OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=27

java-17-openjdk.changes

@@ -4,17 +4,17 @@ Mon Aug 23 07:16:54 UTC 2021 - Fridrich Strba <fstrba@suse.com>
 - Initial release of the last release candidate of OpenJDK 17,
   the next LTS release of OpenJDK
   * Features:
-    + 306: Restore Always-Strict Floating-Point Semantics
-    + 356: Enhanced Pseudo-Random Number Generators
-    + 382: New macOS Rendering Pipeline
-    + 391: macOS/AArch64 Port
-    + 398: Deprecate the Applet API for Removal
-    + 403: Strongly Encapsulate JDK Internals
-    + 406: Pattern Matching for switch (Preview)
-    + 407: Remove RMI Activation
-    + 409: Sealed Classes
-    + 410: Remove the Experimental AOT and JIT Compiler
-    + 411: Deprecate the Security Manager for Removal
-    + 412: Foreign Function & Memory API (Incubator)
-    + 414: Vector API (Second Incubator)
-    + 415: Context-Specific Deserialization Filters
+    + JEP-306: Restore Always-Strict Floating-Point Semantics
+    + JEP-356: Enhanced Pseudo-Random Number Generators
+    + JEP-382: New macOS Rendering Pipeline
+    + JEP-391: macOS/AArch64 Port
+    + JEP-398: Deprecate the Applet API for Removal
+    + JEP-403: Strongly Encapsulate JDK Internals
+    + JEP-406: Pattern Matching for switch (Preview)
+    + JEP-407: Remove RMI Activation
+    + JEP-409: Sealed Classes
+    + JEP-410: Remove the Experimental AOT and JIT Compiler
+    + JEP-411: Deprecate the Security Manager for Removal
+    + JEP-412: Foreign Function & Memory API (Incubator)
+    + JEP-414: Vector API (Second Incubator)
+    + JEP-415: Context-Specific Deserialization Filters

java-17-openjdk.spec

@@ -123,6 +123,7 @@
 %else
 %global with_systemtap 0
 %endif
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
 %if %{with_systemtap}
 %global tapsetroot      %{_datadir}/systemtap
 %global tapsetdir %{tapsetroot}/tapset/%{_build_cpu}
@@ -157,7 +158,7 @@ Source10:       systemtap-tapset.tar.xz
 # Desktop files. Adapated from IcedTea.
 Source11:       jconsole.desktop.in
 # nss configuration file
-Source13:       nss.cfg
+Source13:       nss.cfg.in
 # Ensure we aren't using the limited crypto policy
 Source14:       TestCryptoLevel.java
 # Ensure ECDSA is working
@@ -204,6 +205,9 @@ Patch12:        adlc-parser.patch
 Patch13:        implicit-pointer-decl.patch
 Patch14:        harfbuzz-libs.patch
 Patch15:        system-pcsclite.patch
+
+Patch16:        system-crypto-policy.patch
+Patch17:        nss-security-provider.patch
 #
 Patch20:        loadAssistiveTechnologies.patch
 #
@@ -245,6 +249,7 @@ BuildRequires:  libjpeg-devel
 BuildRequires:  libpng-devel
 BuildRequires:  libtool
 BuildRequires:  libxslt
+BuildRequires:  mozilla-nss-devel
 BuildRequires:  pkgconfig
 BuildRequires:  unzip
 BuildRequires:  update-desktop-files
@@ -261,14 +266,7 @@ BuildRequires:  pkgconfig(gthread-2.0)
 # Requires rest of java
 Requires:       %{name}-headless = %{version}-%{release}
 Requires:       fontconfig
-# mozilla-nss has to be installed to prevent
-# java.security.ProviderException: Could not initialize NSS
-# ...
-# java.io.FileNotFoundException: /usr/lib64/libnss3.so
-#was bnc#634793
-Requires:       mozilla-nss
 Requires(post): file
-Requires(post): java-ca-certificates
 # Standard JPackage base provides.
 Provides:       java = %{javaver}
 Provides:       java-%{javaver} = %{version}-%{release}
@@ -334,6 +332,8 @@ The OpenJDK %{featurever} runtime environment.
 Summary:        OpenJDK %{featurever} Runtime Environment
 Group:          Development/Languages/Java
 Requires:       jpackage-utils
+Requires(post): java-ca-certificates
+Requires:       mozilla-nss
 # Post requires update-alternatives to install tool update-alternatives.
 Requires(post): update-alternatives
 # Postun requires update-alternatives to uninstall tool update-alternatives.
@@ -485,6 +485,10 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2*
 %patch15 -p1
 %endif
 
