From 49fde4f730087e1ac7f059fe868c8a62b10c2e1d88b3a4d99f7a0a6e3f2e68dd Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 7 Feb 2024 14:37:23 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:Factory/java-21-openjdk?expand=0&rev=32 --- fips.patch | 2 +- java-21-openjdk.changes | 16 ++++++++++++++++ java-21-openjdk.spec | 25 +++---------------------- nss-security-provider.patch | 10 ---------- nss.cfg.in | 5 ----- nss.fips.cfg.in | 6 ------ 6 files changed, 20 insertions(+), 44 deletions(-) delete mode 100644 nss-security-provider.patch delete mode 100644 nss.cfg.in delete mode 100644 nss.fips.cfg.in diff --git a/fips.patch b/fips.patch index a849b6c..6ec46e3 100644 --- a/fips.patch +++ b/fips.patch @@ -1983,8 +1983,8 @@ index 5149edba0e5..8227d650a03 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -86,6 +86,17 @@ security.provider.tbd=Apple + #endif security.provider.tbd=SunPKCS11 - #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg +# +# Security providers used when FIPS mode support is active diff --git a/java-21-openjdk.changes b/java-21-openjdk.changes index 720f195..082aaac 100644 --- a/java-21-openjdk.changes +++ b/java-21-openjdk.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Wed Feb 7 13:59:23 UTC 2024 - Fridrich Strba + +- Recommend mozilla-nss-sysinit in order to have available the + /etc/pki/nssdb directory and its content, required in fips mode + (bsc#1219662) +- Do not install our crafted nss.fips.cfg file, but use the one that + the build produces with our fips.patch applied +- Removed patch: + * nss-security-provider.patch + + this DISABLED nss security provider was not used for years and + is largely rendered obsolete by the NSS-FIPS provider +- Modified patch: + * fips.patch + + adapt to the removal of the nss security provider + ------------------------------------------------------------------- Wed Jan 24 08:16:42 UTC 2024 - Fridrich Strba diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec index c47832f..3c89f58 100644 --- a/java-21-openjdk.spec +++ b/java-21-openjdk.spec @@ -134,10 +134,6 @@ Source0: https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag Source10: systemtap-tapset.tar.xz # Desktop files. Adapated from IcedTea. Source11: jconsole.desktop.in -# nss configuration file -Source12: nss.cfg.in -# nss fips configuration file -Source13: nss.fips.cfg.in # Ensure we aren't using the limited crypto policy Source14: TestCryptoLevel.java # Ensure ECDSA is working @@ -163,8 +159,7 @@ Patch12: adlc-parser.patch # Fix: implicit-pointer-decl Patch13: implicit-pointer-decl.patch Patch15: system-pcsclite.patch -Patch17: nss-security-provider.patch -Patch18: fips.patch +Patch16: fips.patch # Patch20: loadAssistiveTechnologies.patch # @@ -282,6 +277,7 @@ Requires(post): update-alternatives Requires(posttrans): java-ca-certificates # Postun requires update-alternatives to uninstall tool update-alternatives. Requires(postun): update-alternatives +Recommends: mozilla-nss-sysinit Recommends: tzdata-java8 Obsoletes: %{name}-accessibility %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap} @@ -404,8 +400,7 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2* %patch15 -p1 %endif -%patch17 -p1 -%patch18 -p1 +%patch16 -p1 %patch20 -p1 @@ -444,13 +439,6 @@ for file in %{SOURCE11} ; do sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE done -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg - -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:sql\:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg - %build %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64} @@ -519,12 +507,6 @@ popd >& /dev/null export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk -# Install nss.cfg right away as we will be using the JRE above -install -m 644 nss.cfg $JAVA_HOME/conf/security/ - -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -# install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ - # Copy tz.properties echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties @@ -966,7 +948,6 @@ fi %{_jvmdir}/%{sdkdir}/lib/*/classes*.jsa %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs -%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg %config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg %{_jvmdir}/%{sdkdir}/lib/security/default.policy %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat diff --git a/nss-security-provider.patch b/nss-security-provider.patch deleted file mode 100644 index 8ae1a85..0000000 --- a/nss-security-provider.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/src/java.base/share/conf/security/java.security -+++ b/src/java.base/share/conf/security/java.security -@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI - security.provider.tbd=Apple - #endif - security.provider.tbd=SunPKCS11 -+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # - # A list of preferred providers for specific algorithms. These providers will diff --git a/nss.cfg.in b/nss.cfg.in deleted file mode 100644 index fe53560..0000000 --- a/nss.cfg.in +++ /dev/null @@ -1,5 +0,0 @@ -name = NSS -nssLibraryDirectory = @NSS_LIBDIR@ -nssDbMode = noDb -attributes = compatibility -handleStartupErrors = ignoreMultipleInitialisation diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in deleted file mode 100644 index fc7e4e7..0000000 --- a/nss.fips.cfg.in +++ /dev/null @@ -1,6 +0,0 @@ -name = NSS-FIPS -nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ -nssDbMode = readOnly -nssModule = fips -