Update FIPS support to bring in latest changes
- * RH2048582: Support PKCS#12 keystores - * RH2020290: Support TLS 1.3 in FIPS mode - * Add nss.fips.cfg support to OpenJDK tree - * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode - * Remove forgotten dead code from RH2020290 and RH2104724 - * OJ1357: Fix issue on FIPS with a SecurityManager in place - * RH2134669: Add missing attributes when registering services in FIPS mode. - * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class - * RH1940064: Enable XML Signature provider in FIPS mode - * Remove GCC minor versioning (JDK-8284772) to unbreak testing - Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build - require tzdata 2023c
This commit is contained in:
parent
43b5b84321
commit
a238aebf8e
@ -383,7 +383,7 @@
|
|||||||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||||
# Define current Git revision for the FIPS support patches
|
# Define current Git revision for the FIPS support patches
|
||||||
%global fipsver fd3de3d95b5
|
%global fipsver 75ffdc48eda
|
||||||
|
|
||||||
# Standard JPackage naming and versioning defines
|
# Standard JPackage naming and versioning defines
|
||||||
%global origin openjdk
|
%global origin openjdk
|
||||||
@ -632,9 +632,6 @@ Source15: TestSecurityProperties.java
|
|||||||
# Ensure vendor settings are correct
|
# Ensure vendor settings are correct
|
||||||
Source16: CheckVendor.java
|
Source16: CheckVendor.java
|
||||||
|
|
||||||
# nss fips configuration file
|
|
||||||
Source17: nss.fips.cfg.in
|
|
||||||
|
|
||||||
# Ensure translations are available for new timezones
|
# Ensure translations are available for new timezones
|
||||||
Source18: TestTranslations.java
|
Source18: TestTranslations.java
|
||||||
|
|
||||||
@ -667,8 +664,8 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1
|
|||||||
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
||||||
|
|
||||||
# Crypto policy and FIPS support patches
|
# Crypto policy and FIPS support patches
|
||||||
# Patch is generated from the fips-20u tree at https://github.com/rh-openjdk/jdk/tree/fips-20u
|
# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
|
||||||
# as follows: git diff %%{vcstag} src make > fips-20u-$(git show -s --format=%h HEAD).patch
|
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
|
||||||
# Diff is limited to src and make subdirectories to exclude .github changes
|
# Diff is limited to src and make subdirectories to exclude .github changes
|
||||||
# Fixes currently included:
|
# Fixes currently included:
|
||||||
# PR3183, RH1340845: Follow system wide crypto policy
|
# PR3183, RH1340845: Follow system wide crypto policy
|
||||||
@ -691,8 +688,18 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
|||||||
# RH2090378: Revert to disabling system security properties and FIPS mode support together
|
# RH2090378: Revert to disabling system security properties and FIPS mode support together
|
||||||
# RH2104724: Avoid import/export of DH private keys
|
# RH2104724: Avoid import/export of DH private keys
|
||||||
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
|
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
|
||||||
|
# RH2048582: Support PKCS#12 keystores
|
||||||
|
# RH2020290: Support TLS 1.3 in FIPS mode
|
||||||
|
# Add nss.fips.cfg support to OpenJDK tree
|
||||||
|
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||||
|
# Remove forgotten dead code from RH2020290 and RH2104724
|
||||||
|
# OJ1357: Fix issue on FIPS with a SecurityManager in place
|
||||||
|
# RH2134669: Add missing attributes when registering services in FIPS mode.
|
||||||
|
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
|
||||||
|
# RH1940064: Enable XML Signature provider in FIPS mode
|
||||||
# Build the systemconf library on all platforms
|
# Build the systemconf library on all platforms
|
||||||
# Patch1001: fips-20u-%{fipsver}.patch
|
# Remove GCC minor versioning (JDK-8284772) to unbreak testing
|
||||||
|
Patch1001: fips-21u-%{fipsver}.patch
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
#
|
#
|
||||||
@ -761,8 +768,8 @@ BuildRequires: java-latest-openjdk-devel
|
|||||||
%ifarch %{zero_arches}
|
%ifarch %{zero_arches}
|
||||||
BuildRequires: libffi-devel
|
BuildRequires: libffi-devel
|
||||||
%endif
|
%endif
|
||||||
# 2022g required as of JDK-8297804
|
# 2023c required as of JDK-8305113
|
||||||
BuildRequires: tzdata-java >= 2022g
|
BuildRequires: tzdata-java >= 2023c
|
||||||
|
|
||||||
# cacerts build requirement in portable mode
|
# cacerts build requirement in portable mode
|
||||||
BuildRequires: ca-certificates
|
BuildRequires: ca-certificates
|
||||||
@ -977,7 +984,7 @@ pushd %{top_level_dir_name}
|
|||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
# Add crypto policy and FIPS support
|
# Add crypto policy and FIPS support
|
||||||
# %patch1001 -p1
|
%patch1001 -p1
|
||||||
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
||||||
%patch1000 -p1
|
%patch1000 -p1
|
||||||
popd # openjdk
|
popd # openjdk
|
||||||
@ -1039,9 +1046,6 @@ done
|
|||||||
# Setup nss.cfg
|
# Setup nss.cfg
|
||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
||||||
|
|
||||||
# Setup nss.fips.cfg
|
|
||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
|
%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
|
||||||
mkdir bootjdk
|
mkdir bootjdk
|
||||||
@ -1151,6 +1155,7 @@ function buildjdk() {
|
|||||||
--with-boot-jdk=${buildjdk} \
|
--with-boot-jdk=${buildjdk} \
|
||||||
--with-debug-level=${debuglevel} \
|
--with-debug-level=${debuglevel} \
|
||||||
--with-native-debug-symbols="%{debug_symbols}" \
|
--with-native-debug-symbols="%{debug_symbols}" \
|
||||||
|
--disable-sysconf-nss \
|
||||||
--enable-unlimited-crypto \
|
--enable-unlimited-crypto \
|
||||||
--with-zlib=%{link_type} \
|
--with-zlib=%{link_type} \
|
||||||
--with-freetype=%{link_type} \
|
--with-freetype=%{link_type} \
|
||||||
@ -1202,9 +1207,6 @@ function installjdk() {
|
|||||||
# Install nss.cfg right away as we will be using the JRE above
|
# Install nss.cfg right away as we will be using the JRE above
|
||||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||||
|
|
||||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
|
||||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
|
||||||
|
|
||||||
# Create fake alt-java as a placeholder for future alt-java
|
# Create fake alt-java as a placeholder for future alt-java
|
||||||
if [ -d man/man1 ] ; then
|
if [ -d man/man1 ] ; then
|
||||||
pushd ${imagepath}
|
pushd ${imagepath}
|
||||||
@ -1632,6 +1634,19 @@ done
|
|||||||
- updated to jdk21 ea
|
- updated to jdk21 ea
|
||||||
- updated patch 1001 - rh1648249-add_commented_out_nss_cfg_provider_to_java_security
|
- updated patch 1001 - rh1648249-add_commented_out_nss_cfg_provider_to_java_security
|
||||||
- replace smoketests in staticlibs test, as the previous files used were removed by a patch in JDK
|
- replace smoketests in staticlibs test, as the previous files used were removed by a patch in JDK
|
||||||
|
- require tzdata 2023c
|
||||||
|
- Update FIPS support to bring in latest changes
|
||||||
|
- * RH2048582: Support PKCS#12 keystores
|
||||||
|
- * RH2020290: Support TLS 1.3 in FIPS mode
|
||||||
|
- * Add nss.fips.cfg support to OpenJDK tree
|
||||||
|
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||||
|
- * Remove forgotten dead code from RH2020290 and RH2104724
|
||||||
|
- * OJ1357: Fix issue on FIPS with a SecurityManager in place
|
||||||
|
- * RH2134669: Add missing attributes when registering services in FIPS mode.
|
||||||
|
- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
|
||||||
|
- * RH1940064: Enable XML Signature provider in FIPS mode
|
||||||
|
- * Remove GCC minor versioning (JDK-8284772) to unbreak testing
|
||||||
|
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
|
||||||
|
|
||||||
* Thu Aug 03 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.2.0.9-1.rolling
|
* Thu Aug 03 2023 Jiri Vanek <jvanek@redhat.com> - 1:20.0.2.0.9-1.rolling
|
||||||
- Update to jdk-20.0.2+9
|
- Update to jdk-20.0.2+9
|
||||||
|
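Review bot: The new `--disable-sysconf-nss` configure flag in the buildjdk() option list is added without a comment, while the same commit deletes the local nss.fips.cfg.in that previously pinned `nssSecmodDirectory = sql:/etc/pki/nssdb`, `nssDbMode = readOnly` and `nssModule = fips` and drops the sed step that produced nss.fips.cfg from it; the spec now gives a reader no visible source for those FIPS settings. Add a line above the flag, e.g. `# nss.fips.cfg is generated by the in-tree FIPS patches (Patch1001) rather than from a local template`, and state what --disable-sysconf-nss selects in that generation (presumably whether the NSS library directory is taken from the build host's system configuration rather than the packaged %{NSS_LIBDIR}, but confirm this against the fips-21u tree). Since nothing in the spec asserts the installed conf/security/nss.fips.cfg contents any more, a %check-time grep for the readOnly and fips values the deleted template carried would keep that regression visible. buildjdk() starts and ends outside the hunk.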
@ -1,8 +0,0 @@
|
|||||||
name = NSS-FIPS
|
|
||||||
nssLibraryDirectory = @NSS_LIBDIR@
|
|
||||||
nssSecmodDirectory = sql:/etc/pki/nssdb
|
|
||||||
nssDbMode = readOnly
|
|
||||||
nssModule = fips
|
|
||||||
|
|
||||||
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
|
||||||
|
|
@ -1,13 +1,13 @@
|
|||||||
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
|
diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
|
||||||
index 5149edba0e5..7676c695b36 100644
|
index 68a9c1a2d08..7aa25eb2cb7 100644
|
||||||
--- a/src/java.base/share/conf/security/java.security
|
--- openjdk.orig/src/java.base/share/conf/security/java.security
|
||||||
+++ b/src/java.base/share/conf/security/java.security
|
+++ openjdk/src/java.base/share/conf/security/java.security
|
||||||
@@ -84,6 +84,8 @@ security.provider.tbd=SunMSCAPI
|
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
|
||||||
security.provider.tbd=Apple
|
security.provider.tbd=Apple
|
||||||
#endif
|
#endif
|
||||||
security.provider.tbd=SunPKCS11
|
security.provider.tbd=SunPKCS11
|
||||||
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
|
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||||
+
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# A list of preferred providers for specific algorithms. These providers will
|
# Security providers used when FIPS mode support is active
|
||||||
|
|
||||||
|
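Review bot: The regenerated patch now matches the context line `# Security providers used when FIPS mode support is active` instead of the upstream `# A list of preferred providers for specific algorithms...`, and its paths are `openjdk.orig/`/`openjdk/` rather than `a/`/`b/`; as far as the hunk shows, that context line is not present in an unpatched java.security, so this patch appears to apply only after the FIPS patch (Patch1001) has rewritten the file. That makes the ordering a hard dependency rather than a preference, and the spec's `# nss.cfg PKCS11 support; must come last as it also alters java.security` comment next to `%patch1000 -p1` should say that it now depends on Patch1001's context. The patch also drops the extra `+` blank line (the hunk count goes from +8 to +7), which is fine but worth a word in the changelog so the diff against the previous patch is not mistaken for an accidental loss.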