aliases, int[] m) {
+- register(new Descriptor(type, algorithm, className, aliases, m));
++ register(new Descriptor(type, algorithm, className, aliases, m, null));
++ }
++
++ private static void d(String type, String algorithm, String className,
++ int[] m, int[] requiredMechs) {
++ register(new Descriptor(type, algorithm, className, null, m,
++ requiredMechs));
++ }
++ private static void dA(String type, String algorithm, String className,
++ int[] m, int[] requiredMechs) {
++ register(new Descriptor(type, algorithm, className,
++ getAliases(algorithm), m, requiredMechs));
+ }
+
+ private static void dA(String type, String algorithm, String className,
+ int[] m) {
+ register(new Descriptor(type, algorithm, className,
+- getAliases(algorithm), m));
++ getAliases(algorithm), m, null));
+ }
+
+ private static void register(Descriptor d) {
+@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider {
+ String P11Cipher = "sun.security.pkcs11.P11Cipher";
+ String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
+ String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
++ String P11PBECipher = "sun.security.pkcs11.P11PBECipher";
+ String P11Signature = "sun.security.pkcs11.P11Signature";
+ String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
+
+@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider {
+ d(MAC, "SslMacSHA1", P11Mac,
+ m(CKM_SSL3_SHA1_MAC));
+
++ if (systemFipsEnabled) {
++ /*
++ * PBA HMacs
++ *
++ * KeyDerivationMech must be supported
++ * for these services to be available.
++ *
++ */
++ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC),
++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
++ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ }
++
+ d(KPG, "RSA", P11KeyPairGenerator,
+ getAliases("PKCS1"),
+ m(CKM_RSA_PKCS_KEY_PAIR_GEN));
+@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider {
+ d(SKF, "ChaCha20", P11SecretKeyFactory,
+ m(CKM_CHACHA20_POLY1305));
+
++ if (systemFipsEnabled) {
++ /*
++ * PBE Secret Key Factories
++ *
++ * KeyDerivationPrf must be supported for these services
++ * to be available.
++ *
++ */
++ d(SKF, "PBEWithHmacSHA1AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
++ d(SKF, "PBEWithHmacSHA224AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
++ d(SKF, "PBEWithHmacSHA256AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
++ d(SKF, "PBEWithHmacSHA384AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
++ d(SKF, "PBEWithHmacSHA512AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
++ d(SKF, "PBEWithHmacSHA1AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
++ d(SKF, "PBEWithHmacSHA224AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
++ d(SKF, "PBEWithHmacSHA256AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
++ d(SKF, "PBEWithHmacSHA384AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
++ d(SKF, "PBEWithHmacSHA512AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
++ /*
++ * PBA Secret Key Factories
++ */
++ d(SKF, "HmacPBESHA1", P11SecretKeyFactory,
++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
++ d(SKF, "HmacPBESHA224", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA256", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA384", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA512", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ /*
++ * PBKDF2 Secret Key Factories
++ */
++ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
++ }
++
+ // XXX attributes for Ciphers (supported modes, padding)
+ dA(CIP, "ARCFOUR", P11Cipher,
+ m(CKM_RC4));
+@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider {
+ d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
+ m(CKM_RSA_X_509));
+
++ if (systemFipsEnabled) {
++ /*
++ * PBE Ciphers
++ *
++ * KeyDerivationMech and KeyDerivationPrf must be supported
++ * for these services to be available.
++ *
++ */
++ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
++ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
++ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
++ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
++ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
++ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
++ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
++ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
++ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
++ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
++ }
++
+ d(SIG, "RawDSA", P11Signature,
+ List.of("NONEwithDSA"),
+ m(CKM_DSA));
+@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider {
+ if (ds == null) {
+ continue;
+ }
++ descLoop:
+ for (Descriptor d : ds) {
+ Integer oldMech = supportedAlgs.get(d);
+ if (oldMech == null) {
++ if (d.requiredMechs != null) {
++ // Check that other mechanisms required for the
++ // service are supported before listing it as
++ // available for the first time.
++ for (int requiredMech : d.requiredMechs) {
++ if (token.getMechanismInfo(
++ requiredMech & 0xFFFFFFFFL) == null) {
++ continue descLoop;
++ }
++ }
++ }
+ supportedAlgs.put(d, integerMech);
+ continue;
+ }
+@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider {
+ } else if (algorithm.endsWith("GCM/NoPadding") ||
+ algorithm.startsWith("ChaCha20-Poly1305")) {
+ return new P11AEADCipher(token, algorithm, mechanism);
++ } else if (algorithm.startsWith("PBE")) {
++ return new P11PBECipher(token, algorithm, mechanism);
+ } else {
+ return new P11Cipher(token, algorithm, mechanism);
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
+index 88ff8a71fc3..47a2f97eddf 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
+@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS {
+ }
+
+ /**
+- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS.
+ *
+- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++ * @return the string representation of CK_ECDH1_DERIVE_PARAMS
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
+index 0c9ebb289c1..b4b2448464d 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
+@@ -160,6 +160,18 @@ public class CK_MECHANISM {
+ init(mechanism, params);
+ }
+
++ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) {
++ init(mechanism, params);
++ }
++
++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) {
++ init(mechanism, params);
++ }
++
++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) {
++ init(mechanism, params);
++ }
++
+ // For PSS. the parameter may be set multiple times, use the
+ // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS)
+ // methods instead of creating yet another constructor
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
+index e8b048869c4..a25fa1c39e5 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
+@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper;
+
+
+ /**
+- * class CK_PBE_PARAMS provides all of the necessary information required byte
++ * class CK_PBE_PARAMS provides all the necessary information required by
+ * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.
