From 526841b89375beea8445c5b77cdd8289950a482c5e4cabccd6e0f7fa12d80e71 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Wed, 24 May 2023 13:50:33 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=99
---
 java-17-openjdk.changes | 6 ++++++
 java-17-openjdk.spec | 9 +++++++++
 nss.fips.cfg.in | 8 ++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 nss.fips.cfg.in
diff --git a/java-17-openjdk.changes b/java-17-openjdk.changes
index cabd0c8..ff5b366 100644
--- a/java-17-openjdk.changes
+++ b/java-17-openjdk.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed May 24 13:47:09 UTC 2023 - Fridrich Strba
+
+- Bring back our nss.fips.cfg file, since the variable expansion
+ in the upstream file does not work (fixes: bsc#1211679)
+
 -------------------------------------------------------------------
 Thu May 11 12:52:16 UTC 2023 - jsilva@suse.com
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 2e68976..78d9d3e 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -139,6 +139,8 @@ Source10: systemtap-tapset.tar.xz
 Source11: jconsole.desktop.in
 # nss configuration file
 Source12: nss.cfg.in
+# nss fips configuration file
+Source13: nss.fips.cfg.in
 # Ensure we aren't using the limited crypto policy
 Source14: TestCryptoLevel.java
 # Ensure ECDSA is working
@@ -452,6 +454,10 @@ done
 # Setup nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg
+sed -i -e "s:@NSS_SECMOD@:sql\:/etc/pki/nssdb:g" nss.fips.cfg
+
 %build
 %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
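Review bot: The second substitution added in the `@@ -452,6 +454,10 @@` hunk, `sed -i -e "s:@NSS_SECMOD@:sql\:/etc/pki/nssdb:g" nss.fips.cfg`, has nothing to replace. The nss.fips.cfg.in added by this same patch hard-codes `nssSecmodDirectory = sql:/etc/pki/nssdb` and contains no `@NSS_SECMOD@` token. Either put the placeholder in the template (`nssSecmodDirectory = @NSS_SECMOD@`) so the database path is set in one place, or drop the sed line. As written, a reader of the spec would assume the FIPS database location is configurable here when it is not. The surrounding %prep section starts before and continues after this hunk, so other uses of the token cannot be ruled out from here.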
@@ -513,6 +519,9 @@ export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
 # Install nss.cfg right away as we will be using the JRE above
 install -m 644 nss.cfg $JAVA_HOME/conf/security/
+# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
+
 # Copy tz.properties
 echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
new file mode 100644
index 0000000..27b8c5d
--- /dev/null
+++ b/nss.fips.cfg.in
@@ -0,0 +1,8 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
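Review bot: Nothing after the added `install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/` in the `@@ -513,6 +519,9 @@` hunk of java-17-openjdk.spec checks that this copy is the one that ends up in the package. The changelog says the upstream nss.fips.cfg has broken variable expansion, so if a later build or image step regenerates conf/security/nss.fips.cfg, the package would silently ship the broken file again. That cannot be confirmed from this hunk, which ends before the rest of %build. A cheap guard late in the build would be `grep -q '^nssSecmodDirectory = sql:/etc/pki/nssdb' $JAVA_HOME/conf/security/nss.fips.cfg`.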
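Review bot: The new nss.fips.cfg.in points `nssSecmodDirectory` at the system database `sql:/etc/pki/nssdb` and opens it with `nssDbMode = readOnly`, so the provider presumably can only initialise if that database already exists on the target. None of the spec hunks in this patch add a dependency on whatever creates it, which is worth confirming outside this diff. The file also carries no comments. A header such as `# SunPKCS11 configuration used when the system is in FIPS mode` would help the next maintainer, as would a line above `attributes(...)` saying why `CKA_SIGN=true` is forced on generic secret keys (presumably so they can be used for HMAC).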