+%patch16 -p1
+%patch17 -p1
+
+
 %patch20 -p1
 
 %patch200 -p1
@@ -533,6 +537,9 @@ for file in %{SOURCE11} ; do
     sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
 done
 
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.cfg
+
 %build
 
 %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
@@ -596,6 +603,9 @@ popd >& /dev/null
 
 export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
 
+# Install nss.cfg right away as we will be using the JRE above
+install -m 644 nss.cfg $JAVA_HOME/conf/security/
+
 # Copy tz.properties
 echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties
 
@@ -873,9 +883,6 @@ pushd %{buildoutputdir}/%{imagesdir}
 
 popd
 
-# Install nss.cfg
-install -m 644 %{SOURCE13} %{buildroot}%{_jvmdir}/%{sdkdir}/lib/security/
-
 # Install Javadoc documentation.
 install -d -m 755 %{buildroot}%{_javadocdir}
 cp -a %{buildoutputdir}/images/docs %{buildroot}%{_javadocdir}/%{sdklnk}
@@ -1221,7 +1228,7 @@ fi
 %endif
 
 %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
-%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/nss.cfg
+%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
 %{_jvmdir}/%{sdkdir}/lib/security/default.policy
 %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
 

nss-security-provider.patch

@@ -0,0 +1,10 @@
+--- openjdk/src/java.base/share/conf/security/java.security	2021-03-16 07:15:49.798093653 +0100
++++ openjdk/src/java.base/share/conf/security/java.security	2021-03-16 11:38:01.416893125 +0100
+@@ -60,6 +60,7 @@
+ #
+ # List of providers and their preference orders (see above):
+ #
++security.provider.tbd=SunPKCS11 ${java.home}/conf/security/nss.cfg
+ security.provider.tbd=SUN
+ security.provider.tbd=SunRsaSign
+ security.provider.tbd=SunEC

nss.cfg

@@ -1,4 +0,0 @@
-name = NSS
-nssLibraryDirectory = 
-nssDbMode = noDb
-attributes = compatibility

nss.cfg.in

@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation

system-crypto-policy.patch

@@ -0,0 +1,81 @@
+--- openjdk/src/java.base/share/classes/java/security/Security.java	2021-03-16 07:15:49.742093294 +0100
++++ openjdk/src/java.base/share/classes/java/security/Security.java	2021-03-16 07:16:54.394507360 +0100
+@@ -47,6 +47,9 @@
+  * implementation-specific location, which is typically the properties file
+  * {@code conf/security/java.security} in the Java installation directory.
+  *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+  * @author Benjamin Renaud
+  * @since 1.1
+  */
+@@ -57,6 +60,10 @@
+     private static final Debug sdebug =
+                         Debug.getInstance("properties");
+ 
++    /* System property file*/
++    private static final String SYSTEM_PROPERTIES =
++        "/etc/crypto-policies/back-ends/java.config";
++
+     /* The java.security properties */
+     private static Properties props;
+ 
+@@ -98,6 +105,7 @@
+                 if (sdebug != null) {
+                     sdebug.println("reading security properties file: " +
+                                 propFile);
++                    sdebug.println(props.toString());
+                 }
+             } catch (IOException e) {
+                 if (sdebug != null) {
+@@ -183,6 +191,33 @@
+                 }
+             }
+         }
++
++        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++        if (disableSystemProps == null &&
++            "true".equalsIgnoreCase(props.getProperty
++                ("security.useSystemPropertiesFile"))) {
++
++            // now load the system file, if it exists, so its values
++            // will win if they conflict with the earlier values
++            try (BufferedInputStream bis =
++                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++                props.load(bis);
++                loadedProps = true;
++
++                if (sdebug != null) {
++                    sdebug.println("reading system security properties file " +
++                                   SYSTEM_PROPERTIES);
++                    sdebug.println(props.toString());
++                }
++            } catch (IOException e) {
++                if (sdebug != null) {
++                    sdebug.println
++                        ("unable to load security properties from " +
++                         SYSTEM_PROPERTIES);
++                    e.printStackTrace();
++                }
++            }
++        }
+ 
+         if (!loadedProps) {
+             initializeStatic();
+--- openjdk/src/java.base/share/conf/security/java.security	2021-03-16 07:15:49.798093653 +0100
++++ openjdk/src/java.base/share/conf/security/java.security	2021-03-16 11:38:01.416893125 +0100
+@@ -336,6 +336,13 @@
+ security.overridePropertiesFile=true
+ 
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #