Accepting request 1144979 from Java:Factory

Fips related fixes OBS-URL: https://build.opensuse.org/request/show/1144979 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/java-21-openjdk?expand=0&rev=8
2024-02-08 18:01:45 +00:00 · 2024-02-08 18:01:45 +00:00 · a14532fe55
commit a14532fe55
parent 7555b028d9 49fde4f730
6 changed files with 20 additions and 44 deletions
--- a/fips.patch
+++ b/fips.patch
@ -1983,8 +1983,8 @@ index 5149edba0e5..8227d650a03 100644
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
@@ -86,6 +86,17 @@ security.provider.tbd=Apple
 #endif
 security.provider.tbd=SunPKCS11
 #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 +#
 +# Security providers used when FIPS mode support is active
--- a/java-21-openjdk.changes
+++ b/java-21-openjdk.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Wed Feb  7 13:59:23 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 - Recommend mozilla-nss-sysinit in order to have available the
  /etc/pki/nssdb directory and its content, required in fips mode
  (bsc#1219662)
 - Do not install our crafted nss.fips.cfg file, but use the one that
  the build produces with our fips.patch applied
 - Removed patch:
  * nss-security-provider.patch
    + this DISABLED nss security provider was not used for years and
      is largely rendered obsolete by the NSS-FIPS provider
 - Modified patch:
  * fips.patch
    + adapt to the removal of the nss security provider
 -------------------------------------------------------------------
 Wed Jan 24 08:16:42 UTC 2024 - Fridrich Strba <fstrba@suse.com>
--- a/java-21-openjdk.spec
+++ b/java-21-openjdk.spec
@ -134,10 +134,6 @@ Source0:        https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag
 Source10:       systemtap-tapset.tar.xz
 # Desktop files. Adapated from IcedTea.
 Source11:       jconsole.desktop.in
 # nss configuration file
 Source12:       nss.cfg.in
 # nss fips configuration file
 Source13:       nss.fips.cfg.in
 # Ensure we aren't using the limited crypto policy
 Source14:       TestCryptoLevel.java
 # Ensure ECDSA is working
@ -163,8 +159,7 @@ Patch12:        adlc-parser.patch
 # Fix: implicit-pointer-decl
 Patch13:        implicit-pointer-decl.patch
 Patch15:        system-pcsclite.patch
-Patch17:        nss-security-provider.patch
+Patch16:        fips.patch
 Patch18:        fips.patch
 #
 Patch20:        loadAssistiveTechnologies.patch
 #
@ -282,6 +277,7 @@ Requires(post): update-alternatives
 Requires(posttrans): java-ca-certificates
 # Postun requires update-alternatives to uninstall tool update-alternatives.
 Requires(postun): update-alternatives
 Recommends:     mozilla-nss-sysinit
 Recommends:     tzdata-java8
 Obsoletes:      %{name}-accessibility
 %if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
@ -404,8 +400,7 @@ rm -rvf src/java.desktop/share/native/liblcms/lcms2*
 %patch15 -p1
 %endif
-%patch17 -p1
+%patch16 -p1
 %patch18 -p1
 %patch20 -p1
@ -444,13 +439,6 @@ for file in %{SOURCE11} ; do
    sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
 done
 # Setup nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE12} > nss.cfg
 # Setup nss.fips.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.fips.cfg
 sed -i -e "s:@NSS_SECMOD@:sql\:%{_sysconfdir}/pki/nssdb:g" nss.fips.cfg
 %build
 %ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
@ -519,12 +507,6 @@ popd >& /dev/null
 export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
 # Install nss.cfg right away as we will be using the JRE above
 install -m 644 nss.cfg $JAVA_HOME/conf/security/
 # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
 # install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
 # Copy tz.properties
 echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties
@ -966,7 +948,6 @@ fi
 %{_jvmdir}/%{sdkdir}/lib/*/classes*.jsa
 %config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
 %config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
 %config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
 %{_jvmdir}/%{sdkdir}/lib/security/default.policy
 %{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
--- a/nss-security-provider.patch
+++ b/nss-security-provider.patch
@ -1,10 +0,0 @@
 --- a/src/java.base/share/conf/security/java.security
 +++ b/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
 security.provider.tbd=Apple
 #endif
 security.provider.tbd=SunPKCS11
 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 #
 # A list of preferred providers for specific algorithms. These providers will
--- a/nss.cfg.in
+++ b/nss.cfg.in
@ -1,5 +0,0 @@
 name = NSS
 nssLibraryDirectory = @NSS_LIBDIR@
 nssDbMode = noDb
 attributes = compatibility
 handleStartupErrors = ignoreMultipleInitialisation
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@ -1,6 +0,0 @@
 name = NSS-FIPS
 nssLibraryDirectory = @NSS_LIBDIR@
 nssSecmodDirectory = @NSS_SECMOD@
 nssDbMode = readOnly
 nssModule = fips