import java-1.8.0-openjdk-1.8.0.352.b08-2.el9_1

c9 imports/c9/java-1.8.0-openjdk-1.8.0.352.b08-2.el9_1
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
parent 501d401e50
commit b76edbd5e1

@ -1,63 +0,0 @@
# HG changeset patch
# User andrew
# Date 1459487045 -3600
# Fri Apr 01 06:04:05 2016 +0100
# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b
# Parent 6b81fd2227d14226f2121f2d51b464536925686e
PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
PR3575: System cacerts database handling should not affect jssecacerts
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -72,7 +72,7 @@
* The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore
* jssecacerts
- * cacerts
+ * cacerts (system and local)
*/
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
@@ -83,6 +83,10 @@
defaultStorePath + fileSep + "cacerts";
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";
+ /* Check system cacerts DB: /etc/pki/java/cacerts */
+ private static final String systemStore =
+ fileSep + "etc" + fileSep + "pki" +
+ fileSep + "java" + fileSep + "cacerts";
// the trust store name
private final String storeName;
@@ -146,7 +150,8 @@
long temporaryTime = 0L;
if (!"NONE".equals(storePropName)) {
String[] fileNames =
- new String[] {storePropName, defaultStore};
+ new String[] {storePropName,
+ systemStore, defaultStore};
for (String fileName : fileNames) {
File f = new File(fileName);
if (f.isFile() && f.canRead()) {
diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
--- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -108,9 +108,14 @@
throws Exception
{
String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
+ /* Check system cacerts DB first; /etc/pki/java/cacerts */
+ File file = new File(sep + "etc" + sep + "pki" + sep
+ + "java" + sep + "cacerts");
+ if (!file.exists()) {
+ file = new File(System.getProperty("java.home") + sep
+ + "lib" + sep + "security" + sep
+ + "cacerts");
+ }
if (!file.exists()) {
return null;
}

@ -0,0 +1,263 @@
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
index e7b4763db53..e8ec8467e6a 100644
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -31,6 +31,7 @@ import java.security.*;
import java.security.cert.*;
import java.util.*;
import sun.security.action.*;
+import sun.security.tools.KeyStoreUtil;
import sun.security.validator.TrustStoreUtil;
/**
@@ -68,7 +69,7 @@ final class TrustStoreManager {
* The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore
* jssecacerts
- * cacerts
+ * cacerts (system and local)
*/
private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator;
@@ -76,7 +77,7 @@ final class TrustStoreManager {
GetPropertyAction.privilegedGetProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore =
- defaultStorePath + fileSep + "cacerts";
+ KeyStoreUtil.getCacertsKeyStoreFile().getPath();
private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts";
@@ -139,6 +140,10 @@ final class TrustStoreManager {
String storePropPassword = System.getProperty(
"javax.net.ssl.trustStorePassword", "");
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+ SSLLogger.fine("Default store: " + defaultStore);
+ }
+
String temporaryName = "";
File temporaryFile = null;
long temporaryTime = 0L;
@@ -146,21 +151,22 @@ final class TrustStoreManager {
String[] fileNames =
new String[] {storePropName, defaultStore};
for (String fileName : fileNames) {
- File f = new File(fileName);
- if (f.isFile() && f.canRead()) {
- temporaryName = fileName;;
- temporaryFile = f;
- temporaryTime = f.lastModified();
-
- break;
- }
-
- // Not break, the file is inaccessible.
- if (SSLLogger.isOn &&
+ if (fileName != null && !"".equals(fileName)) {
+ File f = new File(fileName);
+ if (f.isFile() && f.canRead()) {
+ temporaryName = fileName;;
+ temporaryFile = f;
+ temporaryTime = f.lastModified();
+
+ break;
+ }
+ // Not break, the file is inaccessible.
+ if (SSLLogger.isOn &&
SSLLogger.isOn("trustmanager")) {
- SSLLogger.fine(
- "Inaccessible trust store: " +
- storePropName);
+ SSLLogger.fine(
+ "Inaccessible trust store: " +
+ fileName);
+ }
}
}
} else {
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
index fcc77786da1..f554f83a8b4 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -33,7 +33,10 @@ import java.io.InputStreamReader;
import java.net.URL;
+import java.security.AccessController;
import java.security.KeyStore;
+import java.security.PrivilegedAction;
+import java.security.Security;
import java.security.cert.X509Certificate;
import java.text.Collator;
@@ -54,6 +57,33 @@ public class KeyStoreUtil {
private static final String JKS = "jks";
+ private static final String PROP_NAME = "security.systemCACerts";
+
+ /**
+ * Returns the value of the security property propName, which can be overridden
+ * by a system property of the same name
+ *
+ * @param propName the name of the system or security property
+ * @return the value of the system or security property
+ */
+ @SuppressWarnings("removal")
+ public static String privilegedGetOverridable(String propName) {
+ if (System.getSecurityManager() == null) {
+ return getOverridableProperty(propName);
+ } else {
+ return AccessController.doPrivileged((PrivilegedAction<String>) () -> getOverridableProperty(propName));
+ }
+ }
+
+ private static String getOverridableProperty(String propName) {
+ String val = System.getProperty(propName);
+ if (val == null) {
+ return Security.getProperty(propName);
+ } else {
+ return val;
+ }
+ }
+
/**
* Returns true if the certificate is self-signed, false otherwise.
*/
@@ -96,20 +126,38 @@ public class KeyStoreUtil {
}
}
+ /**
+ * Returns the path to the cacerts DB
+ */
+ public static File getCacertsKeyStoreFile()
+ {
+ String sep = File.separator;
+ File file = null;
+ /* Check system cacerts DB first, preferring system property over security property */
+ String systemDB = privilegedGetOverridable(PROP_NAME);
+ if (systemDB != null && !"".equals(systemDB)) {
+ file = new File(systemDB);
+ }
+ if (file == null || !file.exists()) {
+ file = new File(System.getProperty("java.home") + sep
+ + "lib" + sep + "security" + sep
+ + "cacerts");
+ }
+ if (file.exists()) {
+ return file;
+ }
+ return null;
+ }
+
/**
* Returns the keystore with the configured CA certificates.
*/
public static KeyStore getCacertsKeyStore()
throws Exception
{
- String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
- if (!file.exists()) {
- return null;
- }
KeyStore caks = null;
+ File file = getCacertsKeyStoreFile();
+ if (file == null) { return null; }
try (FileInputStream fis = new FileInputStream(file)) {
caks = KeyStore.getInstance(JKS);
caks.load(fis, null);
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index bfe0c593adb..093bc09bf95 100644
--- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix
@@ -294,6 +294,13 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index 9d1c8fe8a8e..16c9281cc1f 100644
--- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux
@@ -307,6 +307,13 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
index 19047c61097..43e034cdeaf 100644
--- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
index 7eda556ae13..325937e97fb 100644
--- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris
@@ -295,6 +295,13 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
index dfa1a669aa9..92ef777e065 100644
--- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows
@@ -297,6 +297,13 @@ security.overridePropertiesFile=true
#
security.useSystemPropertiesFile=false
+#
+# Specifies the system certificate store
+# This property may be disabled using
+# -Djava.security.disableSystemCACerts=true
+#
+security.systemCACerts=${java.home}/lib/security/cacerts
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
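Review bot: The new `defaultStore` initializer in the TrustStoreManager.java part of this patch, `KeyStoreUtil.getCacertsKeyStoreFile().getPath()`, dereferences a value that `getCacertsKeyStoreFile()` returns as `null` when neither the configured `security.systemCACerts` file nor `${java.home}/lib/security/cacerts` exists. Because the field is a static initializer of `TrustStoreDescriptor`, a missing cacerts file would surface as a NullPointerException during class initialization instead of reaching the "Inaccessible trust store" logging in the loop further down, and the `fileName != null` guard added there never gets to see the null. Falling back to the bundled path keeps the previous behaviour, as sketched below; the rest of `TrustStoreDescriptor` is outside the hunk, so the static-block placement should be checked against it. Separately, the comment added to each `java.security-*` file points operators at `-Djava.security.disableSystemCACerts=true`, but nothing in this patch reads that name. The code consults only `security.systemCACerts`, so the comment should instead describe setting `-Dsecurity.systemCACerts=` to an empty value.

```java
private static final String defaultStore;
static {
    // getCacertsKeyStoreFile() returns null when no cacerts file exists
    File cacerts = KeyStoreUtil.getCacertsKeyStoreFile();
    defaultStore = (cacerts != null)
            ? cacerts.getPath()
            : defaultStorePath + fileSep + "cacerts";
}
// … unchanged: jsseDefaultStore and the remaining fields …
```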

@ -26,6 +26,8 @@
%bcond_with artifacts %bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm %bcond_without fresh_libjvm
# Build with system libraries
%bcond_with system_libs
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm} %if %{with fresh_libjvm}
@ -34,6 +36,16 @@
%global build_hotspot_first 0 %global build_hotspot_first 0
%endif %endif
%if %{with system_libs}
%global system_libs 1
%global link_type system
%global jpeg_lib |libjavajpeg[.]so.*
%else
%global system_libs 0
%global link_type bundled
%global jpeg_lib |libjpeg[.]so.*
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info. # This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -158,11 +170,15 @@
# Build and test slowdebug first as it provides the best diagnostics # Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
%if 0%{?flatpak}
%global bootstrap_build false
%else
%ifarch %{bootstrap_arches} %ifarch %{bootstrap_arches}
%global bootstrap_build true %global bootstrap_build true
%else %else
%global bootstrap_build false %global bootstrap_build false
%endif %endif
%endif
%global bootstrap_targets images %global bootstrap_targets images
%global release_targets images docs-zip %global release_targets images docs-zip
@ -278,16 +294,15 @@
# New Version-String scheme-style defines # New Version-String scheme-style defines
%global majorver 8 %global majorver 8
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 3.15.0
# Define current Git revision for the FIPS support patches
%global fipsver 6d1aade0648
# Standard JPackage naming and versioning defines # Standard JPackage naming and versioning defines
%global origin openjdk %global origin openjdk
%global origin_nice OpenJDK %global origin_nice OpenJDK
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
# Settings for local security configuration
%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os}
%global cacerts_file /etc/pki/java/cacerts
# Define vendor information used by OpenJDK # Define vendor information used by OpenJDK
%global oj_vendor Red Hat, Inc. %global oj_vendor Red Hat, Inc.
%global oj_vendor_url "https://www.redhat.com/" %global oj_vendor_url "https://www.redhat.com/"
@ -317,7 +332,10 @@
%global project %{shenandoah_project} %global project %{shenandoah_project}
%global repo %{shenandoah_repo} %global repo %{shenandoah_repo}
%global revision %{shenandoah_revision} %global revision %{shenandoah_revision}
# Define IcedTea version used for SystemTap tapsets and desktop files
%global icedteaver 3.15.0
# Define current Git revision for the FIPS support patches
%global fipsver 6d1aade0648
# e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04
%global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*}) %global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*})
@ -371,7 +389,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938
%global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* %global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*%{jpeg_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk %if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$ %global __provides_exclude ^(%{_privatelibs})$
@ -813,6 +831,7 @@ exit 0
%{_jvmdir}/%{jrelnk -- %{?1}} %{_jvmdir}/%{jrelnk -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts %{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream
%dir %{_jvmdir}/%{jredir -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/bin %dir %{_jvmdir}/%{jredir -- %{?1}}/bin
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib %dir %{_jvmdir}/%{jredir -- %{?1}}/lib
@ -895,7 +914,11 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so
%if %{system_libs}
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so
%else
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so
%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so
@ -937,6 +960,7 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties %{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat %{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/management/* %{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
%{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/* %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
@ -1216,11 +1240,13 @@ Requires: tzdata-java >= 2022d
# for support of kernel stream control # for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand # libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa} Requires: lksctp-tools%{?_isa}
%if ! 0%{?flatpak}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression # considered as regression
Requires: copy-jdk-configs >= 4.0 Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs OrderWithRequires: copy-jdk-configs
%endif
# for printing support # for printing support
Requires: cups-libs Requires: cups-libs
# for system security properties # for system security properties
@ -1398,6 +1424,7 @@ Source20: repackReproduciblePolycies.sh
Source100: config.guess Source100: config.guess
Source101: config.sub Source101: config.sub
############################################ ############################################
# #
# RPM/distribution specific patches # RPM/distribution specific patches
@ -1455,7 +1482,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_
Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch
# PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
# PR3575, RH1567204: System cacerts database handling should not affect jssecacerts # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts
Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch # RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
# Must be applied after FIPS patch as it also changes java.security
Patch539: pr2888-rh2055274-support_system_cacerts.patch
# enable build of speculative store bypass hardened alt-java # enable build of speculative store bypass hardened alt-java
Patch600: rh1750419-redhat_alt_java.patch Patch600: rh1750419-redhat_alt_java.patch
# JDK-8218811: replace open by os::open in hotspot coding # JDK-8218811: replace open by os::open in hotspot coding
@ -1570,12 +1599,8 @@ BuildRequires: desktop-file-utils
BuildRequires: elfutils-devel BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel BuildRequires: fontconfig-devel
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gdb BuildRequires: gdb
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: libX11-devel BuildRequires: libX11-devel
BuildRequires: libXext-devel BuildRequires: libXext-devel
@ -1608,6 +1633,24 @@ BuildRequires: gcc >= 4.8.3-8
BuildRequires: systemtap-sdt-devel BuildRequires: systemtap-sdt-devel
%endif %endif
%if %{system_libs}
BuildRequires: giflib-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h
Provides: bundled(lcms2) = 2.10.0
# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in jdk/src/share/native/sun/awt/libpng/png.h
Provides: bundled(libpng) = 1.6.37
# We link statically against libstdc++ to increase portability
BuildRequires: libstdc++-static
%endif
# this is always built, also during debug-only build # this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder # when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}} %{java_rpo %{nil}}
@ -1860,14 +1903,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/
# OpenJDK patches # OpenJDK patches
%if %{system_libs}
# Remove libraries that are linked # Remove libraries that are linked
sh %{SOURCE12} sh %{SOURCE12}
%endif
# System library fixes # System library fixes
%if %{system_libs}
%patch201 %patch201
%patch202 %patch202
%patch203 %patch203
%patch204 %patch204
%endif
%patch5 %patch5
@ -1900,13 +1947,14 @@ pushd %{top_level_dir_name}
%patch1001 -p1 %patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security # nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1 %patch1000 -p1
# cacerts patch; must follow FIPS patch as it also alters java.security
%patch539 -p1
# tzdata updates targetted for 8u362 # tzdata updates targetted for 8u362
%patch2002 -p1 %patch2002 -p1
%patch2003 -p1 %patch2003 -p1
popd popd
# RPM-only fixes # RPM-only fixes
%patch539
%patch600 %patch600
%patch1003 %patch1003
@ -1970,7 +2018,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg # Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
# Setup security policy
sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file}
%build %build
# How many CPU's do we have? # How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1} export NUM_PROC=${NUM_PROC:-1}
@ -2008,11 +2060,18 @@ function buildjdk() {
local buildjdk=${2} local buildjdk=${2}
local maketargets="${3}" local maketargets="${3}"
local debuglevel=${4} local debuglevel=${4}
local link_opt=${5}
local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
# Variable used in hs_err hook on build failures # Variable used in hs_err hook on build failures
local top_builddir_abs_path=$(pwd)/${outputdir} local top_builddir_abs_path=$(pwd)/${outputdir}
if [ "x${link_opt}" = "xbundled" ] ; then
libc_link_opt="static";
else
libc_link_opt="dynamic";
fi
echo "Checking build JDK ${buildjdk} is operational..." echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version ${buildjdk}/bin/java -version
echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}" echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}"
@ -2041,12 +2100,14 @@ function buildjdk() {
--with-debug-level=${debuglevel} \ --with-debug-level=${debuglevel} \
--disable-sysconf-nss \ --disable-sysconf-nss \
--enable-unlimited-crypto \ --enable-unlimited-crypto \
--with-zlib=system \ --with-zlib=${link_opt} \
--with-libjpeg=system \ --with-giflib=${link_opt} \
--with-giflib=system \ %if %{with system_libs}
--with-libpng=system \ --with-libjpeg=${link_opt} \
--with-lcms=system \ --with-libpng=${link_opt} \
--with-stdc++lib=dynamic \ --with-lcms=${link_opt} \
%endif
--with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-asflags="$EXTRA_ASFLAGS" \ --with-extra-asflags="$EXTRA_ASFLAGS" \
@ -2115,8 +2176,13 @@ function installjdk() {
${imagepath}/jre/lib/security/java.security ${imagepath}/jre/lib/security/java.security
# Use system-wide tzdata # Use system-wide tzdata
rm ${imagepath}/jre/lib/tzdb.dat mv ${imagepath}/jre/lib/tzdb.dat{,.upstream}
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
# Rename OpenJDK cacerts database
mv ${imagepath}/jre/lib/security/cacerts{,.upstream}
# Install cacerts symlink needed by some apps which hard-code the path
ln -sv %{cacerts_file} ${imagepath}/jre/lib/security
# add alt-java man page # add alt-java man page
pushd ${imagepath} pushd ${imagepath}
@ -2152,6 +2218,7 @@ builddir=%{buildoutputdir -- $suffix}
bootbuilddir=boot${builddir} bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- $suffix} installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir} bootinstalldir=boot${installdir}
link_opt="%{link_type}"
# Debug builds don't need same targets as release for # Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these # build speed-up. We also avoid bootstrapping these
@ -2165,13 +2232,13 @@ else
fi fi
if ${run_bootstrap} ; then if ${run_bootstrap} ; then
buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
installjdk ${bootbuilddir} ${bootinstalldir} installjdk ${bootbuilddir} ${bootinstalldir}
buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir} installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}} %{!?with_artifacts:rm -rf ${bootinstalldir}}
else else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir} installjdk ${builddir} ${installdir}
fi fi
@ -2212,14 +2279,14 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif %endif
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
# Check translations are available for new timezones # Check translations are available for new timezones
$JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/javac -d . %{SOURCE18}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
# Check debug symbols are present and can identify code # Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
do do
@ -2335,13 +2402,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien
done done
%endif %endif
# Remove empty cacerts database
rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts
# Install cacerts symlink needed by some apps which hardcode the path
pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security
ln -sf /etc/pki/java/cacerts .
popd
# Install versioned symlinks # Install versioned symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir} pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix} ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix}
@ -2672,31 +2732,52 @@ cjc.mainProgram(args)
%changelog %changelog
* Sun Oct 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b08-2 * Sun Oct 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b08-2
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Add test to ensure timezones can be translated
- Related: rhbz#2133695
* Fri Oct 14 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b08-1
- Update to shenandoah-jdk8u352-b08 (GA) - Update to shenandoah-jdk8u352-b08 (GA)
- Update release notes for shenandoah-8u352-b08. - Update release notes for shenandoah-8u352-b08.
- Rebase FIPS patch against 8u352-b07 - Rebase FIPS patch against 8u352-b07
- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * - Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Add test to ensure timezones can be translated
- Resolves: rhbz#2133695 - Resolves: rhbz#2133695
* Wed Aug 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-1 * Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-5
- Allow the default keystore to be configured using security.systemCACerts
- Use of the property can now be disabled using -Dsecurity.systemCACerts=
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Resolves: rhbz#2077006
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-4
- Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2121273
* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:1.8.0.345.b01-3
- Disable copy-jdk-configs for Flatpak builds
- Fix flatpak builds by exempting them from bootstrap
- Resolves: rhbz#2102727
* Wed Aug 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-2
- Update to shenandoah-jdk8u345-b01 (GA) - Update to shenandoah-jdk8u345-b01 (GA)
- Update release notes for 8u345-b01. - Update release notes for 8u345-b01.
- Resolves: rhbz#2115463 - Resolves: rhbz#2112405
* Sun Jul 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.342.b07-2
- Update to shenandoah-jdk8u342-b07 (GA)
- Update release notes for 8u342-b07.
- Switch to GA mode for final release.
- Resolves: rhbz#2106509
* Mon Jul 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.342.b07-1 * Sun Jul 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.342.b06-0.1.ea
- Update to shenandoah-jdk8u342-b07 - Update to shenandoah-jdk8u342-b06 (EA)
- Update release notes for shenandoah-8u342-b07. - Update release notes for shenandoah-8u342-b06.
- Switch to EA mode for 8u342 pre-release builds.
- Print release file during build, which should now include a correct SOURCE value from .src-rev - Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation - Update tarball script with IcedTea GitHub URL and .src-rev generation
- Use "git apply" with patches in the tarball script to allow binary diffs - Use "git apply" with patches in the tarball script to allow binary diffs
- Remove redundant "REPOS" variable from tarball script - Remove redundant "REPOS" variable from tarball script
- Include script to generate bug list for release notes - Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350 - Update tzdata requirement to 2022a to match JDK-8283350
- Resolves: rhbz#2083322
* Sun Jul 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b09-3
- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository - Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage - * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together - * RH2090378: Revert to disabling system security properties and FIPS mode support together
@ -2706,19 +2787,29 @@ cjc.mainProgram(args)
- Improve security properties test to check both enabled and disabled behaviour - Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on - Run security properties test with property debugging on
- Explicitly require crypto-policies during build and runtime for system security properties - Explicitly require crypto-policies during build and runtime for system security properties
- Resolves: rhbz#2099916 - Resolves: rhbz#2099801
- Resolves: rhbz#2107958 - Resolves: rhbz#2100678
- Resolves: rhbz#2084776
- Resolves: rhbz#2106508
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:1.8.0.332.b09-2 * Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:1.8.0.332.b09-2
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2107956 - Resolves: rhbz#2102435
* Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b09-1 * Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b09-1
- Update to shenandoah-jdk8u332-b09 (GA) - Update to shenandoah-jdk8u332-b09 (GA)
- Update release notes for 8u332-b09. - Update release notes for 8u332-b09.
- Resolves: rhbz#2074649 - Switch to GA mode for final release.
- Resolves: rhbz#2074650
* Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b06-0.1.ea
- Update to shenandoah-jdk8u332-b06 (EA)
- Update release notes for shenandoah-8u332-b06.
- Resolves: rhbz#2050457
* Sun Apr 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b01-0.1.ea
- Update to shenandoah-jdk8u332-b01 (EA)
- Update release notes for shenandoah-8u332-b01.
- Switch to EA mode.
- Related: rhbz#2050457
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-9 * Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-9
- Remove 'java --version' test as this is not supported on java-1.8.0-openjdk - Remove 'java --version' test as this is not supported on java-1.8.0-openjdk
