diff --git a/fips.patch b/fips.patch
index 19f6b08..b498b42 100644
--- a/fips.patch
+++ b/fips.patch
@@ -1418,8 +1418,8 @@
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
 @@ -83,6 +83,17 @@ security.provider.tbd=Apple
+ #endif
 security.provider.tbd=SunPKCS11
- #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 +#
 +# Security providers used when FIPS mode support is active
diff --git a/java-17-openjdk.changes b/java-17-openjdk.changes
index 4e1ab8d..deb8b55 100644
--- a/java-17-openjdk.changes
+++ b/java-17-openjdk.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Feb 7 14:14:46 UTC 2024 - Fridrich Strba
+
+- Recommend mozilla-nss-sysinit in order to have available the
+ /etc/pki/nssdb directory and its content, required in fips mode
+ (bsc#1219662)
+- Do not install our crafted nss.fips.cfg file, but use the one that
+ the build produces with our fips.patch applied
+- Removed patch:
+ * nss-security-provider.patch
+ + this DISABLED nss security provider was not used for years and
+ is largely rendered obsolete by the NSS-FIPS provider
+- Modified patch:
+ * fips.patch
+ + adapt to the removal of the nss security provider
+
 -------------------------------------------------------------------
 Wed Jan 17 14:03:44 UTC 2024 - Fridrich Strba
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index f1ccabd..05498ce 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -1,5 +1,5 @@
 #
-# spec file
+# spec file for package java-17-openjdk
 #
 # Copyright (c) 2024 SUSE LLC
 #
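Review bot: The embedded java.security hunk keeps its header `@@ -83,6 +83,17 @@ security.provider.tbd=Apple` as an unchanged context line although the lines below it now swap ` #endif` in for the dropped `#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg` context; if the start line of that hunk moved when the nss-security-provider.patch line disappeared, `%patch16 -p1` will still apply it, but only through patch(1)'s offset handling, which a later context change can turn into a fuzz failure. Prefer regenerating fips.patch against the patched tree (for example with `quilt refresh`) so header and context match exactly. The embedded hunk extends past the eight lines visible in this outer hunk, so its remaining context lines should be rechecked as well.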
@@ -138,10 +138,6 @@ Source0: https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag
 Source10: systemtap-tapset.tar.xz
 # Desktop files. Adapated from IcedTea.
 Source11: jconsole.desktop.in
-# nss configuration file
-Source12: nss.cfg.in
-# nss fips configuration file
-Source13: nss.fips.cfg.in
 # Ensure we aren't using the limited crypto policy
 Source14: TestCryptoLevel.java
 # Ensure ECDSA is working
@@ -168,8 +164,7 @@ Patch13: implicit-pointer-decl.patch
 # Use SOURCE_DATE_EPOCH in timestamp when writing properties
 Patch14: reproducible-properties.patch
 Patch15: system-pcsclite.patch
-Patch16: nss-security-provider.patch
-Patch17: fips.patch
+Patch16: fips.patch
 # Patch20: loadAssistiveTechnologies.patch
 #
@@ -289,9 +284,10 @@ Requires: jpackage-utils
 Requires: mozilla-nss
 # Post requires update-alternatives to install tool update-alternatives.
 Requires(post): update-alternatives
-Requires(posttrans):java-ca-certificates
+Requires(posttrans): java-ca-certificates
 # Postun requires update-alternatives to uninstall tool update-alternatives.
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
+Recommends: mozilla-nss-sysinit
 Recommends: tzdata-java8
 Obsoletes: %{name}-accessibility
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
@@ -327,7 +323,7 @@ Requires: %{name} = %{version}-%{release}
 # Post requires update-alternatives to install tool update-alternatives.
 Requires(post): update-alternatives
 # Postun requires update-alternatives to uninstall tool update-alternatives.
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
 # Standard JPackage devel provides.
 Provides: java-%{javaver}-devel = %{version}
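Review bot: `Recommends: mozilla-nss-sysinit` in the `@@ -289,9 +284,10 @@` hunk is only a soft dependency, yet the changelog calls `/etc/pki/nssdb` required in FIPS mode and the deleted nss.fips.cfg.in pointed `nssSecmodDirectory` at exactly that database. On an installation done with recommends disabled the NSS-FIPS provider would then presumably fail to initialise, so a JVM expected to run in FIPS mode may end up without it; whether that degrades to the default providers or aborts cannot be determined from this diff. Either promote the dependency to `Requires: mozilla-nss-sysinit` or add a comment above the `Recommends:` line recording the trade-off, e.g. `# NSS-FIPS provider reads /etc/pki/nssdb, shipped by mozilla-nss-sysinit (bsc#1219662)`.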
@@ -373,7 +369,7 @@ Requires: jpackage-utils
 # Post requires update-alternatives to install javadoc alternative.
 Requires(post): update-alternatives
 # Postun requires update-alternatives to uninstall javadoc alternative.
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 BuildArch: noarch
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
 # Standard JPackage javadoc provides.
@@ -415,7 +411,6 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2*
 %endif
 %patch16 -p1
-%patch17 -p1
 %patch20 -p1
@@ -459,13 +454,6 @@ for file in %{SOURCE11} ; do
 sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
 done
-# Setup nss.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg
-
-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg
-sed -i -e "s:@NSS_SECMOD@:sql\:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg
-
 %build
 %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
@@ -534,12 +522,6 @@ popd >& /dev/null
 export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
-# Install nss.cfg right away as we will be using the JRE above
-install -m 644 nss.cfg $JAVA_HOME/conf/security/
-
-# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
-
 # Copy tz.properties
 echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties
@@ -972,7 +954,6 @@ fi
 %endif
 %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
-%{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
 %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
 %{_jvmdir}/%{sdkdir}/lib/security/default.policy
 %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
diff --git a/nss-security-provider.patch b/nss-security-provider.patch
deleted file mode 100644
index 745e731..0000000
--- a/nss-security-provider.patch
+++ /dev/null
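Review bot: With the `sed` substitutions in the `@@ -459,13 +454,6 @@` hunk gone, nothing in the spec injects `%{NSS_LIBDIR}` or `sql:%{_sysconfdir}/pki/nssdb` into nss.fips.cfg any more, while `%files` still ships `%{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg`; the build-generated file that fips.patch produces must therefore carry the equivalent of the deleted nss.fips.cfg.in settings (`nssSecmodDirectory = sql:/etc/pki/nssdb`, `nssDbMode = readOnly`, `nssModule = fips` and the CKA_SIGN attributes line), and since that generated file is not visible in this diff it should be confirmed explicitly. The same holds for the removed `install` lines in `@@ -534,12 +522,6 @@`: the build output is now the only source of that file, and a build that stops producing it will only be caught when `%files` fails. If `NSS_LIBDIR` is no longer referenced anywhere else in the spec, its definition (outside this diff) can be dropped as well.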
@@ -1,10 +0,0 @@
---- a/src/java.base/share/conf/security/java.security
-+++ b/src/java.base/share/conf/security/java.security
-@@ -81,6 +81,7 @@ security.provider.tbd=SunMSCAPI
- security.provider.tbd=Apple
- #endif
- security.provider.tbd=SunPKCS11
-+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
- #
- # A list of preferred providers for specific algorithms. These providers will
diff --git a/nss.cfg.in b/nss.cfg.in
deleted file mode 100644
index fe53560..0000000
--- a/nss.cfg.in
+++ /dev/null
@@ -1,5 +0,0 @@
-name = NSS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssDbMode = noDb
-attributes = compatibility
-handleStartupErrors = ignoreMultipleInitialisation
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
deleted file mode 100644
index 27b8c5d..0000000
--- a/nss.fips.cfg.in
+++ /dev/null
@@ -1,8 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = sql:/etc/pki/nssdb
-nssDbMode = readOnly
-nssModule = fips
-
-attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-