|
||||
# Test for .debug_* sections in the shared object. This is the main test
|
||||
# Stripped objects will not contain these
|
||||
eu-readelf -S "$lib" | grep "] .debug_"
|
||||
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
|
||||
|
||||
# Test FILE symbols. These will most likely be removed by anything that
|
||||
# manipulates symbol tables because it's generally useless. So a nice test
|
||||
# that nothing has messed with symbols
|
||||
old_IFS="$IFS"
|
||||
IFS=$'\n'
|
||||
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
|
||||
do
|
||||
# We expect to see .cpp files, except for architectures like aarch64 and
|
||||
# s390 where we expect .o and .oS files
|
||||
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
|
||||
done
|
||||
IFS="$old_IFS"
|
||||
|
||||
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
|
||||
if [ "`basename $lib`" = "libjvm.so" ]; then
|
||||
eu-readelf -s "$lib" | \
|
||||
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
|
||||
fi
|
||||
|
||||
# Test that there are no .gnu_debuglink sections pointing to another
|
||||
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
|
||||
# no sense either
|
||||
eu-readelf -S "$lib" | grep 'gnu'
|
||||
if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
|
||||
echo "bad .gnu_debuglink section."
|
||||
eu-readelf -x .gnu_debuglink "$lib"
|
||||
false
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
|
||||
# javaCalls.cpp:58 should map to:
|
||||
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
|
||||
# Using line number 1 might cause build problems. See:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
|
||||
gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
|
||||
handle SIGSEGV pass nostop noprint
|
||||
handle SIGILL pass nostop noprint
|
||||
set breakpoint pending on
|
||||
break javaCalls.cpp:58
|
||||
commands 1
|
||||
backtrace
|
||||
quit
|
||||
end
|
||||
run -version
|
||||
EOF
|
||||
%ifarch %{gdb_arches}
|
||||
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
|
||||
%endif
|
||||
|
||||
# Create fake alt-java as a placeholder for future alt-java
|
||||
pushd ${imagepath}
|
||||
# add alt-java man page
|
||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||
popd
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -2019,138 +2117,12 @@ for suffix in %{build_loop} ; do
|
|||
# Final setup on the main image
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
# Check debug symbols were built into the dynamic libraries
|
||||
debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
|
||||
# build cycles
|
||||
done # end of release / debug cycle loop
|
||||
|
||||
%check
|
||||
|
||||
# We test debug first as it will give better diagnostics on a crash
|
||||
for suffix in %{build_loop} ; do
|
||||
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
%if %{include_staticlibs}
|
||||
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
|
||||
%endif
|
||||
|
||||
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
|
||||
#check Shenandoah is enabled
|
||||
%if %{use_shenandoah_hotspot}
|
||||
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
||||
%endif
|
||||
|
||||
# Check unlimited policy has been used
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE13}
|
||||
$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
|
||||
|
||||
# Check ECC is working
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE14}
|
||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
|
||||
|
||||
# Check system crypto (policy) can be disabled
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE15}
|
||||
$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
|
||||
|
||||
# Check java launcher has no SSB mitigation
|
||||
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
|
||||
|
||||
# Check alt-java launcher has SSB mitigation on supported architectures
|
||||
%ifarch %{ssbd_arches}
|
||||
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
|
||||
%else
|
||||
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
|
||||
%endif
|
||||
|
||||
%if %{include_staticlibs}
|
||||
# Check debug symbols in static libraries (smoke test)
|
||||
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
%endif
so_suffix="so"
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
do
if [ -f "$lib" ] ; then
echo "Testing $lib for debug symbols"
# All these tests rely on RPM failing the build if the exit code of any set
# of piped commands is non-zero.
# Test for .debug_* sections in the shared object. This is the main test
# Stripped objects will not contain these
eu-readelf -S "$lib" | grep "] .debug_"
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
# Test FILE symbols. These will most likely be removed by anything that
# manipulates symbol tables because it's generally useless. So a nice test
# that nothing has messed with symbols
old_IFS="$IFS"
IFS=$'\n'
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
do
# We expect to see .cpp files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
done
IFS="$old_IFS"
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
if [ "`basename $lib`" = "libjvm.so" ]; then
eu-readelf -s "$lib" | \
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
fi
# Test that there are no .gnu_debuglink sections pointing to another
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
# no sense either
eu-readelf -S "$lib" | grep 'gnu'
if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
echo "bad .gnu_debuglink section."
eu-readelf -x .gnu_debuglink "$lib"
false
fi
fi
done
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
# javaCalls.cpp:58 should map to:
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
# Using line number 1 might cause build problems. See:
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
handle SIGSEGV pass nostop noprint
handle SIGILL pass nostop noprint
set breakpoint pending on
break javaCalls.cpp:58
commands 1
backtrace
quit
end
run -version
EOF
%ifarch %{gdb_arches}
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
# Check src.zip has all sources. See RHBZ#1130490
$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
# Check class files include useful debugging information
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
# Check generated class files include useful debugging information
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
# build cycles check
done
%install
STRIP_KEEP_SYMTAB=libjvm*
@ -2179,17 +2151,10 @@ pushd ${jdk_image}
install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
for name in $tapsetFiles ; do
targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
done
%endif
# Remove empty cacerts database
rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
# Install cacerts symlink needed by some apps which hard-code the path
pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
ln -sf /etc/pki/java/cacerts .
popd
# Install version-ed symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
@ -2209,11 +2174,12 @@ pushd ${jdk_image}
rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
popd
# Install static libs artefacts
%if %{include_staticlibs}
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
%endif
if ! echo $suffix | grep -q "debug" ; then
@ -2258,21 +2224,85 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
ln -s %{etcjavadir -- $suffix}/conf ./conf
ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf
popd
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
ln -s %{etcjavadir -- $suffix}/lib/security ./security
ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security
popd
# end moving files to /etc
# stabilize permissions
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
# end, dual install
done
%check
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
%endif
# Check unlimited policy has been used
$JAVA_HOME/bin/javac -d . %{SOURCE13}
$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
# Check ECC is working
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
# Check system crypto (policy) is active and can be disabled
# Test takes a single argument - true or false - to state whether system
# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
# Check alt-java launcher has SSB mitigation on supported architectures
%ifarch %{ssbd_arches}
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
%else
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
%endif
# Check src.zip has all sources. See RHBZ#1130490
$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
# Check class files include useful debugging information
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
# Check generated class files include useful debugging information
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
# build cycles check
done
%if %{include_normal_build}
# intentionally only for non-debug
%pretrans headless -p <lua>
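Review bot: The `export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")` line derives the test class name by deleting the first `.java` substring anywhere in the file name rather than stripping the suffix, and the ECC check above it builds the class name from `%{SOURCE14}` the same way; `basename` already accepts a suffix argument, so `PROG=$(basename %{SOURCE15} .java)` does exactly that and drops the nested command substitution. Neither `PROG` nor `SEC_DEBUG` is read by a child process, only expanded on the `$JAVA_HOME/bin/java` lines, so the two `export`s can be plain assignments. The `true` run of the security properties test presumably depends on the build host's system crypto-policy back-end being present in the build environment; a short comment stating that requirement next to `# Check system crypto (policy) is active and can be disabled` would make the dependency visible to whoever next changes the build root. The `%install` loop this hunk begins inside starts outside the hunk.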
@ -2288,7 +2318,7 @@ local posix = require "posix"
if (os.getenv("debug") == "true") then
debug = true;
print("cjc: in spec debug is on")
else
else
debug = false;
end
@ -2517,6 +2547,38 @@ cjc.mainProgram(args)
%endif
%changelog
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-7
- Fix whitespace in spec file
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-7
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
* Tue Jul 05 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-7
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them
* Fri Jul 01 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.3.0.7-6
- Fix flatpak builds by exempting them from bootstrap
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
* Mon Jun 27 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.3.0.7-4
- Fix flatpak builds (catering for their uncompressed manual pages)
* Wed Jun 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
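Review bot: The new `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` entry carries no comment explaining why every generic secret key handled through this provider is created with the CKA_SIGN attribute; the reason is only recoverable from the RH2007331 changelog entry in the spec file. Because the rule is keyed on `*` for the operation and applies to all generic secret keys, a one-line comment above it such as `# RH2007331: SecretKey generate/import must set CKA_SIGN on generic secret keys in FIPS mode` would let a later reviewer judge whether that scope is still the intended one. This is the last line of the file section visible here.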
@ -1,5 +1,5 @@
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 5a355e70cae..c730ea26ea2 100644
index adfaf57d29e..abf89bbf327 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
@ -9,4 +9,4 @@ index 5a355e70cae..c730ea26ea2 100644
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Security providers used when global crypto-policies are set to FIPS.
# Security providers used when FIPS mode support is active