+ * PKCS#11 structure:
+ *
+ * typedef struct CK_PBE_PARAMS {
+- * CK_CHAR_PTR pInitVector;
+- * CK_CHAR_PTR pPassword;
++ * CK_BYTE_PTR pInitVector;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+- * CK_CHAR_PTR pSalt;
++ * CK_BYTE_PTR pSalt;
+ * CK_ULONG ulSaltLen;
+ * CK_ULONG ulIteration;
+ * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pInitVector;
++ * CK_BYTE_PTR pInitVector;
+ *
+ */
+- public char[] pInitVector;
++ public byte[] pInitVector;
+
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pPassword;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+ *
+ */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+ /**
+ * PKCS#11:
+ *
+- * CK_CHAR_PTR pSalt
++ * CK_BYTE_PTR pSalt
+ * CK_ULONG ulSaltLen;
+ *
+ */
+- public char[] pSalt;
++ public byte[] pSalt;
+
+ /**
+ * PKCS#11:
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+ */
+ public long ulIteration;
+
++ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++ this.pPassword = pPassword;
++ this.pSalt = pSalt;
++ this.ulIteration = ulIteration;
++ }
++
+ /**
+ * Returns the string representation of CK_PBE_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+index fb90bfced27..a01beb0753a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+
+ package sun.security.pkcs11.wrapper;
+
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+ /**
+ * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+ * PKCS#11 structure:
+ *
+ * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ * CK_VOID_PTR pSaltSourceData;
+ * CK_ULONG ulSaltSourceDataLen;
+ * CK_ULONG iterations;
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ * CK_VOID_PTR pPrfData;
+ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG_PTR ulPasswordLen;
+ * } CK_PKCS5_PBKD2_PARAMS;
+ *
+ *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+ */
+ public byte[] pPrfData;
+
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG_PTR ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
+ /**
+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+new file mode 100644
+index 00000000000..935db656639
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.
++ * PKCS#11 structure:
++ *
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ * CK_ULONG iterations;
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ *
++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *
++ */
++ public long saltSource;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ *
++ */
++ public byte[] pSaltSourceData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_ULONG iterations;
++ *
++ */
++ public long iterations;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *
++ */
++ public long prf;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ *
++ */
++ public byte[] pPrfData;
++
++ /**
++ * PKCS#11:
++ *
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG ulPasswordLen;
++ *
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
++ /**
++ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++ *
++ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++ */
++ public String toString() {
++ StringBuilder sb = new StringBuilder();
++
++ sb.append(Constants.INDENT);
++ sb.append("saltSource: ");
++ sb.append(saltSource);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pSaltSourceData: ");
++ sb.append(Functions.toHexString(pSaltSourceData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulSaltSourceDataLen: ");
++ sb.append(pSaltSourceData.length);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("iterations: ");
++ sb.append(iterations);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("prf: ");
++ sb.append(prf);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pPrfData: ");
++ sb.append(Functions.toHexString(pPrfData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulPrfDataLen: ");
++ sb.append(pPrfData.length);
++
++ return sb.toString();
++ }
++
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+index 1f9c4d39f57..5e3c1b9d29f 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+ public byte[] pPublicData;
+
+ /**
+- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+ *
+- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 5c0aacd1a67..5fbf8addcba 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -113,6 +116,8 @@ public class PKCS11 {
+
+ private long pNativeData;
+
++ private CK_INFO pInfo;
++
+ /**
+ * This method does the initialization of the native library. It is called
+ * exactly once for this class.
+@@ -145,23 +150,49 @@ public class PKCS11 {
+ * @postconditions
+ */
+ PKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ connect(pkcs11ModulePath, functionListName);
+ this.pkcs11ModulePath = pkcs11ModulePath;
++ pInfo = C_GetInfo();
++ }
++
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null, null);
+ }
+
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter,
++ MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null &&
++ fipsKeyExporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -179,6 +210,14 @@ public class PKCS11 {
+ return pkcs11;
+ }
+
++ /**
++ * Returns the CK_INFO structure fetched at initialization with
++ * C_GetInfo. This structure represent Cryptoki library information.
++ */
++ public CK_INFO getInfo() {
++ return pInfo;
++ }
++
+ /**
+ * Connects this object to the specified PKCS#11 library. This method is for
+ * internal use only.
+@@ -1625,7 +1664,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+
+ SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ }
+
+@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(PKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ FIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.PKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ SynchronizedFIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public synchronized void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++ MethodHandle fipsKeyExporter, long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ Map sensitiveAttrs = new HashMap<>();
++ List nonSensitiveAttrs = new LinkedList<>();
++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++ sensitiveAttrs, nonSensitiveAttrs);
++ try {
++ if (sensitiveAttrs.size() > 0) {
++ long keyClass = -1L;
++ long keyType = -1L;
++ try {
++ // Secret and private keys have both class and type
++ // attributes, so we can query them at once.
++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++ new CK_ATTRIBUTE(CKA_CLASS),
++ new CK_ATTRIBUTE(CKA_KEY_TYPE),
++ };
++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++ keyClass = queryAttrs[0].getLong();
++ keyType = queryAttrs[1].getLong();
++ } catch (PKCS11Exception e) {
++ // If the query fails, the object is neither a secret nor a
++ // private key. As this case won't be handled with the FIPS
++ // Key Exporter, we keep keyClass initialized to -1L.
