Accepting request 1144979 from Java:Factory

Fips related fixes OBS-URL: https://build.opensuse.org/request/show/1144979 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/java-21-openjdk?expand=0&rev=8
2024-02-08 18:01:45 +00:00 · 2024-02-08 18:01:45 +00:00 · a14532fe55
commit a14532fe55
parent 7555b028d9 49fde4f730
6 changed files with 20 additions and 44 deletions
--- a/fips.patch
+++ b/fips.patch
@ -1983,8 +1983,8 @@ index 5149edba0e5..8227d650a03 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
@@ -86,6 +86,17 @@ security.provider.tbd=Apple
+ #endif
 security.provider.tbd=SunPKCS11
- #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 
 +#
 +# Security providers used when FIPS mode support is active
--- a/java-21-openjdk.changes
+++ b/java-21-openjdk.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Feb  7 13:59:23 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Recommend mozilla-nss-sysinit in order to have available the
+  /etc/pki/nssdb directory and its content, required in fips mode
+  (bsc#1219662)
+- Do not install our crafted nss.fips.cfg file, but use the one that
+  the build produces with our fips.patch applied
+- Removed patch:
+  * nss-security-provider.patch
+    + this DISABLED nss security provider was not used for years and
+      is largely rendered obsolete by the NSS-FIPS provider
+- Modified patch:
+  * fips.patch
+    + adapt to the removal of the nss security provider
+
 -------------------------------------------------------------------
 Wed Jan 24 08:16:42 UTC 2024 - Fridrich Strba <fstrba@suse.com>

--- a/java-21-openjdk.spec
+++ b/java-21-openjdk.spec
@ -134,10 +134,6 @@ Source0:        https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag
 Source10:       systemtap-tapset.tar.xz
 # Desktop files. Adapated from IcedTea.
 Source11:       jconsole.desktop.in
-# nss configuration file
-Source12:       nss.cfg.in
-# nss fips configuration file
-Source13:       nss.fips.cfg.in
 # Ensure we aren't using the limited crypto policy
 Source14:       TestCryptoLevel.java
 # Ensure ECDSA is working
@ -163,8 +159,7 @@ Patch12:        adlc-parser.patch
 # Fix: implicit-pointer-decl
 Patch13:        implicit-pointer-decl.patch
 Patch15:        system-pcsclite.patch
-Patch17:        nss-security-provider.patch
-Patch18:        fips.patch
+Patch16:        fips.patch
 #
 Patch20:        loadAssistiveTechnologies.patch
 #
@ -282,6 +277,7 @@ Requires(post): update-alternatives
 Requires(posttrans): java-ca-certificates
 # Postun requires update-alternatives to uninstall tool update-alternatives.
 Requires(postun): update-alternatives
+Recommends:     mozilla-nss-sysinit
 Recommends:     tzdata-java8
 Obsoletes:      %{name}-accessibility
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
@ -404,8 +400,7 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2*
 %patch15 -p1
 %endif

-%patch17 -p1
-%patch18 -p1
+%patch16 -p1

 %patch20 -p1

@ -444,13 +439,6 @@ for file in %{SOURCE11} ; do
    sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
 done

-# Setup nss.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg
-
-# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg
-sed -i -e "s:@NSS_SECMOD@:sql\:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg
-
 %build

 %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
@ -519,12 +507,6 @@ popd >& /dev/null

 export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk

-# Install nss.cfg right away as we will be using the JRE above
-install -m 644 nss.cfg $JAVA_HOME/conf/security/
-
-# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-# install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
-
 # Copy tz.properties
 echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties

@ -966,7 +948,6 @@ fi
 %{_jvmdir}/%{sdkdir}/lib/*/classes*.jsa

 %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
-%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
 %config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
 %{_jvmdir}/%{sdkdir}/lib/security/default.policy
 %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
--- a/nss-security-provider.patch
+++ b/nss-security-provider.patch
@ -1,10 +0,0 @@
--- a/src/java.base/share/conf/security/java.security
-+++ b/src/java.base/share/conf/security/java.security
-@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
- security.provider.tbd=Apple
- #endif
- security.provider.tbd=SunPKCS11
-+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
- 
- #
- # A list of preferred providers for specific algorithms. These providers will
--- a/nss.cfg.in
+++ b/nss.cfg.in
@ -1,5 +0,0 @@
-name = NSS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssDbMode = noDb
-attributes = compatibility
-handleStartupErrors = ignoreMultipleInitialisation
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@ -1,6 +0,0 @@
-name = NSS-FIPS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = @NSS_SECMOD@
-nssDbMode = readOnly
-nssModule = fips
-