diff --git a/download b/download new file mode 100644 index 0000000000000000000000000000000000000000..603af3d9df055b19fe56043a839ca27c0ac56346 --- /dev/null +++ b/download @@ -0,0 +1,2 @@ +98cc05179da922835dddd115a18c7909 openjdk-jdk17u-jdk-17.0.2+8.tar.xz +5d441d6217cc75372ca5a0943997cb24 tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index daa5a7a1ae817b8662c88989ffba5859525823a1..37747dbc7d6b0c7dc42c7f5c24a55a3d0a6dfb32 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -12,10 +12,7 @@ # # Only produce a release build on x86_64: # $ fedpkg mockbuild --without slowdebug --without fastdebug -# -# Only produce a debug build on x86_64: -# $ fedpkg local --without release -# + # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -24,6 +21,8 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -33,6 +32,13 @@ %global include_staticlibs 0 %endif +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -59,11 +65,11 @@ %global staticlibs_suffix "%{staticlibs_suffix_unquoted}" %global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. -%global debug_on with full debugging on -%global fastdebug_on with minimal debugging on %global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. -%global for_fastdebug_on for packages with minimal debugging on -%global for_debug for packages with debugging on +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation %if %{with release} %global include_normal_build 1 @@ -102,17 +108,20 @@ %global ppc64be ppc64 ppc64p7 # Set of architectures which support multiple ABIs %global multilib_arches %{power64} sparc64 x86_64 -# Set of architectures for which we build debug builds +# Set of architectures for which we build slowdebug builds %global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} %{arm} +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle %global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler %global aot_arches x86_64 %{aarch64} -%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures which support the serviceability agent %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} # Set of architectures which support class data sharing @@ -125,8 +134,10 @@ %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 -# Set of architectures for which java has short vector math library (libsvml.so) +# Set of architectures for which java has short vector math library (libjsvml.so) %global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -169,9 +180,9 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics -%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %if %{include_staticlibs} %global staticlibs_loop %{staticlibs_suffix} @@ -180,27 +191,35 @@ %endif %ifarch %{bootstrap_arches} -%global bootstrap_build 1 +%global bootstrap_build true %else -%global bootstrap_build 1 +%global bootstrap_build false %endif -%if %{bootstrap_build} -%global release_targets bootcycle-images docs-zip -%else -%global release_targets images docs-zip -%endif -# No docs nor bootcycle for debug builds -%global debug_targets images - %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib # and possibly others %global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} %endif +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk + # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 @@ -220,51 +239,63 @@ # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap -# does not match that given by _build_cpu +# does not match that given by _target_cpu %ifarch x86_64 %global archinstall amd64 +%global stapinstall x86_64 %endif %ifarch ppc %global archinstall ppc +%global stapinstall powerpc %endif %ifarch %{ppc64be} %global archinstall ppc64 +%global stapinstall powerpc %endif %ifarch %{ppc64le} %global archinstall ppc64le +%global stapinstall powerpc %endif %ifarch %{ix86} %global archinstall i686 +%global stapinstall i386 %endif %ifarch ia64 %global archinstall ia64 +%global stapinstall ia64 %endif %ifarch s390 %global archinstall s390 +%global stapinstall s390 %endif %ifarch s390x %global archinstall s390x +%global stapinstall s390 %endif %ifarch %{arm} %global archinstall arm +%global stapinstall arm %endif %ifarch %{aarch64} %global archinstall aarch64 +%global stapinstall arm64 %endif # 32 bit sparc, optimized for v9 %ifarch sparcv9 %global archinstall sparc +%global stapinstall %{_target_cpu} %endif # 64 bit sparc %ifarch sparc64 %global archinstall sparcv9 +%global stapinstall %{_target_cpu} %endif -%ifnarch %{jit_arches} -%global archinstall %{_arch} +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} %endif - - %ifarch %{systemtap_arches} %global with_systemtap 1 %else @@ -303,7 +334,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 4 +%global rpmrelease 6 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -316,7 +347,7 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames @@ -421,10 +452,10 @@ # and 32 bit architectures we place the tapsets under the arch # specific dir (note that systemtap will only pickup the tapset # for the primary arch for now). Systemtap uses the machine name -# aka build_cpu as architecture specific directory name. +# aka target_cpu as architecture specific directory name. %global tapsetroot /usr/share/systemtap %global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif # not-duplicated scriptlets for normal/debug packages @@ -462,7 +493,7 @@ alternatives \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ - %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext for X in %{origin} %{javaver} ; do alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} @@ -520,7 +551,9 @@ alternatives \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} +%ifnarch %{zero_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif %endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ @@ -578,7 +611,7 @@ alternatives \\ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ - %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ for X in %{origin} %{javaver} ; do alternatives \\ @@ -710,8 +743,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %ifarch %{svml_arches} @@ -758,7 +793,7 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access -# these are config templates, thus not config-noreplace +# This is a config template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template %config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties @@ -781,6 +816,10 @@ exit 0 %ghost %{_jvmdir}/jre-%{javaver}-%{origin} %endif %endif +# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved } %define files_devel() %{expand: @@ -799,9 +838,11 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -940,7 +981,10 @@ Requires: libXcomposite%{?_isa} Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # for java-X-openjdk package's desktop binding +# Where recommendations are available, recommend Gtk+ for the Swing look and feel +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Recommends: gtk3%{?_isa} +%endif Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -979,8 +1023,11 @@ Requires: cups-libs Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} -# for optional support of kernel stream control, card reader and printing bindings +# Where suggestions are available, recommend the sctp and pcsc libraries +# for optional support of kernel stream control and card reader +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} +%endif # Standard JPackage base provides Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} @@ -1010,9 +1057,9 @@ Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk +Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1055,10 +1102,10 @@ Requires(post): %{alternatives_requires} Requires(postun): %{alternatives_requires} # Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %if %is_system_jdk -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %endif } @@ -1092,6 +1139,10 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} Epoch: 1 Summary: %{origin_nice} %{featurever} Runtime Environment +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif # HotSpot code is licensed under GPLv2 # JDK library code is licensed under GPLv2 with the Classpath exception @@ -1153,7 +1204,7 @@ Source17: nss.fips.cfg.in # NSS via SunPKCS11 Provider (disabled comment # due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# enable build of speculative store bypass hardened alt-java +# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) Patch600: rh1750419-redhat_alt_java.patch # Ignore AWTError when assistive technologies are loaded @@ -1185,6 +1236,8 @@ Patch1009: rh1995150-disable_non-fips_crypto.patch # RH1996182: Login to the NSS software token in FIPS mode Patch1010: rh1996182-login_to_nss_software_token.patch Patch1012: rh1996182-extend_security_policy.patch +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +Patch1013: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1015: rh2021263-fips_missing_native_returns.patch @@ -1234,7 +1287,7 @@ BuildRequires: zip BuildRequires: javapackages-filesystem BuildRequires: java-17-openjdk-devel # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif BuildRequires: tzdata-java >= 2015d @@ -1256,6 +1309,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug @@ -1266,7 +1322,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_fastdebug_build} %package fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_rpo -- %{fastdebug_suffix_unquoted}} %description fastdebug @@ -1277,6 +1335,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_normal_build} %package headless Summary: %{origin_nice} %{featurever} Headless Runtime Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_headless_rpo %{nil}} @@ -1287,6 +1348,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_debug_build} %package headless-slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_headless_rpo -- %{debug_suffix_unquoted}} @@ -1298,7 +1362,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_fastdebug_build} %package headless-fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_headless_rpo -- %{fastdebug_suffix_unquoted}} @@ -1310,6 +1376,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_normal_build} %package devel Summary: %{origin_nice} %{featurever} Development Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_devel_rpo %{nil}} @@ -1320,6 +1389,9 @@ The %{origin_nice} %{featurever} development tools. %if %{include_debug_build} %package devel-slowdebug Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_devel_rpo -- %{debug_suffix_unquoted}} @@ -1331,7 +1403,9 @@ The %{origin_nice} %{featurever} development tools. %if %{include_fastdebug_build} %package devel-fastdebug Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Tools +%endif %{java_devel_rpo -- %{fastdebug_suffix_unquoted}} @@ -1380,6 +1454,9 @@ The %{origin_nice} %{featurever} libraries for static linking. %if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{featurever} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_jmods_rpo %{nil}} @@ -1390,6 +1467,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_debug_build} %package jmods-slowdebug Summary: JMods for %{origin_nice} %{featurever} %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_jmods_rpo -- %{debug_suffix_unquoted}} @@ -1401,7 +1481,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_fastdebug_build} %package jmods-fastdebug Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Tools +%endif %{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} @@ -1410,10 +1492,12 @@ The JMods for %{origin_nice} %{featurever}. %{fastdebug_warning} %endif - %if %{include_normal_build} %package demo Summary: %{origin_nice} %{featurever} Demos +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_demo_rpo %{nil}} @@ -1424,6 +1508,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_debug_build} %package demo-slowdebug Summary: %{origin_nice} %{featurever} Demos %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_demo_rpo -- %{debug_suffix_unquoted}} @@ -1435,7 +1522,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_fastdebug_build} %package demo-fastdebug Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_demo_rpo -- %{fastdebug_suffix_unquoted}} @@ -1447,6 +1536,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_normal_build} %package src Summary: %{origin_nice} %{featurever} Source Bundle +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_src_rpo %{nil}} @@ -1458,6 +1550,9 @@ class library source code for use by IDE indexers and debuggers. %if %{include_debug_build} %package src-slowdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_src_rpo -- %{debug_suffix_unquoted}} @@ -1469,7 +1564,9 @@ The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_n %if %{include_fastdebug_build} %package src-fastdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_src_rpo -- %{fastdebug_suffix_unquoted}} @@ -1478,14 +1575,16 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. %endif - %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{featurever} API documentation +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{featurever} API documentation. @@ -1494,16 +1593,28 @@ The %{origin_nice} %{featurever} API documentation. %if %{include_normal_build} %package javadoc-zip Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{featurever} API documentation compressed in a single archive. %endif %prep + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else @@ -1559,6 +1670,7 @@ popd # openjdk %patch1010 %patch1011 %patch1012 +%patch1013 %patch1014 %patch1015 @@ -1572,7 +1684,6 @@ cp -r tapset tapset%{debug_suffix} cp -r tapset tapset%{fastdebug_suffix} %endif - for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` @@ -1642,63 +1753,54 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -export EXTRA_CFLAGS - -for suffix in %{build_loop} ; do -if [ "x$suffix" = "x" ] ; then - debugbuild=release -else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` -fi - -for loop in %{main_suffix} %{staticlibs_loop} ; do - -if test "x${loop}" = "x%{main_suffix}" ; then - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full - # Variable used by configure and hs_err hook on build failures - link_opt="system" - # Debug builds don't need same targets as release for - # build speed-up - maketargets="%{release_targets}" - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +export EXTRA_CFLAGS EXTRA_CPP_FLAGS + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + + # The OpenJDK version file includes the current + # upstream version information. For some reason, + # configure does not automatically use the + # default pre-version supplied there (despite + # what the file claims), so we pass it manually + # to configure + VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf + if [ -f ${VERSION_FILE} ] ; then + EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) + else + echo "Could not find OpenJDK version file."; + exit 16 + fi + if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then + echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; + exit 17 fi -else - # Variable used by configure and hs_err hook on build failures - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" -fi -top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} -top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} -# The OpenJDK version file includes the current -# upstream version information. For some reason, -# configure does not automatically use the -# default pre-version supplied there (despite -# what the file claims), so we pass it manually -# to configure -VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf -if [ -f ${VERSION_FILE} ] ; then - EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) -else - echo "Could not find OpenJDK version file."; - exit 16 -fi -if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then - echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; - exit 17 -fi + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}" -mkdir -p ${top_dir_abs_build_path} -pushd ${top_dir_abs_build_path} + mkdir -p ${outputdir} + pushd ${outputdir} -bash ${top_dir_abs_src_path}/configure \ -%ifnarch %{jit_arches} + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} @@ -1712,9 +1814,9 @@ bash ${top_dir_abs_src_path}/configure \ --with-vendor-url="https://www.redhat.com/" \ --with-vendor-bug-url="%{bugs}" \ --with-vendor-vm-bug-url="%{bugs}" \ - --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ - --with-debug-level=$debugbuild \ - --with-native-debug-symbols=internal \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="%{debug_symbols}" \ --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ @@ -1735,53 +1837,116 @@ bash ${top_dir_abs_src_path}/configure \ %endif --disable-warnings-as-errors -make \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + cat spec.gmk -popd >& /dev/null + make \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) -# Restore original source tree if we modified it by removing full in-tree sources -if [ -d %{top_level_dir_name_backup} ] ; then - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -fi + popd +} -done # end