++ }
++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++ sensitiveAttrs);
++ if (nonSensitiveAttrs.size() > 0) {
++ CK_ATTRIBUTE[] pNonSensitiveAttrs =
++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++ int i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ pNonSensitiveAttrs[i++] = nonSensAttr;
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject,
++ pNonSensitiveAttrs);
++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++ // update the reference on the previous CK_ATTRIBUTEs
++ i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++ }
++ }
++ return;
++ }
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++ Map sensitiveAttrs,
++ List nonSensitiveAttrs) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ long type = attr.type;
++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++ type == CKA_COEFFICIENT) {
++ sensitiveAttrs.put(type, attr);
++ } else {
++ nonSensitiveAttrs.add(attr);
++ }
++ }
++ }
++}
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+index d22844cfba8..9e02958b4b0 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+ public static final long CKD_BLAKE2B_384_KDF = 0x00000019L;
+ public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL;
+
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
+-
+- public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
+-
+ public static final long CK_OTP_VALUE = 0x00000000L;
+ public static final long CK_OTP_PIN = 0x00000001L;
+ public static final long CK_OTP_CHALLENGE = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+ public static final long CKF_HKDF_SALT_KEY = 0x00000004L;
+ */
+
++ // PBKDF2 support, used in P11Util
++ public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
++
+ // private NSS attribute (for DSA and DH private keys)
+ public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L;
+
+ // base number of NSS private attributes
+ public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+- = 0xCE534350L;
++ /* now known as CKM_NSS ^ */ = 0xCE534350L;
+
+ // object type for NSS trust
+ public static final long CKO_NETSCAPE_TRUST = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+ = 0xCE534355L;
+ public static final long CKT_NETSCAPE_VALID = 0xCE53435AL;
+ public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL;
++
++ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++ /* (CKM_NSS + 29) */ = 0xCE53436DL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++ /* (CKM_NSS + 30) */ = 0xCE53436EL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++ /* (CKM_NSS + 31) */ = 0xCE53436FL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++ /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+index 666c5eb9b3b..5523dafcdb4 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+ break;
+ case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ // retrieve java values
+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+ if (jPbeParamsClass == NULL) { return NULL; }
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+ if (fieldID == NULL) { return NULL; }
+ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+
+ // populate using java values
+ ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++ jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+ }
+ }
+
++#define PBKD2_PARAM_SET(member, value) \
++ do { \
++ if(ckParamPtr->version == PARAMS) { \
++ ckParamPtr->params.v1.member = value; \
++ } else { \
++ ckParamPtr->params.v2.member = value; \
++ } \
++ } while(0)
++
++#define PBKD2_PARAM_ADDR(member) \
++ ( \
++ (ckParamPtr->version == PARAMS) ? \
++ (void*) &ckParamPtr->params.v1.member : \
++ (void*) &ckParamPtr->params.v2.member \
++ )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+ * pointer
+ *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+ * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+ */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++ VersionedPbkd2ParamsPtr ckParamPtr;
++ ParamVersion paramVersion;
++ CK_ULONG_PTR pUlPasswordLen;
+ jclass jPkcs5Pbkd2ParamsClass;
+ jfieldID fieldID;
+ jlong jSaltSource, jIteration, jPrf;
+- jobject jSaltSourceData, jPrfData;
++ jobject jSaltSourceData, jPrfData, jPassword;
+
+ if (pLength != NULL) {
+ *pLength = 0L;
+ }
+
+ // retrieve java values
+- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++ if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS;
++ } else if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS2;
++ } else {
++ return NULL;
++ }
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+ if (fieldID == NULL) { return NULL; }
+ jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++ if (fieldID == NULL) { return NULL; }
++ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+
+- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++ // allocate memory for VersionedPbkd2Params and store the structure version
++ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+ if (ckParamPtr == NULL) {
+ throwOutOfMemoryError(env, 0);
+ return NULL;
+ }
++ ckParamPtr->version = paramVersion;
+
+ // populate using java values
+- ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++ jByteArrayToCKByteArray(env, jSaltSourceData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++ PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- ckParamPtr->iterations = jLongToCKULong(jIteration);
+- ckParamPtr->prf = jLongToCKULong(jPrf);
+- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++ jByteArrayToCKByteArray(env, jPrfData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++ PBKD2_PARAM_ADDR(ulPrfDataLen));
++ if ((*env)->ExceptionCheck(env)) {
++ goto cleanup;
++ }
++ if (ckParamPtr->version == PARAMS) {
++ pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++ if (pUlPasswordLen == NULL) {
++ throwOutOfMemoryError(env, 0);
++ goto cleanup;
++ }
++ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++ } else {
++ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++ }
++ jCharArrayToCKUTF8CharArray(env, jPassword,
++ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++ pUlPasswordLen);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+
+ if (pLength != NULL) {
+- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++ *pLength = (ckParamPtr->version == PARAMS ?
