Hello community,
here is the log from the commit of package java-25-openjdk for openSUSE:Factory
checked in at 2026-03-25 21:17:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/java-25-openjdk (Old)
and /work/SRC/openSUSE:Factory/.java-25-openjdk.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "java-25-openjdk"
Wed Mar 25 21:17:17 2026 rev:6 rq:1342270 version:25.0.2.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/java-25-openjdk/java-25-openjdk.changes
2026-01-28 15:05:16.557326652 +0100
+++
/work/SRC/openSUSE:Factory/.java-25-openjdk.new.8177/java-25-openjdk.changes
2026-03-27 06:41:46.706832677 +0100
@@ -1,0 +2,40 @@
+Tue Mar 24 16:31:28 UTC 2026 - Fridrich Strba <[email protected]>
+
+- Migrate to the new logic of FIPS patch developed by RedHat in
+ https://github.com/rh-openjdk/jdk/tree/fips-25u
+- Add the sources of /nss-native-fips-key-import-export-adapter
+ * This native library is an adapter for OpenJDK to use the NSS
+ PKCS #11 software token (libsoftokn3.so) in FIPS mode. It
+ provides support to import and export secret and private key
+ material in plain. This enables Java applications to manage
+ PKCS #12 key stores through the java.security.KeyStore API and
+ benefit from FIPS-certified cryptography. Note: this library
+ replaces the Java FIPS Key Importer Exporter in previous
+ versions of this package (FIPSKeyImporter.java).
+- Modified patch:
+ * fips.patch
+ + diff the https://github.com/rh-openjdk/jdk/tree/fips-25u
+ to the release tag jdk-25.0.2-ga and adapt for SUSE
+- Added patches:
+ * nssadapter-Allow-overriding-of-gcc-name.patch
+ + Allow specifying CC variables on system where the default
+ gcc is too old for the features needed in the nssadapter
+ * nssadapter-Fix-build-on-openSUSE.patch
+ + make the build work well with SUSE packaging of NSS
+ * 0001-Don-t-make-missing-system-crypto-policies-fatal.patch
+ + prevent OpenJDK from throwing exception if an "include"d
+ security config file is missing.
+ + Allows the same package running on systems that don't provide
+ the crypto-policies package as well as on those that provide
+ it
+- Add create-crypto-properties-files.bash that generates during the
+ build the config files for different fips and non-fips scenarios
+- Add TestSecurityProperties.java to test the loading of system
+ security properties where applicable
+
+-------------------------------------------------------------------
+Mon Mar 16 16:04:27 UTC 2026 - Fridrich Strba <[email protected]>
+
+- Provide the timezone-java and tzdata-java (jsc#PED-15898)
+
+-------------------------------------------------------------------
New:
----
0001-Don-t-make-missing-system-crypto-policies-fatal.patch
TestSecurityProperties.java
create-crypto-properties-files.bash
nssadapter-0.1.1.tar.xz
nssadapter-Allow-overriding-of-gcc-name.patch
nssadapter-Fix-build-on-openSUSE.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ java-25-openjdk.spec ++++++
--- /var/tmp/diff_new_pack.cZXW6k/_old 2026-03-27 06:41:47.802877961 +0100
+++ /var/tmp/diff_new_pack.cZXW6k/_new 2026-03-27 06:41:47.806878127 +0100
@@ -98,10 +98,19 @@
%else
%global package_version
%{featurever}.%{interimver}.%{?updatever:%{updatever}}%{!?updatever:0}.%{?patchver:%{patchver}}%{!?patchver:0}~%{buildver}
%endif
-%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
%if 0%{?gcc_version} < 11
%global with_gcc 11
%endif
+# Define nssadapter variables
+%global nssadapter_version 0.1.1
+%global nssadapter_name nssadapter-%{nssadapter_version}
+# Prevent TestSecurityProperties from failing on distros that
+# don't have system crypto-policies package
+%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
+%global crypto_policy_active true
+%else
+%global crypto_policy_active false
+%endif
%bcond_with zero
%if ! %{with zero}
%global with_systemtap 1
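Review bot: `crypto_policy_active` in the new `%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550` block is derived from the distribution version, not from whether `/etc/crypto-policies/back-ends/java.config` is actually present in the build root. TestSecurityProperties opens that file when it is called with `true` and fails the build if it cannot be read, and none of the BuildRequires hunks in this diff adds crypto-policies. Add a `BuildRequires: crypto-policies` under the same condition, or set the macro from a file-existence check at build time.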
@@ -128,24 +137,30 @@
Version: %{package_version}
Release: 0
Summary: OpenJDK %{featurever} Runtime Environment
-License: Apache-1.1 AND Apache-2.0 AND GPL-1.0-or-later AND
GPL-2.0-only AND GPL-2.0-only WITH Classpath-exception-2.0 AND LGPL-2.0-only
AND MPL-1.0 AND MPL-1.1 AND SUSE-Public-Domain AND W3C
+License: Apache-1.1 AND Apache-2.0 AND GPL-1.0-or-later AND
GPL-2.0-only AND GPL-2.0-only WITH Classpath-exception-2.0 AND LGPL-2.0-only
AND MPL-1.0 AND MPL-1.1 AND LicenseRef-SUSE-Public-Domain AND W3C
Group: Development/Languages/Java
URL: https://openjdk.java.net/
# Sources from upstream OpenJDK project.
Source0:
https://github.com/openjdk/%{openjdk_repo}/archive/%{openjdk_tag}.tar.gz
+# FIPS support sources.
+Source1:
https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/%{nssadapter_name}.tar.xz
# Systemtap tapsets. Zipped up to keep it small.
Source10: systemtap-tapset.tar.xz
# Desktop files. Adapated from IcedTea.
Source11: jconsole.desktop.in
# Ensure we aren't using the limited crypto policy
-Source14: TestCryptoLevel.java
+Source13: TestCryptoLevel.java
# Ensure ECDSA is working
-Source15: TestECDSA.java
+Source14: TestECDSA.java
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
# Fresh config.guess and config.sub files
# wget -O config.guess
'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD'
Source100: config.guess
# wget -O config.sub
'http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD'
Source101: config.sub
+# script to generate the infrastructure for FIPS support
+Source200: create-crypto-properties-files.bash
# RHBZ 808293
Patch4: PStack-808293.patch
# Allow multiple initialization of PKCS11 libraries
@@ -160,6 +175,7 @@
Patch13: implicit-pointer-decl.patch
Patch15: system-pcsclite.patch
Patch16: fips.patch
+Patch17: 0001-Don-t-make-missing-system-crypto-policies-fatal.patch
#
Patch20: loadAssistiveTechnologies.patch
#
@@ -169,6 +185,9 @@
#
Patch302: disable-doclint-by-default.patch
#
+Patch400: nssadapter-Fix-build-on-openSUSE.patch
+Patch401: nssadapter-Allow-overriding-of-gcc-name.patch
+#
BuildRequires: alsa-lib-devel
BuildRequires: autoconf
BuildRequires: automake
@@ -195,7 +214,8 @@
BuildRequires: libpng-devel
BuildRequires: libtool
BuildRequires: libxslt
-BuildRequires: mozilla-nss-devel >= 3.53
+# libnssadapter.so build requirements
+BuildRequires: mozilla-nss-devel
BuildRequires: pkgconfig
BuildRequires: unzip
BuildRequires: xorg-x11-proto-devel
@@ -265,14 +285,14 @@
Summary: OpenJDK %{featurever} Runtime Environment
Group: Development/Languages/Java
Requires: jpackage-utils
-Requires: mozilla-nss
# Post requires update-alternatives to install tool update-alternatives.
Requires(post): update-alternatives
Requires(posttrans): java-ca-certificates
# Postun requires update-alternatives to uninstall tool update-alternatives.
Requires(postun): update-alternatives
-Recommends: mozilla-nss-sysinit
Obsoletes: %{name}-accessibility
+Provides: timezone-java
+Provides: tzdata-java
%if 0%{?suse_version} > 1315 || 0%{?java_bootstrap}
# Standard JPackage base provides.
Provides: java-%{javaver}-headless = %{version}-%{release}
@@ -364,7 +384,7 @@
The OpenJDK %{featurever} API documentation.
%prep
-%setup -q -n %{openjdk_dir}
+%setup -q -n %{openjdk_dir} -a1
# Replace config.sub and config.guess with fresh versions
cp %{SOURCE100} make/autoconf/build-aux/
@@ -393,6 +413,7 @@
%endif
%patch -P 16 -p1
+%patch -P 17 -p1
%patch -P 20 -p1
@@ -400,6 +421,12 @@
%patch -P 302 -p1
+# Patch NSS adapter
+pushd %{nssadapter_name}
+%patch -P 400 -p1
+%patch -P 401 -p1
+popd # nssadapter
+
# Extract systemtap tapsets
%if %{with_systemtap}
@@ -445,7 +472,7 @@
--with-version-pre="" \
%endif
--with-version-build="%{buildver}" \
- --with-version-opt="suse-%{suse_version}-%{_arch}" \
+ --with-version-opt="suse-0%{?suse_version}-%{_arch}" \
%if %{with zero}
--with-jvm-variants=zero \
%else
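Review bot: `--with-version-opt="suse-0%{?suse_version}-%{_arch}"` puts the guard zero into a user-visible string, so the value now always starts with a literal `0` in front of the distribution number. The `0%{?macro}` idiom is meant for numeric comparisons in `%if`; for a string, the spec's own pattern from package_version fits better: `%{?suse_version}%{!?suse_version:0}`.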
@@ -480,8 +507,17 @@
popd >& /dev/null
+%if 0%{?with_gcc}
+CC="gcc-%{with_gcc}" \
+%endif
+%{make} -C %{nssadapter_name}
+
export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
+# FIPS stuff
+install %{nssadapter_name}/bin/libnssadapter.so $JAVA_HOME/lib/
+bash -xe %{SOURCE200} $JAVA_HOME/conf/security
%{_jvmdir}/%{sdkdir}/lib/libnssadapter.so
+
# cacerts are generated in runtime in openSUSE
if [ -f %{buildoutputdir}/%{imagesdir}/jdk/lib/security/cacerts ]; then
rm %{buildoutputdir}/%{imagesdir}/jdk/lib/security/cacerts
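Review bot: The adapter build line `%{make} -C %{nssadapter_name}` passes only `CC`; nothing in this hunk hands %{optflags} or the distribution's linker flags to the nssadapter Makefile. For a native library that imports and exports plain key material, confirm that the hardening flags reach it, for example by passing CFLAGS and LDFLAGS explicitly if the Makefile honours them. The `install` call also has no `-m`, which leaves libnssadapter.so at install's default mode of 0755; stating the mode makes the intent visible.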
@@ -502,13 +538,22 @@
fi
# Check unlimited policy has been used
-$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED
TestCryptoLevel
# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") || true
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-#FIXME make it run after system NSS support?
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE15})|sed "s|\.java||") || true
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} %{crypto_policy_active}
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Dsystem.crypto-policies=true ${PROG}
%{crypto_policy_active}
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Dsystem.crypto-policies=false ${PROG} false
%install
export LANG=en_US.UTF-8
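Review bot: The TestECDSA run keeps its `|| true` on the line `$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") || true`, so a broken ECDSA implementation still cannot fail the build, although the FIXME that explained the tolerance is removed in this hunk. Drop `|| true` if the test is expected to pass with the new FIPS logic, or keep a comment saying why failure is tolerated. The three TestSecurityProperties runs only exercise the `system.crypto-policies` switch; none of them checks the FIPS provider list, so that path stays untested here.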
@@ -761,9 +806,11 @@
%dir %{_jvmdir}/%{sdkdir}/conf/management
%dir %{_jvmdir}/%{sdkdir}/conf/sdp
%dir %{_jvmdir}/%{sdkdir}/conf/security
+%dir %{_jvmdir}/%{sdkdir}/conf/security/false
%dir %{_jvmdir}/%{sdkdir}/conf/security/policy
%dir %{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited
%dir %{_jvmdir}/%{sdkdir}/conf/security/policy/limited
+%dir %{_jvmdir}/%{sdkdir}/conf/security/true
%dir %{_jvmdir}/%{sdkdir}
%{_jvmdir}/%{jrelnk}
@@ -782,7 +829,7 @@
%{_jvmdir}/%{sdkdir}/conf/management/management.properties
%{_jvmdir}/%{sdkdir}/conf/net.properties
%{_jvmdir}/%{sdkdir}/conf/sdp/sdp.conf.template
-#{_jvmdir}/%{sdkdir}/conf/security/java.policy
+%{_jvmdir}/%{sdkdir}/conf/security/crypto-policies.properties
%{_jvmdir}/%{sdkdir}/conf/security/java.security
%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/default_local.policy
%{_jvmdir}/%{sdkdir}/conf/security/policy/limited/default_US_export.policy
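Review bot: `conf/security/crypto-policies.properties` is added as a plain file, but the text this commit appends to java.security tells administrators to edit exactly this file (`sed -i s/true/false/ $JAVA_HOME/conf/security/crypto-policies.properties`) to make a persistent per-deployment choice. Without `%config(noreplace)` a package update restores `include true/crypto-policies.properties` and silently reverts that choice. Mark it the way SunPKCS11-FIPS.cfg is marked later in the %files list.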
@@ -790,6 +837,10 @@
%{_jvmdir}/%{sdkdir}/conf/security/policy/README.txt
%{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited/default_local.policy
%{_jvmdir}/%{sdkdir}/conf/security/policy/unlimited/default_US_export.policy
+%{_jvmdir}/%{sdkdir}/conf/security/true/fips.properties
+%{_jvmdir}/%{sdkdir}/conf/security/true/crypto-policies.properties
+%{_jvmdir}/%{sdkdir}/conf/security/false/fips.properties
+%{_jvmdir}/%{sdkdir}/conf/security/false/crypto-policies.properties
%{_jvmdir}/%{sdkdir}/conf/sound.properties
%{_jvmdir}/%{sdkdir}/lib/desktop/jconsole.desktop
%{_jvmdir}/%{sdkdir}/lib/jexec
@@ -825,10 +876,10 @@
%{_jvmdir}/%{sdkdir}/lib/libmlib_image.so
%{_jvmdir}/%{sdkdir}/lib/libnet.so
%{_jvmdir}/%{sdkdir}/lib/libnio.so
+%{_jvmdir}/%{sdkdir}/lib/libnssadapter.so
%{_jvmdir}/%{sdkdir}/lib/libprefs.so
%{_jvmdir}/%{sdkdir}/lib/librmi.so
%{_jvmdir}/%{sdkdir}/lib/libsctp.so
-%{_jvmdir}/%{sdkdir}/lib/libsystemconf.so
%ifarch x86_64
%{_jvmdir}/%{sdkdir}/lib/libjsvml.so
%{_jvmdir}/%{sdkdir}/lib/libsimdsort.so
@@ -849,8 +900,7 @@
%{_jvmdir}/%{sdkdir}/lib/*/classes*.jsa
%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blocked.certs
-%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.fips.cfg
-#{_jvmdir}/%{sdkdir}/lib/security/default.policy
+%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/SunPKCS11-FIPS.cfg
%{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
%files devel
++++++ 0001-Don-t-make-missing-system-crypto-policies-fatal.patch ++++++
>From 3edab51e940f5567aaf8799e0241d8416a88a051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <[email protected]>
Date: Wed, 18 Mar 2026 01:05:24 +0100
Subject: [PATCH] Don't make missing system crypto-policies fatal
---
src/java.base/share/classes/java/security/Security.java | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/java.base/share/classes/java/security/Security.java
b/src/java.base/share/classes/java/security/Security.java
index 4501d5971c4..bb54ae74bb4 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -257,8 +257,9 @@ static void loadInclude(String propFile) {
}
loadFromPath(path, LoadingMode.APPEND);
} catch (IOException | InvalidPathException e) {
- throw new InternalError("Unable to include '" + expPropFile +
- "'", e);
+ if (sdebug != null) {
+ sdebug.println("Unable to include '" + expPropFile + "'");
+ }
}
}
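Review bot: The catch block now swallows every `IOException | InvalidPathException` from every `include`, not only a missing system crypto-policies file, and the exception `e` is dropped from the message. With the include chain this commit sets up, an unreadable or mistyped `fips.properties` or `crypto-policies.properties` would leave the JVM running on the default provider list with no output unless `java.security.debug=properties` is set. Narrow the tolerance to the file-not-found case for the one optional path, keep `InternalError` for the rest, and print `e` in the `sdebug.println` call.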
--
2.53.0
++++++ TestSecurityProperties.java ++++++
/* TestSecurityProperties -- Ensure system security properties can be used to
enable the crypto policies.
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
import java.util.Properties;
public class TestSecurityProperties {
private static final String JAVA_HOME = System.getProperty("java.home");
// JDK 11
private static final String JDK_PROPS_FILE_JDK_11 = JAVA_HOME +
"/conf/security/java.security";
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = JAVA_HOME +
"/lib/security/java.security";
// JDK 25
// Omit fips.properties files since they are not relevant to this test.
// Omit JAVA_HOME + "/conf/security/crypto-policies.properties" which simply includes
// true/crypto-policies.properties in case system.crypto-policies is left undefined.
private static final String[] JDK_PROPS_FILES_JDK_25_ENABLED = {
JAVA_HOME + "/conf/security/true/crypto-policies.properties",
"/etc/crypto-policies/back-ends/java.config"
};
private static final String[] JDK_PROPS_FILES_JDK_25_DISABLED = {
JAVA_HOME + "/conf/security/false/crypto-policies.properties"
};
private static final String POLICY_FILE =
"/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
private static final String javaVersion =
System.getProperty("java.version");
// float for java 1.8
private static final float JAVA_FEATURE =
Float.parseFloat(System.getProperty("java.specification.version"));
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
System.err.println("Invoke with 'true' if system security properties should be enabled.");
System.err.println("Invoke with 'false' if system security properties should be disabled.");
System.exit(1);
}
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: "
+ enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps, enabled);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key : jdkProps.keySet()) {
String sKey = (String) key;
if (JAVA_FEATURE >= 25 && sKey.equals("include")) {
// Avoid the following exception on 25: IllegalArgumentException: Key 'include' is
// reserved and cannot be used as a Security property name. Hard-code the includes
// in JDK_PROPS_FILES_JDK_25_ENABLED and JDK_PROPS_FILES_JDK_25_DISABLED instead.
continue;
}
System.out.println(MSG_PREFIX + "Checking " + sKey);
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!jdkSecVal.equals(securityVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadPropertiesFile(Properties props, String propsFile) {
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadProperties(Properties props, boolean enabled) {
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
loadPropertiesFile(props, propsFile);
if (JAVA_FEATURE >= 25) {
for (String file : enabled ? JDK_PROPS_FILES_JDK_25_ENABLED :
JDK_PROPS_FILES_JDK_25_DISABLED) {
System.out.println(MSG_PREFIX + "Loading " + file);
loadPropertiesFile(props, file);
}
}
}
private static void loadPolicy(Properties props) {
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
}
/*
* Local Variables:
* compile-command: "\
* /usr/lib/jvm/java-25-openjdk/bin/javac TestSecurityProperties.java \
* && (/usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties false ; [[ $? == 1 ]]) \
* && (/usr/lib/jvm/java-25-openjdk/bin/java -Dsystem.crypto-policies=true TestSecurityProperties false ; [[ $? == 1 ]]) \
* && (/usr/lib/jvm/java-25-openjdk/bin/java -Dsystem.crypto-policies=false TestSecurityProperties true ; [[ $? == 1 ]]) \
* && /usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties true \
* && /usr/lib/jvm/java-25-openjdk/bin/java -Dsystem.crypto-policies=true TestSecurityProperties true \
* && /usr/lib/jvm/java-25-openjdk/bin/java -Dsystem.crypto-policies=false TestSecurityProperties false" \
* fill-column: 124
* End:
*/
++++++ create-crypto-properties-files.bash ++++++
#!/bin/bash
#
# Create Red Hat OpenJDK security properties directory hierarchy.
#
# Copyright (C) 2025 IBM Corporation. All rights reserved.
#
# Written by:
# Francisco Ferrari Bihurriet <[email protected]>
# Thomas Fitzsimmons <[email protected]>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Usage:
#
# bash create-suse-properties-files.bash <target directory> <nssadapter path>
#
# Example usage in spec file:
#
# bash -x create-suse-properties-files.bash ${installdir}/conf/security \
# %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
#
# When you make changes to the file set here, also update the %files
# section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
# in TestSecurityProperties.java.
[[ $# == 2 ]] || exit 1
SECURITY="${1}"
NSSADAPTER="${2}"
VENDOR="${SECURITY}"
install --directory --mode=755 "${VENDOR}"
install --directory --mode=755 "${VENDOR}"/true
install --directory --mode=755 "${VENDOR}"/false
# /usr/lib/jvm/java-25-openjdk/conf/security/SunPKCS11-FIPS.cfg
install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
name = FIPS
library = ${NSSADAPTER}
slot = 3
nssUseSecmod = false
attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/false/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
# Empty on purpose, for ${system.crypto-policies}=false
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/true/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
#
# Apply the system-wide crypto policy
#
include /etc/crypto-policies/back-ends/java.config
#
# Apply the FIPS-specific security properties, if needed
#
include ../${__fips_enabled__}/fips.properties
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
#
# Default choice for the crypto-policies setup
#
include true/crypto-policies.properties
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/false/fips.properties
install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
# Empty on purpose, for when FIPS is disabled.
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/true/fips.properties
install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
#
# Enable the downstream-patch FIPSFilter code
#
__fips_filter__=true
#
# FIPS mode Security Providers List
#
security.provider.1=SunPKCS11 ${java.home}/conf/security/SunPKCS11-FIPS.cfg
security.provider.2=SUN
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunRsaSign
security.provider.7=XMLDSig
security.provider.8=
# ^ empty on purpose, to finish the Providers List
#
# FIPS mode default keystore type
#
keystore.type=pkcs12
EOF
# Make sure java.security exists before appending
test -e "${SECURITY}"/java.security || ( echo "${SECURITY}/java.security not found" && false )
cat >> "${SECURITY}"/java.security <<'EOF'
#
# System-wide crypto-policies and FIPS setup
#
# The following crypto-policies setup automatically detects when the system
# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
# ignore the system and disable its FIPS setup, just disable the usage of
# the system crypto-policies, by any of the methods described below.
#
# The system.crypto-policies system property is a boolean switch that
# controls the usage on a per-run basis. For example, pass
# -Dsystem.crypto-policies=false to disable the system crypto-policies.
#
# This setup consists of the following files in $JAVA_HOME/conf/security:
#
# 'false/crypto-policies.properties' (policies usage disabled file)
# Empty file, applied when the boolean switch is passed as false.
#
# 'true/crypto-policies.properties' (policies usage enabled file)
# Performs the crypto-policies and FIPS setup, applied when the boolean
# switch is passed as true.
#
# 'crypto-policies.properties' (policies usage default file)
# Determines the default choice by including one of the previous files,
# applied when the boolean switch is not passed.
# The system crypto-policies usage is enabled by default:
# include true/crypto-policies.properties
#
# To enable or disable the usage of the crypto-policies on a per-deployment
# basis, edit the policies usage default file, changing the included file.
# For example, execute the following command to persistently disable the
# crypto-policies:
# sed -i s/true/false/ $JAVA_HOME/conf/security/crypto-policies.properties
# Applications can still override this on a per-run basis, for example by
# passing -Dsystem.crypto-policies=true.
#
# To disable the system.crypto-policies boolean switch, modify the following
# include directive as follows. Replace ${system.crypto-policies} by true to
# force-apply the system crypto-policies:
# include true/crypto-policies.properties
# Remove or comment out the include directive to force-disable the setup:
# #include ${system.crypto-policies}/crypto-policies.properties
#
include ./${system.crypto-policies}/crypto-policies.properties
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# WARNING: anything placed after this include directive will apply on top
# of the described setup. Adding properties below this section is strongly
# discouraged, as it poses a risk of overriding the system crypto-policies
# or invalidating the FIPS deployment.
EOF
# Local Variables:
# compile-command: "shellcheck create-suse-properties-files.bash"
# End:
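
Which files the include chain written by the script above ends up loading, as an added example that is not part of this commit or of OpenJDK. It follows only the rules stated in the java.security comment block and in patch 0001; `resolve_includes`, `make_sample_tree` and the sample tree are constructed for illustration, and `realpath -m` from GNU coreutils is assumed.

```bash
#!/bin/bash
# Added example: trace the properties include chain for an audit.
# It mimics the behaviour described on this page; it is not the JDK's parser.

KEY_POLICIES='${system.crypto-policies}'
KEY_FIPS='${__fips_enabled__}'

# resolve_includes FILE POLICIES FIPS
#   POLICIES: value of -Dsystem.crypto-policies ("" when not passed)
#   FIPS:     value substituted for ${__fips_enabled__} (true or false)
# Prints one "LOAD <path>" or "MISSING <path>" line per file, in load order.
resolve_includes() {
    local file=$1 policies=$2 fips=$3 dir line target
    if [[ ! -r $file ]]; then
        # Patch 0001 turns a failed include into a debug message, so the
        # chain continues instead of aborting JVM start-up.
        echo "MISSING $file"
        return 0
    fi
    echo "LOAD $file"
    dir=$(dirname "$file")
    while IFS= read -r line; do
        [[ $line =~ ^include[[:space:]]+(.+)$ ]] || continue
        target=${BASH_REMATCH[1]}
        target=${target//"$KEY_POLICIES"/$policies}
        target=${target//"$KEY_FIPS"/$fips}
        # Relative includes are resolved against the including file.
        [[ $target == /* ]] || target=$dir/$target
        resolve_includes "$(realpath -m "$target")" "$policies" "$fips"
    done < "$file"
}

# Constructed sample: the same layout the script creates under conf/security.
make_sample_tree() {
    local root
    root=$(realpath "$(mktemp -d)")
    mkdir -p "$root/true" "$root/false"
    echo 'include ./${system.crypto-policies}/crypto-policies.properties' \
        > "$root/java.security"
    echo 'include true/crypto-policies.properties' \
        > "$root/crypto-policies.properties"
    printf '%s\n' 'include /etc/crypto-policies/back-ends/java.config' \
        'include ../${__fips_enabled__}/fips.properties' \
        > "$root/true/crypto-policies.properties"
    echo '# Empty on purpose' > "$root/false/crypto-policies.properties"
    echo '__fips_filter__=true' > "$root/true/fips.properties"
    echo '# Empty on purpose' > "$root/false/fips.properties"
    echo "$root"
}

# Demo on a FIPS-enabled host: unset, true, false, and a mistyped value.
demo_root=$(make_sample_tree)
for value in "" true false flase; do
    echo "== -Dsystem.crypto-policies='$value' =="
    resolve_includes "$demo_root/java.security" "$value" true
done
rm -rf "$demo_root"
```

The `false` and mistyped runs show why the switch is worth watching on FIPS hosts: in both cases `true/fips.properties` is never reached, and with patch 0001 the mistyped value produces no error.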
++++++ fips.patch ++++++
++++ 3030 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/java-25-openjdk/fips.patch
++++ and /work/SRC/openSUSE:Factory/.java-25-openjdk.new.8177/fips.patch
++++++ nssadapter-Allow-overriding-of-gcc-name.patch ++++++
>From 111cc0d03a3876b9ac87c6cbb217436cd3513074 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <[email protected]>
Date: Mon, 16 Mar 2026 19:16:14 +0100
Subject: [PATCH 2/2] Allow overriding of gcc name
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index bbdc671..957cc54 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,7 @@ BIN_DIR := bin
OUTPUT := $(BIN_DIR)/lib$(NAME).so
DBG_SENTINEL := $(BIN_DIR)/_built_in_debug_mode_
-CC = gcc
+CC ?= gcc
DEVEL_PKGS = nss
LIB_DIR = $(shell pkg-config --variable=libdir nss)
SHARED_LIBS = pthread softokn3 nss3
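Review bot: `CC ?= gcc` does not fall back to gcc. GNU make predefines `CC` as `cc`, so the conditional assignment never fires and a build without `CC` in the environment now compiles with `cc` instead of `gcc`. If gcc has to remain the default, test the origin instead: `ifeq ($(origin CC),default)` / `CC = gcc` / `endif`. A command-line `make CC=gcc-11` would also have overridden the original `CC = gcc` without any patch.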
--
2.53.0
++++++ nssadapter-Fix-build-on-openSUSE.patch ++++++
>From 28f0505d0f9a02fd6533314be64ddadaf3f36b76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <[email protected]>
Date: Mon, 16 Mar 2026 18:06:46 +0100
Subject: [PATCH 1/2] Fix build on openSUSE
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 9f90e5f..bbdc671 100644
--- a/Makefile
+++ b/Makefile
@@ -10,8 +10,8 @@ OUTPUT := $(BIN_DIR)/lib$(NAME).so
DBG_SENTINEL := $(BIN_DIR)/_built_in_debug_mode_
CC = gcc
-DEVEL_PKGS = nss nss-softokn
-LIB_DIR = $(shell pkg-config --variable=libdir nss-softokn)
+DEVEL_PKGS = nss
+LIB_DIR = $(shell pkg-config --variable=libdir nss)
SHARED_LIBS = pthread softokn3 nss3
STATIC_LIBS = freebl
STATIC_OBJS = $(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS)))
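Review bot: `LIB_DIR = $(shell pkg-config --variable=libdir nss)` expands to an empty string when pkg-config cannot find nss, and `STATIC_OBJS` then resolves to `/libfreebl.a`, which fails late and with a misleading message. Add a guard right after the assignment, for example `$(if $(LIB_DIR),,$(error pkg-config could not locate nss))`. The unconditional switch from nss-softokn to nss also makes the patch SUSE-only; probing with `pkg-config --exists nss-softokn` and falling back to nss would keep it acceptable upstream.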
--
2.53.0