parent
13ae640102
commit
f47ab9c08c
@ -1418,8 +1418,8 @@
|
||||
--- a/src/java.base/share/conf/security/java.security
|
||||
+++ b/src/java.base/share/conf/security/java.security
|
||||
@@ -83,6 +83,17 @@ security.provider.tbd=Apple
|
||||
#endif
|
||||
security.provider.tbd=SunPKCS11
|
||||
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||
|
||||
+#
|
||||
+# Security providers used when FIPS mode support is active
|
||||
|
@ -1,3 +1,19 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 7 14:14:46 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
||||
|
||||
- Recommend mozilla-nss-sysinit in order to have available the
|
||||
/etc/pki/nssdb directory and its content, required in fips mode
|
||||
(bsc#1219662)
|
||||
- Do not install our crafted nss.fips.cfg file, but use the one that
|
||||
the build produces with our fips.patch applied
|
||||
- Removed patch:
|
||||
* nss-security-provider.patch
|
||||
+ this DISABLED nss security provider was not used for years and
|
||||
is largely rendered obsolete by the NSS-FIPS provider
|
||||
- Modified patch:
|
||||
* fips.patch
|
||||
+ adapt to the removal of the nss security provider
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 17 14:03:44 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file
|
||||
# spec file for package java-17-openjdk
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
@ -138,10 +138,6 @@ Source0: https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag
|
||||
Source10: systemtap-tapset.tar.xz
|
||||
# Desktop files. Adapated from IcedTea.
|
||||
Source11: jconsole.desktop.in
|
||||
# nss configuration file
|
||||
Source12: nss.cfg.in
|
||||
# nss fips configuration file
|
||||
Source13: nss.fips.cfg.in
|
||||
# Ensure we aren't using the limited crypto policy
|
||||
Source14: TestCryptoLevel.java
|
||||
# Ensure ECDSA is working
|
||||
@ -168,8 +164,7 @@ Patch13: implicit-pointer-decl.patch
|
||||
# Use SOURCE_DATE_EPOCH in timestamp when writing properties
|
||||
Patch14: reproducible-properties.patch
|
||||
Patch15: system-pcsclite.patch
|
||||
Patch16: nss-security-provider.patch
|
||||
Patch17: fips.patch
|
||||
Patch16: fips.patch
|
||||
#
|
||||
Patch20: loadAssistiveTechnologies.patch
|
||||
#
|
||||
@ -289,9 +284,10 @@ Requires: jpackage-utils
|
||||
Requires: mozilla-nss
|
||||
# Post requires update-alternatives to install tool update-alternatives.
|
||||
Requires(post): update-alternatives
|
||||
Requires(posttrans):java-ca-certificates
|
||||
Requires(posttrans): java-ca-certificates
|
||||
# Postun requires update-alternatives to uninstall tool update-alternatives.
|
||||
Requires(postun):update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
Recommends: mozilla-nss-sysinit
|
||||
Recommends: tzdata-java8
|
||||
Obsoletes: %{name}-accessibility
|
||||
%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
|
||||
@ -327,7 +323,7 @@ Requires: %{name} = %{version}-%{release}
|
||||
# Post requires update-alternatives to install tool update-alternatives.
|
||||
Requires(post): update-alternatives
|
||||
# Postun requires update-alternatives to uninstall tool update-alternatives.
|
||||
Requires(postun):update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
|
||||
# Standard JPackage devel provides.
|
||||
Provides: java-%{javaver}-devel = %{version}
|
||||
@ -373,7 +369,7 @@ Requires: jpackage-utils
|
||||
# Post requires update-alternatives to install javadoc alternative.
|
||||
Requires(post): update-alternatives
|
||||
# Postun requires update-alternatives to uninstall javadoc alternative.
|
||||
Requires(postun):update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
BuildArch: noarch
|
||||
%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
|
||||
# Standard JPackage javadoc provides.
|
||||
@ -415,7 +411,6 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2*
|
||||
%endif
|
||||
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
|
||||
%patch20 -p1
|
||||
|
||||
@ -459,13 +454,6 @@ for file in %{SOURCE11} ; do
|
||||
sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
|
||||
done
|
||||
|
||||
# Setup nss.cfg
|
||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg
|
||||
|
||||
# Setup nss.fips.cfg
|
||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg
|
||||
sed -i -e "s:@NSS_SECMOD@:sql\:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg
|
||||
|
||||
%build
|
||||
|
||||
%ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
|
||||
@ -534,12 +522,6 @@ popd >& /dev/null
|
||||
|
||||
export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
|
||||
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg $JAVA_HOME/conf/security/
|
||||
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
|
||||
|
||||
# Copy tz.properties
|
||||
echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties
|
||||
|
||||
@ -972,7 +954,6 @@ fi
|
||||
%endif
|
||||
|
||||
%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
|
||||
%{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
|
||||
%{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
|
||||
%{_jvmdir}/%{sdkdir}/lib/security/default.policy
|
||||
%{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
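Review bot: `Recommends: mozilla-nss-sysinit` in the main package's dependency list is only a weak dependency, while the changelog entry for this commit says the /etc/pki/nssdb directory it provides is required in FIPS mode. An installation that skips recommended packages (minimal images, container builds) would presumably enter FIPS mode without the NSS database the NSS-FIPS configuration points at; how the provider behaves then is not visible here, so confirm it fails closed rather than falling back to non-FIPS providers. Either make it a hard dependency, `Requires: mozilla-nss-sysinit`, or keep the weak form and record the reason above it, e.g. `# Provides /etc/pki/nssdb, needed by the NSS-FIPS provider in FIPS mode (bsc#1219662)`. This section also drops the explicit `conf/security/nss.fips.cfg` entry from the file list while the changelog says the build-generated file is now used, so check that the generated file is still covered by another `%files` entry.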
|
||||
|
@ -1,10 +0,0 @@
|
||||
--- a/src/java.base/share/conf/security/java.security
|
||||
+++ b/src/java.base/share/conf/security/java.security
|
||||
@@ -81,6 +81,7 @@ security.provider.tbd=SunMSCAPI
|
||||
security.provider.tbd=Apple
|
||||
#endif
|
||||
security.provider.tbd=SunPKCS11
|
||||
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
|
||||
|
||||
#
|
||||
# A list of preferred providers for specific algorithms. These providers will
|
@ -1,5 +0,0 @@
|
||||
name = NSS
|
||||
nssLibraryDirectory = @NSS_LIBDIR@
|
||||
nssDbMode = noDb
|
||||
attributes = compatibility
|
||||
handleStartupErrors = ignoreMultipleInitialisation
|
@ -1,8 +0,0 @@
|
||||
name = NSS-FIPS
|
||||
nssLibraryDirectory = @NSS_LIBDIR@
|
||||
nssSecmodDirectory = sql:/etc/pki/nssdb
|
||||
nssDbMode = readOnly
|
||||
nssModule = fips
|
||||
|
||||
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
||||
|