++ sizeof(ckParamPtr->params.v1) :
++ sizeof(ckParamPtr->params.v2));
+ }
++ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+ return ckParamPtr;
+ cleanup:
+- free(ckParamPtr->pSaltSourceData);
+- free(ckParamPtr->pPrfData);
++ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+ free(ckParamPtr);
+ return NULL;
+
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+index 520bd52a2cd..aa76945283d 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+ case CKM_CAMELLIA_CTR:
+ // params do not contain pointers
+ break;
++ case CKM_PKCS5_PBKD2:
++ // get the versioned structure from behind memory
++ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++ "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++ break;
++ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++ break;
+ default:
+ // currently unsupported mechs by SunPKCS11 provider
+ // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+ // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+ // PBE mechs, WTLS mechs, CMS mechs,
+ // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+ // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+ jboolean* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+ jbyte* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+ jlong* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+ jchar* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+ jchar* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+index eb6d01b9e47..450e4d27d62 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+
+ #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350)
++/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB 0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL 0x80000373
+
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32)
++
+ /*
+
+ Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+ jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++ union {
++ CK_PKCS5_PBKD2_PARAMS v1;
++ CK_PKCS5_PBKD2_PARAMS2 v2;
++ } params;
++ ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \
++ do { \
++ if ((verParamsPtr)->version == PARAMS) { \
++ free((verParamsPtr)->params.v1.pSaltSourceData); \
++ free((verParamsPtr)->params.v1.pPrfData); \
++ free((verParamsPtr)->params.v1.pPassword); \
++ free((verParamsPtr)->params.v1.ulPasswordLen); \
++ } else { \
++ free((verParamsPtr)->params.v2.pSaltSourceData); \
++ free((verParamsPtr)->params.v2.pPrfData); \
++ free((verParamsPtr)->params.v2.pPassword); \
++ } \
++ } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..883dc04758e 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+
+ putXDHEntries();
+ putEdDSAEntries();
+-
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator",
+- List.of("EllipticCurve"), ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator",
++ List.of("EllipticCurve"), ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
new file mode 100755
index 0000000..eb99e1a
--- /dev/null
+++ b/generate_source_tarball.sh
@@ -0,0 +1,163 @@
+#!/bin/bash
+# Generates the 'source tarball' for JDK projects.
+#
+# Example:
+# When used from local repo set REPO_ROOT pointing to file:// with your repo
+# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
+# If you want to use a local copy of patch PR3788, set the path to it in the PR3788 variable
+#
+# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
+# PROJECT_NAME=openjdk
+# REPO_NAME=jdk17u
+# VERSION=jdk-17.0.3+5
+# or to eg prepare systemtap:
+# icedtea7's jstack and other tapsets
+# VERSION=6327cf1cea9e
+# REPO_NAME=icedtea7-2.6
+# PROJECT_NAME=release
+# OPENJDK_URL=http://icedtea.classpath.org/hg/
+# TO_COMPRESS="*/tapset"
+#
+# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set)
+
+# This script creates a single source tarball out of the repository
+# based on the given tag and removes code not allowed in fedora/rhel. For
+# consistency, the source tarball will always contain 'openjdk' as the top
+# level folder, name is created, based on parameter
+#
+
+if [ ! "x$PR3823" = "x" ] ; then
+ if [ ! -f "$PR3823" ] ; then
+ echo "You have specified PR3823 as $PR3823 but it does not exist. Exiting"
+ exit 1
+ fi
+fi
+
+set -e
+
+OPENJDK_URL_DEFAULT=https://github.com
+COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=12.0
+
+if [ "x$1" = "xhelp" ] ; then
+ echo -e "Behaviour may be specified by setting the following variables:\n"
+ echo "VERSION - the version of the specified OpenJDK project"
+ echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
+ echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
+ echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
+ echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
+ echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
+ echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
+ echo "PR3823 - the path to the PR3823 patch to apply (optional; downloaded if unavailable)"
+ exit 1;
+fi
+
+
+if [ "x$VERSION" = "x" ] ; then
+ echo "No VERSION specified"
+ exit -2
+fi
+echo "Version: ${VERSION}"
+
+# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT
+if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then
+ if [ "x$PROJECT_NAME" = "x" ] ; then
+ echo "No PROJECT_NAME specified"
+ exit -1
+ fi
+ echo "Project name: ${PROJECT_NAME}"
+ if [ "x$REPO_NAME" = "x" ] ; then
+ echo "No REPO_NAME specified"
+ exit -3
+ fi
+ echo "Repository name: ${REPO_NAME}"
+fi
+
+if [ "x$OPENJDK_URL" = "x" ] ; then
+ OPENJDK_URL=${OPENJDK_URL_DEFAULT}
+ echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}"
+else
+ echo "OpenJDK URL: ${OPENJDK_URL}"
+fi
+
+if [ "x$COMPRESSION" = "x" ] ; then
+ # rhel 5 needs tar.gz
+ COMPRESSION=${COMPRESSION_DEFAULT}
+fi
+echo "Creating a tar.${COMPRESSION} archive"
+
+if [ "x$FILE_NAME_ROOT" = "x" ] ; then
+ FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+ echo "No file name root specified; default to ${FILE_NAME_ROOT}"
+fi
+if [ "x$REPO_ROOT" = "x" ] ; then
+ REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git"
+ echo "No repository root specified; default to ${REPO_ROOT}"
+fi;
+
+if [ "x$TO_COMPRESS" = "x" ] ; then
+ TO_COMPRESS="openjdk"
+ echo "No to be compressed targets specified, ; default to ${TO_COMPRESS}"
+fi;
+
+if [ -d ${FILE_NAME_ROOT} ] ; then
+ echo "exists exists exists exists exists exists exists "
+ echo "reusing reusing reusing reusing reusing reusing "
+ echo ${FILE_NAME_ROOT}
+else
+ mkdir "${FILE_NAME_ROOT}"
+ pushd "${FILE_NAME_ROOT}"
+ echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
+ git clone -b ${VERSION} ${REPO_ROOT} openjdk
+ popd
+fi
+pushd "${FILE_NAME_ROOT}"
+ if [ -d openjdk/src ]; then
+ pushd openjdk
+ echo "Removing EC source code we don't build"
+ CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl
+ rm -vf ${CRYPTO_PATH}/ec2.h
+ rm -vf ${CRYPTO_PATH}/ec2_163.c
+ rm -vf ${CRYPTO_PATH}/ec2_193.c
+ rm -vf ${CRYPTO_PATH}/ec2_233.c
+ rm -vf ${CRYPTO_PATH}/ec2_aff.c
+ rm -vf ${CRYPTO_PATH}/ec2_mont.c
+ rm -vf ${CRYPTO_PATH}/ecp_192.c
+ rm -vf ${CRYPTO_PATH}/ecp_224.c
+
+ echo "Syncing EC list with NSS"
+ if [ "x$PR3823" = "x" ] ; then
+ # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ # Do not push it or publish it
+ echo "PR3823 not found. Downloading..."
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch
+ echo "Applying ${PWD}/pr3823.patch"
+ patch -Np1 < pr3823.patch
+ rm pr3823.patch
+ else
+ echo "Applying ${PR3823}"
+ patch -Np1 < $PR3823
+ fi;
+ find . -name '*.orig' -exec rm -vf '{}' ';'
+ popd
+ fi
+
+ # Generate .src-rev so build has knowledge of the revision the tarball was created from
+ mkdir build
+ pushd build
+ sh ${PWD}/../openjdk/configure
+ make store-source-revision
+ popd
+ rm -rf build
+
+ echo "Compressing remaining forest"
+ if [ "X$COMPRESSION" = "Xxz" ] ; then
+ SWITCH=cJf
+ else
+ SWITCH=czf
+ fi
+ tar --exclude-vcs -$SWITCH ${FILE_NAME_ROOT}.tar.${COMPRESSION} $TO_COMPRESS
+ mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} ..
+popd
+echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
diff --git a/icedtea_sync.sh b/icedtea_sync.sh
new file mode 100755
index 0000000..e5c54f3
--- /dev/null
+++ b/icedtea_sync.sh
@@ -0,0 +1,192 @@
+#!/bin/bash
+
+# Copyright (C) 2019 Red Hat, Inc.
+# Written by Andrew John Hughes .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+ICEDTEA_USE_VCS=true
+
+ICEDTEA_VERSION=3.15.0
+ICEDTEA_URL=https://icedtea.classpath.org/download/source
+ICEDTEA_SIGNING_KEY=CFDA0F9B35964222
+
+ICEDTEA_HG_URL=https://icedtea.classpath.org/hg/icedtea11
+
+set -e
+
+RPM_DIR=${PWD}
+if [ ! -f ${RPM_DIR}/jconsole.desktop.in ] ; then
+ echo "Not in RPM source tree.";
+ exit 1;
+fi
+
+if test "x${TMPDIR}" = "x"; then
+ TMPDIR=/tmp;
+fi
+WORKDIR=${TMPDIR}/it.sync
+
+echo "Using working directory ${WORKDIR}"
+mkdir ${WORKDIR}
+pushd ${WORKDIR}
+
+if test "x${WGET}" = "x"; then
+ WGET=$(which wget);
+ if test "x${WGET}" = "x"; then
+ echo "wget not found";
+ exit 1;
+ fi
+fi
+
+if test "x${TAR}" = "x"; then
+ TAR=$(which tar)
+ if test "x${TAR}" = "x"; then
+ echo "tar not found";
+ exit 2;
+ fi
+fi
+
+echo "Dependencies:";
+echo -e "\tWGET: ${WGET}";
+echo -e "\tTAR: ${TAR}\n";
+
+if test "x${ICEDTEA_USE_VCS}" = "xtrue"; then
+ echo "Mode: Using VCS";
+
+ if test "x${GREP}" = "x"; then
+ GREP=$(which grep);
+ if test "x${GREP}" = "x"; then
+ echo "grep not found";
+ exit 3;
+ fi
+ fi
+
+ if test "x${CUT}" = "x"; then
+ CUT=$(which cut);
+ if test "x${CUT}" = "x"; then
+ echo "cut not found";
+ exit 4;
+ fi
+ fi
+
+ if test "x${TR}" = "x"; then
+ TR=$(which tr);
+ if test "x${TR}" = "x"; then
+ echo "tr not found";
+ exit 5;
+ fi
+ fi
+
+ if test "x${HG}" = "x"; then
+ HG=$(which hg);
+ if test "x${HG}" = "x"; then
+ echo "hg not found";
+ exit 6;
+ fi
+ fi
+
+ echo "Dependencies:";
+ echo -e "\tGREP: ${GREP}";
+ echo -e "\tCUT: ${CUT}";
+ echo -e "\tTR: ${TR}";
+ echo -e "\tHG: ${HG}";
+
+ echo "Checking out repository from VCS...";
+ ${HG} clone ${ICEDTEA_HG_URL} icedtea
+
+ echo "Obtaining version from configure.ac...";
+ ROOT_VER=$(${GREP} '^AC_INIT' icedtea/configure.ac|${CUT} -d ',' -f 2|${TR} -d '[][:space:]')
+ echo "Root version from configure: ${ROOT_VER}";
+
+ VCS_REV=$(${HG} log -R icedtea --template '{node|short}' -r tip)
+ echo "VCS revision: ${VCS_REV}";
+
+ ICEDTEA_VERSION="${ROOT_VER}-${VCS_REV}"
+ echo "Creating icedtea-${ICEDTEA_VERSION}";
+ mkdir icedtea-${ICEDTEA_VERSION}
+ echo "Copying required files from checkout to icedtea-${ICEDTEA_VERSION}";
+ # Commented out for now as IcedTea 6's jconsole.desktop.in is outdated
+ #cp -a icedtea/jconsole.desktop.in ../icedtea-${ICEDTEA_VERSION}
+ cp -a ${RPM_DIR}/jconsole.desktop.in icedtea-${ICEDTEA_VERSION}
+ cp -a icedtea/tapset icedtea-${ICEDTEA_VERSION}
+
+ rm -rf icedtea
+else
+ echo "Mode: Using tarball";
+
+ if test "x${ICEDTEA_VERSION}" = "x"; then
+ echo "No IcedTea version specified for tarball download.";
+ exit 3;
+ fi
+
+ if test "x${CHECKSUM}" = "x"; then
+ CHECKSUM=$(which sha256sum)
+ if test "x${CHECKSUM}" = "x"; then
+ echo "sha256sum not found";
+ exit 4;
+ fi
+ fi
+
+ if test "x${PGP}" = "x"; then
+ PGP=$(which gpg)
+ if test "x${PGP}" = "x"; then
+ echo "gpg not found";
+ exit 5;
+ fi
+ fi
+
+ echo "Dependencies:";
+ echo -e "\tCHECKSUM: ${CHECKSUM}";
+ echo -e "\tPGP: ${PGP}\n";
+
+ echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}...";
+ if ! gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then
+ echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed.";
+ exit 6;
+ fi
+
+ echo "Downloading IcedTea release tarball...";
+ ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz
+ echo "Downloading IcedTea tarball signature...";
+ ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+ echo "Downloading IcedTea tarball checksums...";
+ ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256
+
+ echo "Verifying checksums...";
+ ${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256
+
+ echo "Checking signature...";
+ ${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+
+ echo "Extracting files...";
+ ${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \
+ icedtea-${ICEDTEA_VERSION}/tapset \
+ icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in
+
+ rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz
+ rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+ rm -vf icedtea-${ICEDTEA_VERSION}.sha256
+fi
+
+echo "Replacing desktop files...";
+mv -v icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in ${RPM_DIR}
+
+echo "Creating new tapset tarball...";
+mv -v icedtea-${ICEDTEA_VERSION} openjdk
+${TAR} cJf ${RPM_DIR}/tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz openjdk
+
+rm -rvf openjdk
+
+popd
+rm -rf ${WORKDIR}
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
new file mode 100644
index 0000000..173459c
--- /dev/null
+++ b/java-17-openjdk-portable.spec
@@ -0,0 +1,1708 @@
+#FOR TESTING ONLY! REMOVE!
+%define rhel %{nil}
+
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# portable jdk 17 specific bug, _jvmdir being missing
+%define _jvmdir /usr/lib/jvm
+%endif
+
+# debug_package %%{nil} is portable-jdks specific
+%define debug_package %{nil}
+
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-17-openjdk.spec
+#
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
+
+
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# This is RHEL 7 specific as it doesn't seem to have the
+# __brp_strip_static_archive macro.
+%define __os_install_post %{nil}
+%endif
+
+%global unpacked_licenses %{_datarootdir}/licenses
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# With LTO flags enabled, debuginfo checks fail for some reason. Disable
+# LTO for a passing build. This really needs to be looked at.
+%define _lto_cflags %{nil}
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
+# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
+%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libsvml.so)
+%global svml_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+# s390x fails on RHEL 7 so we exclude it there
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches}
+%else
+%global gdb_arches %{jit_arches} %{zero_arches}
+%endif
+
+# By default, we build a debug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%else
+%global use_shenandoah_hotspot 0
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
+%global debug_symbols internal
+
+# unlike portables,the rpms have to use static_libs_target very dynamically
+%global bootstrap_targets images legacy-jre-image
+%global release_targets images docs-zip legacy-jre-image
+# No docs nor bootcycle for debug builds
+%global debug_targets images legacy-jre-image
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+# always off for portable builds
+%ifarch %{systemtap_arches}
+%global with_systemtap 0
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 17
+%global interimver 0
+%global updatever 6
+%global patchver 0
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver %{featurever}
+# We don't add any LTS designator for STS packages (Fedora and EPEL).
+# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
+%if 0%{?rhel} && !0%{?epel}
+ %global lts_designator "LTS"
+ %global lts_designator_zip -%{lts_designator}
+%else
+ %global lts_designator ""
+ %global lts_designator_zip ""
+%endif
+
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 0bd5ca9ccc5
+
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{origin}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 1
+%global rpmrelease 1
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 0
+%if %{is_ga}
+%global build_type GA
+%global ea_designator ""
+%global ea_designator_zip ""
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global build_type EA
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# installation directory for static libraries
+%global static_libs_root lib/static
+%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
+%global static_libs_install_dir %{static_libs_arch_dir}/glibc
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+# portable only declarations
+%global jreimage jre
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.jre.;g" | sed "s;openjdkportable;el;g")
+%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.jdk.;g" | sed "s;openjdkportable;el;g")
+%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.static-libs.;g" | sed "s;openjdkportable;el;g")
+%else
+%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.jre;g" | sed "s;openjdkportable;el;g")
+%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.jdk;g" | sed "s;openjdkportable;el;g")
+%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.static-libs;g" | sed "s;openjdkportable;el;g")
+%endif
+%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz}
+%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz}
+%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz}
+%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}}
+%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
+# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on
+# top of the JDK archive
+%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for any debug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific sub-dir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinguish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka target_cpu as architecture specific directory name.