of main / staticlibs loop +function installjdk() { + local imagepath=${1} -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; -# the build (erroneously) removes read permissions from some jars -# this is a regression in OpenJDK 7 (our compiler): -# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; -# Build screws up permissions on binaries -# https://bugs.openjdk.java.net/browse/JDK-8173610 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; -find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ -# Install nss.cfg right away as we will be using the JRE above -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat -# Install nss.cfg right away as we will be using the JRE above -install -m 644 nss.cfg $JAVA_HOME/conf/security/ + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi +} -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif -# Use system-wide tzdata -rm $JAVA_HOME/lib/tzdb.dat -ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat +for suffix in %{build_loop} ; do -# Create fake alt-java as a placeholder for future alt-java -pushd ${JAVA_HOME} -# add alt-java man page -echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 -cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 -popd + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + + + for loop in %{main_suffix} %{staticlibs_loop} ; do + + builddir=%{buildoutputdir -- ${suffix}${loop}} + bootbuilddir=boot${builddir} + + if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Use system libraries + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + rm -rf ${bootbuilddir} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + fi + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} + else + # Use bundled libraries for building statically + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" + # Always just do the one build for the static libraries + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + fi + + done # end of main / staticlibs loop + + # Final setup on the main image + top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} # build cycles done # end of release / debug cycle loop @@ -1832,8 +1997,9 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c %endif +so_suffix="so" # Check debug symbols are present and can identify code -find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib do if [ -f "$lib" ] ; then echo "Testing $lib for debug symbols" @@ -1886,7 +2052,7 @@ done # Make sure gdb can do a backtrace based on line numbers on libjvm.so # javaCalls.cpp:58 should map to: -# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 # Using line number 1 might cause build problems. See: # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 @@ -1894,7 +2060,7 @@ gdb -q "$JAVA_HOME/bin/java" < - 1:17.0.2.0.8-4 +* Fri Feb 18 2022 Andrew Hughes - 1:17.0.2.0.8-6 - Fix FIPS issues in native code and with initialisation of java.security.Security -- Related: rhbz#2039366 - -* Fri Jan 14 2022 Andrew Hughes - 1:17.0.2.0.8-3 +- Resolves: rhbz#2023378 + +* Thu Feb 17 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Resolves: rhbz#2022822 + +* Thu Feb 17 2022 Jiri Vanek - 1:17.0.2.0.8-5 +- Replaced tabs by sets of spaces to make rpmlint happy +- javadoc-zip gets its own provides next to plain javadoc ones +- Resolves: rhbz#2022822 + +* Tue Feb 08 2022 Jiri Vanek - 1:17.0.2.0.8-4 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-3 - Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ - Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository -- Related: rhbz#2039366 +- Related: rhbz#2022822 -* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-2 -- Sync desktop files with upstream IcedTea release 3.15.0 using new script -- Related: rhbz#2039366 +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Severin Gehwolf - 1:17.0.2.0.8-2 +- Set LTS designator. +- Related: rhbz#2022822 * Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 - January 2022 security update to jdk 17.0.2+8 - Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java - Rename libsvml.so to libjsvml.so following JDK-8276025 -- ** This tarball is embargoed until 2022-01-18 @ 1pm PT. ** - Resolves: rhbz#2039366 -* Thu Oct 28 2021 Andrew Hughes - 1:17.0.1.0.12-2 -- Extend LTS check to exclude EPEL. -- Related: rhbz#2013841 - -* Thu Oct 28 2021 Severin Gehwolf - 1:17.0.1.0.12-2 -- Set LTS designator. -- Related: rhbz#2013841 +* Thu Oct 28 2021 Andrew Hughes - 1:17.0.1.0.12-3 +- Sync desktop files with upstream IcedTea release 3.15.0 using new script +- Related: rhbz#2013842 -* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-1 +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 - Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 -- Resolves: rhbz#2013841 +- Resolves: rhbz#2013842 -* Wed Oct 20 2021 Petra Alice Mikova - 1:17.0.1.0.12-1 +* Wed Oct 20 2021 Petra Alice Mikova - 1:17.0.1.0.12-2 - October CPU update to jdk 17.0.1+12 - Dropped commented-out source line -- Resolves: rhbz#2013841 +- Resolves: rhbz#2013842 -* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-4 -- Bump release to avoid conflict with RHEL 8.6. -- Resolves: rhbz#1994084 +* Sun Oct 10 2021 Andrew Hughes - 1:17.0.0.0.35-6 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1994661 -* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-3 -- Update release notes to document the major changes between OpenJDK 11 & 17. -- Resolves: rhbz#1994084 +* Sun Oct 10 2021 Martin Balao - 1:17.0.0.0.35-6 +- Add patch to allow plain key import. +- Resolves: rhbz#1994661 -* Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-2 -- Add JDK-8272332 fix so we actually link against HarfBuzz. -- Resolves: rhbz#1994084 +* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-5 +- Update release notes to document the major changes between OpenJDK 11 & 17. +- Resolves: rhbz#2003072 -* Tue Sep 14 2021 Andrew Hughes - 1:17.0.0.0.35-1 +* Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-3 - Update to jdk-17+35, also known as jdk-17-ga. - Switch to GA mode. -- Resolves: rhbz#1994084 +- Add JDK-8272332 fix so we actually link against HarfBuzz. +- Resolves: rhbz#2003072 +- Resolves: rhbz#2004078 * Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. @@ -2433,7 +2622,7 @@ require "copy_jdk_configs.lua" * Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling - update to 16.0.1+9 april cpu tag -- dropped jdk8259949-allow_cf-protection_on_x86.patch +- dropped jdk8259949-allow_cf-protection_on_x86.patch * Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling - Perform static library build on a separate source tree with bundled image libraries @@ -2481,7 +2670,7 @@ require "copy_jdk_configs.lua" * Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling - many cosmetic changes taken from more maintained jdk11 -- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches +- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches instead of various hardcoded ifarches - updated systemtap - added requires excludes for debug pkgs @@ -2564,7 +2753,7 @@ require "copy_jdk_configs.lua" * Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling - Remove s390x workaround flags for GCC 10 - bump buildjdkver to 14 -- uploaded new src tarball +- uploaded new src tarball * Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling - removed a whitespace causing fail of postinstall script @@ -2584,7 +2773,7 @@ require "copy_jdk_configs.lua" - fix issues with build with GCC10: JDK-8224851, -fcommon switch * Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling -- Add JDK-8224851 patch to resolve aarch64 issues +- Add JDK-8224851 patch to resolve aarch64 issues * Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling - fix Release, as it was broken by last rpmdev-bumpspec @@ -2905,7 +3094,7 @@ require "copy_jdk_configs.lua" - Removed unneeded patches: PStack-808293.patch multiple-pkcs11-library-init.patch - ppc_stack_overflow_fix.patch + ppc_stack_overflow_fix.patch - Added patches for s390 Zero builds: JDK-8201495-s390-java-opts.patch JDK-8201509-s390-atomic_store.patch diff --git a/openjdk-jdk17u-jdk-17.0.2+8.tar.xz b/openjdk-jdk17u-jdk-17.0.2+8.tar.xz deleted file mode 100644 index 594b92a79c2826b9f32f2eff8ae7d7aacac9112a..0000000000000000000000000000000000000000 Binary files a/openjdk-jdk17u-jdk-17.0.2+8.tar.xz and /dev/null differ diff --git a/rh1991003-enable_fips_keys_import.patch b/rh1991003-enable_fips_keys_import.patch new file mode 100644 index 0000000000000000000000000000000000000000..79d2743644e1babffc22e79445e51c5d3df0eee7 --- /dev/null +++ b/rh1991003-enable_fips_keys_import.patch @@ -0,0 +1,579 @@ +commit abcd0954643eddbf826d96291d44a143038ab750 +Author: Martin Balao +Date: Sun Oct 10 18:14:01 2021 +0100 + + RH1991003: Enable the import of plain keys into the NSS software token. + + This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index ce32c939253..dc7020ce668 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -82,6 +82,10 @@ public final class Security { + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } + }); + + // doPrivileged here because there are multiple +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 6aa1419dfd0..ecab722848e 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -55,6 +55,7 @@ final class SystemConfigurator { + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + +@@ -150,6 +151,16 @@ final class SystemConfigurator { + } + loadedProps = true; + systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } + } + } catch (Exception e) { + if (sdebug != null) { +@@ -177,6 +188,19 @@ final class SystemConfigurator { + return systemFipsEnabled; + } + ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ + /* + * OpenJDK FIPS mode will be enabled only if the com.redhat.fips + * system property is true (default) and the system is in FIPS mode. +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +index a31e93ec02e..3f3caac64dc 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java ++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -27,4 +27,5 @@ package jdk.internal.access; + + public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); + } +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..bee3a1e1537 +--- /dev/null ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,291 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 5d3963ea893..42c72b393fd 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 5c0aacd1a67..4d80145cb91 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -152,16 +153,28 @@ public class PKCS11 { + + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +index e2d6d371bec..dc5e7eefdd3 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception { + return "0x" + Functions.toFullHexString((int)errorCode); + } + ++ /** ++ * Constructor taking the error code (the CKR_* constants in PKCS#11) with ++ * no extra info for the error message. ++ */ ++ public PKCS11Exception(long errorCode) { ++ this(errorCode, null); ++ } ++ + /** + * Constructor taking the error code (the CKR_* constants in PKCS#11) and + * extra info for error message. diff --git a/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz b/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz deleted file mode 100644 index bc4e1747e3a003d6e7e64363425c8e286044c792..0000000000000000000000000000000000000000 Binary files a/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz and /dev/null differ