diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 7c3db6f..3bf0eec 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 35 -%global rpmrelease 3 +%global rpmrelease 4 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1176,8 +1176,12 @@ Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch Patch1007: rh1915071-always_initialise_configurator_access.patch # RH1929465: Improve system FIPS detection Patch1008: rh1929465-improve_system_FIPS_detection.patch +Patch1011: rh1929465-dont_define_unused_throwioexception.patch # RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers Patch1009: rh1995150-disable_non-fips_crypto.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1010: rh1996182-login_to_nss_software_token.patch +Patch1012: rh1996182-extend_security_policy.patch ############################################# # @@ -1541,6 +1545,9 @@ popd # openjdk %patch1007 %patch1008 %patch1009 +%patch1010 +%patch1011 +%patch1012 # Extract systemtap tapsets %if %{with_systemtap} @@ -2267,6 +2274,13 @@ cjc.mainProgram(args) %endif %changelog +* Thu Sep 30 2021 Andrew Hughes - 1:17.0.0.0.35-4.rolling +- Fix unused function compiler warning found in systemconf.c +- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. + +* Thu Sep 30 2021 Martin Balao - 1:17.0.0.0.35-4.rolling +- Add patch to login to the NSS software token when in FIPS mode. + * Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-3.rolling - Update release notes to document the major changes between OpenJDK 11 & 17. diff --git a/rh1929465-dont_define_unused_throwioexception.patch b/rh1929465-dont_define_unused_throwioexception.patch new file mode 100644 index 0000000..eba090f --- /dev/null +++ b/rh1929465-dont_define_unused_throwioexception.patch @@ -0,0 +1,69 @@ +commit 90e344e7d4987af610fa0054c92d18fe1c2edd41 +Author: Andrew Hughes +Date: Sat Aug 28 01:15:28 2021 +0100 + + RH1929465: Don't define unused throwIOException function when using NSS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..38919d6bb0f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -34,14 +34,34 @@ + + #include "java_security_SystemConfigurator.h" + +-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" + #define MSG_MAX_SIZE 96 + + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read ++#ifndef SYSCONF_NSS ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++#endif ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} + + /* + * Class: java_security_SystemConfigurator +@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + + #endif // SYSCONF_NSS + } +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); +- } +-} diff --git a/rh1996182-extend_security_policy.patch b/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..7622622 --- /dev/null +++ b/rh1996182-extend_security_policy.patch @@ -0,0 +1,18 @@ +commit bfd7c5dae9c15266799cb885b8c60199217b65b9 +Author: Andrew Hughes +Date: Mon Aug 30 16:14:14 2021 +0100 + + RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access + +diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy +index 8356e56367b..23925f048be 100644 +--- openjdk.orig/src/java.base/share/lib/security/default.policy ++++ openjdk/src/java.base/share/lib/security/default.policy +@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch new file mode 100644 index 0000000..475c521 --- /dev/null +++ b/rh1996182-login_to_nss_software_token.patch @@ -0,0 +1,65 @@ +commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923 +Author: Martin Balao +Date: Sat Aug 28 00:35:44 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 39e69362458..aeb5fc2eb46 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -151,6 +151,7 @@ module java.base { + java.management, + java.naming, + java.rmi, ++ jdk.crypto.cryptoki, + jdk.crypto.ec, + jdk.jartool, + jdk.jlink, +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 112b639aa96..5d3963ea893 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; +@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException