#139 Fix FIPS issues in native code and with initialisation of java.security.Security
Merged 2 years ago by ahughes. Opened 2 years ago by ahughes.
rpms/ ahughes/java-11-openjdk fips  into  rawhide

file modified
+9 -1
@@ -345,7 +345,7 @@ 

  %global top_level_dir_name   %{origin}

  %global top_level_dir_name_backup %{top_level_dir_name}-backup

  %global buildver        8

- %global rpmrelease      1

+ %global rpmrelease      2

  #%%global tagsuffix     %%{nil}

  # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit

  %if %is_system_jdk
@@ -1239,6 +1239,9 @@ 

  Patch1009: rh1996182-login_to_nss_software_token.patch

  # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false

  Patch1011: rh1991003-enable_fips_keys_import.patch

+ # RH2021263: Resolve outstanding FIPS issues

+ Patch1014: rh2021263-fips_ensure_security_initialised.patch

+ Patch1015: rh2021263-fips_missing_native_returns.patch

  

  #############################################

  #
@@ -1676,6 +1679,8 @@ 

  %patch1008

  %patch1009

  %patch1011

+ %patch1014

+ %patch1015

  

  # Extract systemtap tapsets

  %if %{with_systemtap}
@@ -2469,6 +2474,9 @@ 

  %endif

  

  %changelog

+ * Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.2.ea

+ - Fix FIPS issues in native code and with initialisation of java.security.Security

+ 

  * Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.1.ea

  - Sync gdb test with java-1.8.0-openjdk and disable for now until gdb is fixed.

  

@@ -0,0 +1,28 @@ 

+ commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d

+ Author: Andrew Hughes <gnu.andrew@redhat.com>

+ Date:   Tue Jan 18 02:00:55 2022 +0000

+ 

+     RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance

+ 

+ diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java

+ index 2ec51d57806..8489b940c43 100644

+ --- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java

+ +++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java

+ @@ -36,6 +36,7 @@ import java.io.FilePermission;

+  import java.io.ObjectInputStream;

+  import java.io.RandomAccessFile;

+  import java.security.ProtectionDomain;

+ +import java.security.Security;

+  import java.security.Signature;

+  

+  /** A repository of "shared secrets", which are a mechanism for

+ @@ -368,6 +369,9 @@ public class SharedSecrets {

+      }

+  

+      public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {

+ +        if (javaSecuritySystemConfiguratorAccess == null) {

+ +            unsafe.ensureClassInitialized(Security.class);

+ +        }

+          return javaSecuritySystemConfiguratorAccess;

+      }

+  }
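Review bot: In `getJavaSecuritySystemConfiguratorAccess()` the static field is read once for the null test and again for the `return`, with no local copy, so the value returned is not guaranteed to be the one that was tested. The method can also still return `null` if it is reached while `Security` is already being initialised on the same thread, because `ensureClassInitialized` then returns without waiting. Presumably `Security`'s static initialiser is what registers the accessor, but that code is outside this hunk. Reading the field into a local, re-reading it after the initialisation call, and commenting that `null` remains possible during bootstrap would make the contract explicit for callers, which judging by the PR title use it for FIPS decisions. The method is complete in the hunk; the rest of the class is not shown.

```java
    public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
        // Read the field once per check so the value tested is the value returned.
        JavaSecuritySystemConfiguratorAccess access = javaSecuritySystemConfiguratorAccess;
        if (access == null) {
            unsafe.ensureClassInitialized(Security.class);
            // Still null if Security is mid-initialisation on this thread; callers must handle that.
            access = javaSecuritySystemConfiguratorAccess;
        }
        return access;
    }
```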

@@ -0,0 +1,24 @@ 

+ commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2

+ Author: Fridrich Strba <fstrba@suse.com>

+ Date:   Mon Jan 17 19:44:03 2022 +0000

+ 

+     RH2021263: Return in C code after having generated Java exception

+ 

+ diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c

+ index 6f4656bfcb6..34d0ff0ce91 100644

+ --- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c

+ +++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c

+ @@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn

+      dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);

+      if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {

+          throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);

+ +        return JNI_FALSE;

+      }

+      fips_enabled = fgetc(fe);

+      fclose(fe);

+      if (fips_enabled == EOF) {

+          throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);

+ +        return JNI_FALSE;

+      }

+      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \

+              " read character is '%c'", fips_enabled);
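Review bot: Both added `return JNI_FALSE;` lines in `getSystemFIPSEnabled` return a value that reads as "FIPS not enabled", and nothing in the hunk says that this value is meaningless while the IOException is pending. A short comment on each, such as `/* exception pending; the return value is not observed by the Java caller */`, would stop a later reader from treating an unreadable FIPS_ENABLED_PATH as a clean "disabled" result. It is also worth confirming that the Java caller, which is not shown here, propagates or fails closed on this IOException rather than catching it and continuing in non-FIPS mode. The function body continues past the end of the hunk.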

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

Pull-Request has been merged by ahughes

2 years ago