+%global tapsetroot /usr/share/systemtap
+%global tapsetdirttapset %{tapsetroot}/tapset/
+%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
+%endif
+
+# x86 is no longer supported
+%if 0%{?java_arches:1}
+ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
+
+# Portables have no rpo (requires/provides), but thsoe are awesome for orientation in spec
+# also scriptlets are hapily missing and files are handled old fashion
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+}
+
+%define java_devel_rpo() %{expand:
+}
+
+%define java_static_libs_rpo() %{expand:
+}
+
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+# portables have grown out of its component, moving back to java-x-vendor
+# this expression, when declared as global, filled component with java-x-vendor portable
+%define component %(echo %{name} | sed "s;-portable;;g")
+
+Name: java-%{javaver}-%{origin}-portable
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition
+# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+
+# The source tarball, generated using generate_source_tarball.sh
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+# Disabled in portables
+#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+# Disabled in portables
+#Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+# Disabled in portables
+#Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# boot jdk for portable build root on
+Source1001: ojdk17-aarch64-17.35.tar.gz
+Source1002: ojdk17-ppc64le-17.35.tar.gz
+Source1003: ojdk17-x86_64-17.35.tar.gz
+Source1004: ojdk17-s390x-17.35.tar.gz
+%endif
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
+# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+# RH1996182: Login to the NSS software token in FIPS mode
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+# RH2021263: Resolve outstanding FIPS issues
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores
+# RH2020290: Support TLS 1.3 in FIPS mode
+Patch1001: fips-17u-%{fipsver}.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
+#
+#############################################
+# JDK-8293834: Update CLDR data following tzdata 2022c update
+Patch2001: jdk8293834-kyiv_cldr_update.patch
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: freetype-devel
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+BuildRequires: devtoolset-8-gcc
+BuildRequires: devtoolset-8-gcc-c++
+%else
+BuildRequires: gcc
+# gcc-c++ is already needed
+BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
+BuildRequires: gcc-c++
+BuildRequires: gdb
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# rhel7 only, portables only. Rhel8 have gtk3, rpms have runtime recommends of gtk
+BuildRequires: gtk2-devel
+%endif
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
+# Requirement for system security property test
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+BuildRequires: crypto-policies
+%endif
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+# to pack portable tarballs
+BuildRequires: tar
+BuildRequires: unzip
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# No javapackages-filesystem on el7,nor is needed for portables
+%else
+BuildRequires: javapackages-filesystem
+BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
+
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# 2022e required as of JDK-8295173
+BuildRequires: tzdata-java >= 2022e
+
+# cacerts build requirement in portable mode
+BuildRequires: ca-certificates
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.1
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 4.4.1
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment - portable edition.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment portable edition.
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on}
+%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
+Group: Development/Tools
+%endif
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools - portable edition.
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition.
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%prep
+
+echo "Preparing %{oj_vendor_version}"
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
+%else
+ %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+
+%if %{system_libs}
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+%endif
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch6 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
+# tzdata updates targetted for 17.0.6
+%patch2001 -p1
+popd # openjdk
+
+%patch600
+
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ exit 17
+fi
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+ sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
+%else
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# Portables do not have desktop integration
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+
+%build
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+mkdir bootjdk
+pushd bootjdk
+%ifarch %{aarch64}
+tar --strip-components=1 -xf %{SOURCE1001}
+%endif
+%ifarch %{ppc64le}
+tar --strip-components=1 -xf %{SOURCE1002}
+%endif
+%ifarch x86_64
+tar --strip-components=1 -xf %{SOURCE1003}
+%endif
+%ifarch s390x
+tar --strip-components=1 -xf %{SOURCE1004}
+%endif
+BOOT_JDK=$PWD
+popd
+%else
+BOOT_JDK=%{bootjdk}
+%endif
+
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS
+
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+ # This must be set using the global, so that the
+ # static libraries still use a dynamic stdc++lib
+ if [ "x%{link_type}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
+ echo "Using output directory: ${outputdir}";
+ echo "Checking build JDK ${buildjdk} is operational..."
