From cd1a64e40b4ff3ddc557af71b4fb7496f9a2e5e46dc4aaaa1865f10b03f4ec5d Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Mon, 23 Aug 2021 08:04:31 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=27
---
java-17-openjdk.changes | 28 ++++++-------
java-17-openjdk.spec | 31 ++++++++------
nss-security-provider.patch | 10 +++++
nss.cfg | 4 --
nss.cfg.in | 5 +++
system-crypto-policy.patch | 81 +++++++++++++++++++++++++++++++++++++
6 files changed, 129 insertions(+), 30 deletions(-)
create mode 100644 nss-security-provider.patch
delete mode 100644 nss.cfg
create mode 100644 nss.cfg.in
create mode 100644 system-crypto-policy.patch
diff --git a/java-17-openjdk.changes b/java-17-openjdk.changes
index 4bb4385..e9adf3f 100644
--- a/java-17-openjdk.changes
+++ b/java-17-openjdk.changes
@@ -4,17 +4,17 @@ Mon Aug 23 07:16:54 UTC 2021 - Fridrich Strba - Initial release of the last release candidate of OpenJDK 17, the next LTS release of OpenJDK * Features: - + 306: Restore Always-Strict Floating-Point Semantics - + 356: Enhanced Pseudo-Random Number Generators - + 382: New macOS Rendering Pipeline - + 391: macOS/AArch64 Port - + 398: Deprecate the Applet API for Removal - + 403: Strongly Encapsulate JDK Internals - + 406: Pattern Matching for switch (Preview) - + 407: Remove RMI Activation - + 409: Sealed Classes - + 410: Remove the Experimental AOT and JIT Compiler - + 411: Deprecate the Security Manager for Removal - + 412: Foreign Function & Memory API (Incubator) - + 414: Vector API (Second Incubator) - + 415: Context-Specific Deserialization Filters + + JEP-306: Restore Always-Strict Floating-Point Semantics + + JEP-356: Enhanced Pseudo-Random Number Generators + + JEP-382: New macOS Rendering Pipeline + + JEP-391: macOS/AArch64 Port + + JEP-398: Deprecate the Applet API for Removal + + JEP-403: Strongly Encapsulate JDK Internals + + JEP-406: Pattern Matching for switch (Preview) + + JEP-407: Remove RMI Activation + + JEP-409: Sealed Classes + + JEP-410: Remove the Experimental AOT and JIT Compiler + + JEP-411: Deprecate the Security Manager for Removal + + JEP-412: Foreign Function & Memory API (Incubator) + + JEP-414: Vector API (Second Incubator) + + JEP-415: Context-Specific Deserialization Filters diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 741521f..dd36435 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -123,6 +123,7 @@ %else %global with_systemtap 0 %endif +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) %if %{with_systemtap} %global tapsetroot %{_datadir}/systemtap %global tapsetdir %{tapsetroot}/tapset/%{_build_cpu} 
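Review bot: `%global NSS_LIBDIR %(pkg-config --variable=libdir nss)` expands to an empty string whenever pkg-config or the nss .pc file is unavailable when the spec is parsed, and nothing downstream checks for that. The `sed` in the later `# Setup nss.cfg` hunk would then write `nssLibraryDirectory = ` with no value, the same empty setting the deleted nss.cfg carried, and the build would still succeed. A guard in %prep just before that sed, e.g. `test -n "%{NSS_LIBDIR}" || { echo "NSS libdir not found" >&2; exit 1; }`, makes the failure visible at build time instead of at JVM startup.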
@@ -157,7 +158,7 @@ Source10: systemtap-tapset.tar.xz # Desktop files. Adapated from IcedTea. Source11: jconsole.desktop.in # nss configuration file -Source13: nss.cfg +Source13: nss.cfg.in # Ensure we aren't using the limited crypto policy Source14: TestCryptoLevel.java # Ensure ECDSA is working @@ -204,6 +205,9 @@ Patch12: adlc-parser.patch Patch13: implicit-pointer-decl.patch Patch14: harfbuzz-libs.patch Patch15: system-pcsclite.patch + +Patch16: system-crypto-policy.patch +Patch17: nss-security-provider.patch # Patch20: loadAssistiveTechnologies.patch # @@ -245,6 +249,7 @@ BuildRequires: libjpeg-devel BuildRequires: libpng-devel BuildRequires: libtool BuildRequires: libxslt +BuildRequires: mozilla-nss-devel BuildRequires: pkgconfig BuildRequires: unzip BuildRequires: update-desktop-files @@ -261,14 +266,7 @@ BuildRequires: pkgconfig(gthread-2.0) # Requires rest of java Requires: %{name}-headless = %{version}-%{release} Requires: fontconfig -# mozilla-nss has to be installed to prevent -# java.security.ProviderException: Could not initialize NSS -# ... -# java.io.FileNotFoundException: /usr/lib64/libnss3.so -#was bnc#634793 -Requires: mozilla-nss Requires(post): file -Requires(post): java-ca-certificates # Standard JPackage base provides. Provides: java = %{javaver} Provides: java-%{javaver} = %{version}-%{release} @@ -334,6 +332,8 @@ The OpenJDK %{featurever} runtime environment. Summary: OpenJDK %{featurever} Runtime Environment Group: Development/Languages/Java Requires: jpackage-utils +Requires(post): java-ca-certificates +Requires: mozilla-nss # Post requires update-alternatives to install tool update-alternatives. Requires(post): update-alternatives # Postun requires update-alternatives to uninstall tool update-alternatives. @@ -485,6 +485,10 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2* %patch15 -p1 %endif +%patch16 -p1 +%patch17 -p1 + + %patch20 -p1 %patch200 -p1 
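Review bot: The `Requires: mozilla-nss` line added to what appears to be the headless subpackage has lost the comment that used to explain the dependency, and the reason for it has changed with this commit. Since nss-security-provider.patch registers SunPKCS11 with `conf/security/nss.cfg` in java.security, a short comment above the line such as `# SunPKCS11 is enabled in java.security via conf/security/nss.cfg and loads the NSS libraries at runtime` would keep the dependency from being dropped later as unused.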
@@ -533,6 +537,9 @@ for file in %{SOURCE11} ; do sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE done +# Setup nss.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.cfg + %build %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64} @@ -596,6 +603,9 @@ popd >& /dev/null export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk +# Install nss.cfg right away as we will be using the JRE above +install -m 644 nss.cfg $JAVA_HOME/conf/security/ + # Copy tz.properties echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties @@ -873,9 +883,6 @@ pushd %{buildoutputdir}/%{imagesdir} popd -# Install nss.cfg -install -m 644 %{SOURCE13} %{buildroot}%{_jvmdir}/%{sdkdir}/lib/security/ - # Install Javadoc documentation. install -d -m 755 %{buildroot}%{_javadocdir} cp -a %{buildoutputdir}/images/docs %{buildroot}%{_javadocdir}/%{sdklnk} @@ -1221,7 +1228,7 @@ fi %endif %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs -%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/nss.cfg +%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg %{_jvmdir}/%{sdkdir}/lib/security/default.policy %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat diff --git a/nss-security-provider.patch b/nss-security-provider.patch new file mode 100644 index 0000000..b6deee8 --- /dev/null +++ b/nss-security-provider.patch @@ -0,0 +1,10 @@ +--- openjdk/src/java.base/share/conf/security/java.security 2021-03-16 07:15:49.798093653 +0100 ++++ openjdk/src/java.base/share/conf/security/java.security 2021-03-16 11:38:01.416893125 +0100 +@@ -60,6 +60,7 @@ + # + # List of providers and their preference orders (see above): + # ++security.provider.tbd=SunPKCS11 ${java.home}/conf/security/nss.cfg + security.provider.tbd=SUN + security.provider.tbd=SunRsaSign + security.provider.tbd=SunEC diff --git a/nss.cfg b/nss.cfg deleted file mode 100644 index 74d461d..0000000 --- a/nss.cfg +++ /dev/null 
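Review bot: In nss-security-provider.patch the added `security.provider.tbd=SunPKCS11 ${java.home}/conf/security/nss.cfg` line sits above SUN, so the NSS-backed provider becomes the most-preferred provider for every algorithm it offers, and the patch does not say that this is intended. Because preference order decides which implementation an unqualified `getInstance` call receives, this changes default crypto behaviour for all applications on the JRE, not only those that ask for PKCS11. I would add a comment line above the entry, e.g. `# NSS via SunPKCS11 is deliberately listed first; see conf/security/nss.cfg`, and it is worth confirming how startup behaves if the configured NSS library directory is wrong or missing.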
@@ -1,4 +0,0 @@ -name = NSS -nssLibraryDirectory = -nssDbMode = noDb -attributes = compatibility diff --git a/nss.cfg.in b/nss.cfg.in new file mode 100644 index 0000000..fe53560 --- /dev/null +++ b/nss.cfg.in @@ -0,0 +1,5 @@ +name = NSS +nssLibraryDirectory = @NSS_LIBDIR@ +nssDbMode = noDb +attributes = compatibility +handleStartupErrors = ignoreMultipleInitialisation diff --git a/system-crypto-policy.patch b/system-crypto-policy.patch new file mode 100644 index 0000000..348f8e2 --- /dev/null +++ b/system-crypto-policy.patch @@ -0,0 +1,81 @@ +--- openjdk/src/java.base/share/classes/java/security/Security.java 2021-03-16 07:15:49.742093294 +0100 ++++ openjdk/src/java.base/share/classes/java/security/Security.java 2021-03-16 07:16:54.394507360 +0100 +@@ -47,6 +47,9 @@ + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ +@@ -57,6 +60,10 @@ + private static final Debug sdebug = + Debug.getInstance("properties"); + ++ /* System property file*/ ++ private static final String SYSTEM_PROPERTIES = ++ "/etc/crypto-policies/back-ends/java.config"; ++ + /* The java.security properties */ + private static Properties props; + +@@ -98,6 +105,7 @@ + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -183,6 +191,33 @@ + } + } + } ++ ++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); ++ if (disableSystemProps == null && ++ "true".equalsIgnoreCase(props.getProperty ++ ("security.useSystemPropertiesFile"))) { ++ ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ try (BufferedInputStream bis = ++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { ++ props.load(bis); ++ loadedProps = true; ++ ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ SYSTEM_PROPERTIES); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println ++ ("unable to load security properties from " + ++ SYSTEM_PROPERTIES); ++ e.printStackTrace(); ++ } ++ } ++ } + + if (!loadedProps) { + initializeStatic(); +--- openjdk/src/java.base/share/conf/security/java.security 2021-03-16 07:15:49.798093653 +0100 ++++ openjdk/src/java.base/share/conf/security/java.security 2021-03-16 11:38:01.416893125 +0100 +@@ -336,6 +336,13 @@ + security.overridePropertiesFile=true + + # ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=true ++ ++# + # Determines the default key and trust manager factory 
algorithms for + # the javax.net.ssl package. + #
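Review bot: In the Security.java part of this patch, the check `disableSystemProps == null` means `java.security.disableSystemPropertiesFile` turns the system policy off when set to any value, including `false`, and the java.security comment added further down does not mention the switch at all. The `catch (IOException e)` branch also reports nothing unless the `properties` debug option is on, so a missing or unreadable `/etc/crypto-policies/back-ends/java.config` leaves the JVM on the JDK defaults without any signal to the administrator. I would extend the comment above `security.useSystemPropertiesFile=true` with `# Setting the system property java.security.disableSystemPropertiesFile (to any value) skips this file.` and a second line stating that the file is skipped silently when it cannot be read. The enclosing method in Security.java starts and ends outside the patch context.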