OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-17-openjdk?expand=0&rev=125

fips.patch

@@ -1418,8 +1418,8 @@
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
 @@ -83,6 +83,17 @@ security.provider.tbd=Apple
+ #endif
  security.provider.tbd=SunPKCS11
- #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
  
 +#
 +# Security providers used when FIPS mode support is active

java-17-openjdk.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Feb  7 14:14:46 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Recommend mozilla-nss-sysinit in order to have available the
+  /etc/pki/nssdb directory and its content, required in fips mode
+  (bsc#1219662)
+- Do not install our crafted nss.fips.cfg file, but use the one that
+  the build produces with our fips.patch applied
+- Removed patch:
+  * nss-security-provider.patch
+    + this DISABLED nss security provider was not used for years and
+      is largely rendered obsolete by the NSS-FIPS provider
+- Modified patch:
+  * fips.patch
+    + adapt to the removal of the nss security provider
+
 -------------------------------------------------------------------
 Wed Jan 17 14:03:44 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 

java-17-openjdk.spec

@@ -1,5 +1,5 @@
 #
-# spec file
+# spec file for package java-17-openjdk
 #
 # Copyright (c) 2024 SUSE LLC
 #
@@ -138,10 +138,6 @@ Source0:        https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag
 Source10:       systemtap-tapset.tar.xz
 # Desktop files. Adapated from IcedTea.
 Source11:       jconsole.desktop.in
-# nss configuration file
-Source12:       nss.cfg.in
-# nss fips configuration file
-Source13:       nss.fips.cfg.in
 # Ensure we aren't using the limited crypto policy
 Source14:       TestCryptoLevel.java
 # Ensure ECDSA is working
@@ -168,8 +164,7 @@ Patch13:        implicit-pointer-decl.patch
 # Use SOURCE_DATE_EPOCH in timestamp when writing properties
 Patch14:        reproducible-properties.patch
 Patch15:        system-pcsclite.patch
-Patch16:        nss-security-provider.patch
-Patch17:        fips.patch
+Patch16:        fips.patch
 #
 Patch20:        loadAssistiveTechnologies.patch
 #
@@ -289,9 +284,10 @@ Requires:       jpackage-utils
 Requires:       mozilla-nss
 # Post requires update-alternatives to install tool update-alternatives.
 Requires(post): update-alternatives
-Requires(posttrans):java-ca-certificates
+Requires(posttrans): java-ca-certificates
 # Postun requires update-alternatives to uninstall tool update-alternatives.
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
+Recommends:     mozilla-nss-sysinit
 Recommends:     tzdata-java8
 Obsoletes:      %{name}-accessibility
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
@@ -327,7 +323,7 @@ Requires:       %{name} = %{version}-%{release}
 # Post requires update-alternatives to install tool update-alternatives.
 Requires(post): update-alternatives
 # Postun requires update-alternatives to uninstall tool update-alternatives.
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
 # Standard JPackage devel provides.
 Provides:       java-%{javaver}-devel = %{version}
@@ -373,7 +369,7 @@ Requires:       jpackage-utils
 # Post requires update-alternatives to install javadoc alternative.
 Requires(post): update-alternatives
 # Postun requires update-alternatives to uninstall javadoc alternative.
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 BuildArch:      noarch
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
 # Standard JPackage javadoc provides.
@@ -415,7 +411,6 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2*
 %endif
 
 %patch16 -p1
-%patch17 -p1
 
 %patch20 -p1
 
@@ -459,13 +454,6 @@ for file in %{SOURCE11} ; do
     sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
 done
 
-# Setup nss.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg
-
-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg
-sed -i -e "s:@NSS_SECMOD@:sql\:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg
-
 %build
 
 %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
@@ -534,12 +522,6 @@ popd >& /dev/null
 
 export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
 
-# Install nss.cfg right away as we will be using the JRE above
-install -m 644 nss.cfg $JAVA_HOME/conf/security/
-
-# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
-
 # Copy tz.properties
 echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties
 
@@ -972,7 +954,6 @@ fi
 %endif
 
 %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
-%{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
 %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
 %{_jvmdir}/%{sdkdir}/lib/security/default.policy
 %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat

nss-security-provider.patch

@@ -1,10 +0,0 @@
---- a/src/java.base/share/conf/security/java.security
-+++ b/src/java.base/share/conf/security/java.security
-@@ -81,6 +81,7 @@ security.provider.tbd=SunMSCAPI
- security.provider.tbd=Apple
- #endif
- security.provider.tbd=SunPKCS11
-+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
- 
- #
- # A list of preferred providers for specific algorithms. These providers will

nss.cfg.in

@@ -1,5 +0,0 @@
-name = NSS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssDbMode = noDb
-attributes = compatibility
-handleStartupErrors = ignoreMultipleInitialisation

nss.fips.cfg.in

@@ -1,8 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = sql:/etc/pki/nssdb
-nssDbMode = readOnly
-nssModule = fips
-
-attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-