Update FIPS support to bring in latest changes

- * RH2048582: Support PKCS#12 keystores - * RH2020290: Support TLS 1.3 in FIPS mode - * Add nss.fips.cfg support to OpenJDK tree - * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode - * Remove forgotten dead code from RH2020290 and RH2104724 - * OJ1357: Fix issue on FIPS with a SecurityManager in place - * RH2134669: Add missing attributes when registering services in FIPS mode. - * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class - * RH1940064: Enable XML Signature provider in FIPS mode - * Remove GCC minor versioning (JDK-8284772) to unbreak testing - Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build - require tzdata 2023c
2023-08-25 09:14:14 +02:00 · 2023-08-25 09:14:14 +02:00 · a238aebf8e
parent 43b5b84321
commit a238aebf8e
4 changed files with 1044 additions and 281 deletions
--- a/fips-21u-75ffdc48eda.patch
+++ b/fips-21u-75ffdc48eda.patch
--- a/java-latest-openjdk-portable.spec
+++ b/java-latest-openjdk-portable.spec
@ -383,7 +383,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver fd3de3d95b5
+%global fipsver 75ffdc48eda

 # Standard JPackage naming and versioning defines
 %global origin          openjdk
@ -632,9 +632,6 @@ Source15: TestSecurityProperties.java
 # Ensure vendor settings are correct
 Source16: CheckVendor.java

-# nss fips configuration file
-Source17: nss.fips.cfg.in
-
 # Ensure translations are available for new timezones
 Source18: TestTranslations.java

@ -667,8 +664,8 @@ Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1
 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch

 # Crypto policy and FIPS support patches
-# Patch is generated from the fips-20u tree at https://github.com/rh-openjdk/jdk/tree/fips-20u
-# as follows: git diff %%{vcstag} src make > fips-20u-$(git show -s --format=%h HEAD).patch
+# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
+# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
 # PR3183, RH1340845: Follow system wide crypto policy
@ -691,8 +688,18 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
 # RH2090378: Revert to disabling system security properties and FIPS mode support together
 # RH2104724: Avoid import/export of DH private keys
 # RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# RH2048582: Support PKCS#12 keystores
+# RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
+# OJ1357: Fix issue on FIPS with a SecurityManager in place
+# RH2134669: Add missing attributes when registering services in FIPS mode.
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+# RH1940064: Enable XML Signature provider in FIPS mode
 # Build the systemconf library on all platforms
-# Patch1001: fips-20u-%{fipsver}.patch
+# Remove GCC minor versioning (JDK-8284772) to unbreak testing
+Patch1001: fips-21u-%{fipsver}.patch

 #############################################
 #
@ -761,8 +768,8 @@ BuildRequires: java-latest-openjdk-devel
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2022g required as of JDK-8297804
-BuildRequires: tzdata-java >= 2022g
+# 2023c required as of JDK-8305113
+BuildRequires: tzdata-java >= 2023c

 # cacerts build requirement in portable mode
 BuildRequires: ca-certificates
@ -977,7 +984,7 @@ pushd %{top_level_dir_name}
 %patch3 -p1
 %patch6 -p1
 # Add crypto policy and FIPS support
-# %patch1001 -p1
+%patch1001 -p1
 # nss.cfg PKCS11 support; must come last as it also alters java.security
 %patch1000 -p1
 popd # openjdk
@ -1039,9 +1046,6 @@ done
 # Setup nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg

-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
-
 %build
 %if (0%{?rhel} > 0 && 0%{?rhel} < 8)
 mkdir bootjdk
@ -1151,6 +1155,7 @@ function buildjdk() {
    --with-boot-jdk=${buildjdk} \
    --with-debug-level=${debuglevel} \
    --with-native-debug-symbols="%{debug_symbols}" \
+    --disable-sysconf-nss \
    --enable-unlimited-crypto \
    --with-zlib=%{link_type} \
    --with-freetype=%{link_type} \
@ -1202,9 +1207,6 @@ function installjdk() {
        # Install nss.cfg right away as we will be using the JRE above
        install -m 644 nss.cfg ${imagepath}/conf/security/

-        # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-        install -m 644 nss.fips.cfg ${imagepath}/conf/security/
-
        # Create fake alt-java as a placeholder for future alt-java
        if [ -d man/man1 ] ; then
          pushd ${imagepath}
@ -1632,6 +1634,19 @@ done
 - updated to jdk21 ea
 - updated patch 1001 - rh1648249-add_commented_out_nss_cfg_provider_to_java_security
 - replace smoketests in staticlibs test, as the previous files used were removed by a patch in JDK
+- require tzdata 2023c
+- Update FIPS support to bring in latest changes
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+- * Add nss.fips.cfg support to OpenJDK tree
+- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+- * Remove forgotten dead code from RH2020290 and RH2104724
+- * OJ1357: Fix issue on FIPS with a SecurityManager in place
+- * RH2134669: Add missing attributes when registering services in FIPS mode.
+- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+- * RH1940064: Enable XML Signature provider in FIPS mode
+- * Remove GCC minor versioning (JDK-8284772) to unbreak testing
+- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build

 * Thu Aug 03 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.2.0.9-1.rolling
 - Update to jdk-20.0.2+9
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@ -1,8 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = sql:/etc/pki/nssdb
-nssDbMode = readOnly
-nssModule = fips
-
-attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@ -1,13 +1,13 @@
-diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 5149edba0e5..7676c695b36 100644
--- a/src/java.base/share/conf/security/java.security
-+++ b/src/java.base/share/conf/security/java.security
-@@ -84,6 +84,8 @@ security.provider.tbd=SunMSCAPI
+diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
+index 68a9c1a2d08..7aa25eb2cb7 100644
+--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
 security.provider.tbd=Apple
 #endif
 security.provider.tbd=SunPKCS11
 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
-+
 
 #
- # A list of preferred providers for specific algorithms. These providers will
+ # Security providers used when FIPS mode support is active
+