+ ${buildjdk}/bin/java -version
+ echo "Using make targets: ${maketargets}"
+ echo "Using debuglevel: ${debuglevel}"
+ echo "Using link_opt: ${link_opt}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+ mkdir -p ${outputdir}
+ pushd ${outputdir}
+
+ # Note: zlib and freetype use %{link_type}
+ # rather than ${link_opt} as the system versions
+ # are always used in a system_libs build, even
+ # for the static library build
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+ scl enable devtoolset-8 -- bash ${top_dir_abs_src_path}/configure \
+%else
+ bash ${top_dir_abs_src_path}/configure \
+%endif
+%ifarch %{zero_arches}
+ --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+%endif
+ --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \
+ --with-version-build=%{buildver} \
+ --with-version-pre="%{ea_designator}" \
+ --with-version-opt=%{lts_designator} \
+ --with-vendor-version-string="%{oj_vendor_version}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
+ --with-boot-jdk=${buildjdk} \
+ --with-debug-level=${debuglevel} \
+ --with-native-debug-symbols="%{debug_symbols}" \
+ --disable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=%{link_type} \
+ --with-freetype=%{link_type} \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=${libc_link_opt} \
+ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+ --with-extra-cflags="$EXTRA_CFLAGS" \
+ --with-extra-ldflags="%{ourldflags}" \
+ --with-num-cores="$NUM_PROC" \
+ --with-source-date="${SOURCE_DATE_EPOCH}" \
+ --disable-javac-server \
+%ifarch %{zgc_arches}
+ --with-jvm-features=zgc \
+%endif
+ --disable-warnings-as-errors
+
+ cat spec.gmk
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+ scl enable devtoolset-8 -- make \
+%else
+ make \
+%endif
+ LOG=trace \
+ WARNINGS_ARE_ERRORS="-Wno-error" \
+ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
+ $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
+
+ popd
+}
+
+function installjdk() {
+ local imagepath=${1}
+
+ if [ -d ${imagepath} ] ; then
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
+
+ # Rename OpenJDK cacerts database
+ mv ${imagepath}/lib/security/cacerts{,.upstream}
+ # Install cacerts symlink needed by some apps which hard-code the path
+ ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+ fi
+}
+
+# Checks on debuginfo must be performed before the files are stripped
+# by the RPM installation stage
+function debugcheckjdk() {
+ local imagepath=${1}
+
+ if [ -d ${imagepath} ] ; then
+
+ so_suffix="so"
+ # Check debug symbols are present and can identify code
+ find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+ do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp and .S files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+ done
+
+ # Make sure gdb can do a backtrace based on line numbers on libjvm.so
+ # javaCalls.cpp:58 should map to:
+ # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+ # Using line number 1 might cause build problems. See:
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+ gdb -q "${imagepath}/bin/java" < ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum
+ tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"}
+ sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum
+ # copy licenses so they are avialable out of tarball
+ cp -rf %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal
+ mv %{jdkportablename -- "$nameSuffix"} %{jdkimage}
+ mv %{jreportablename -- "$nameSuffix"} %{jreimage}
+ popd #images
+%if %{include_staticlibs}
+ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}
+ pushd ${top_dir_abs_staticlibs_build_path}/images
+ # Static libraries (needed for building graal vm with native image)
+ # Tar as overlay. Transform to the JDK name, since we just want to "add"
+ # static libraries to that folder
+ portableJDKname=%{staticlibsportablename -- "$nameSuffix"}
+ tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
+ sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum
+ popd #staticlibs-images
+%endif
+################################################################################
+# note, currently no debuginfo, consult portbale spec for external (zipped) debuginfo, being tarred alone
+################################################################################
+
+# build cycles
+done # end of release / debug cycle loop
+
+%install
+STRIP_KEEP_SYMTAB=libjvm*
+
+
+for suffix in %{build_loop} ; do
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+if [ "fixme" == "todo" ] ; then #todo, extract some parts to build, drop the rest - but keep it in rpms after repack
+
+# done in build
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+%endif
+jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+# tbd in rpms
+# Install the jdk
+mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
+
+pushd ${jdk_image}
+
+# tbd in rpms
+%if %{with_systemtap}
+ # Install systemtap support files
+ install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset
+ # note, that uniquesuffix is in BUILD dir in this case
+ cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/
+ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/
+ tapsetFiles=`ls *.stp`
+ popd
+ install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
+ for name in $tapsetFiles ; do
+ targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
+ ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
+ done
+%endif
+
+# tbd in rpms
+ # Install version-ed symlinks
+ pushd $RPM_BUILD_ROOT%{_jvmdir}
+ ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
+ popd
+
+# todo fix in build
+ # Install man pages
+ install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1
+ for manpage in man/man1/*
+ do
+ # Convert man pages to UTF8 encoding
+ iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp
+ mv -f $manpage.tmp $manpage
+ install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \
+ $manpage .1)-%{uniquesuffix -- $suffix}.1
+ done
+ # Remove man pages from jdk image
+ rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
+
+popd
+
+# done in build
+# Install static libs artefacts
+%if %{include_staticlibs}
+mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
+cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
+ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
+%endif
+
+# todo fix in build
+if ! echo $suffix | grep -q "debug" ; then
+ # Install Javadoc documentation
+ install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
+ cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
+ built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+ cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \
+ $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/
+fi
+
+# todo fix in build
+# Install release notes
+commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
+install -d -m 755 ${commondocdir}
+cp -a %{SOURCE10} ${commondocdir}
+
+# Install icons and menu entries
+for s in 16 24 32 48 ; do
+ install -D -p -m 644 \
+ %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \
+ $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png
+done
+
+# tbd in rpms
+# Install desktop files
+install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps}
+for e in jconsole$suffix ; do
+ desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \
+ --dir=$RPM_BUILD_ROOT%{_datadir}/applications $e.desktop
+done
+
+# tbd in rpms
+# Install /etc/.java/.systemPrefs/ directory
+# See https://bugzilla.redhat.com/show_bug.cgi?id=741821
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs
+
+# todo fix in build
+# copy samples next to demos; samples are mostly js files
+cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/
+
+
+# tbd in rpms
+# moving config files to /etc
+mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
+mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
+mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
+mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
+pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
+ ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf
+popd
+pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
+ ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security
+popd
+# end moving files to /etc
+
+# todo fix in build
+# stabilize permissions
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+
+fi # fixme, todo
+
+################################################################################
+ if [ "x$suffix" == "x" ] ; then
+ nameSuffix=""
+ else
+ nameSuffix=`echo "$suffix"| sed s/-/./`
+ fi
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+ mv ../%{jdkportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{jdkportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{jreportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{jreportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+%if %{include_staticlibs}
+ mv ../%{staticlibsportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+%endif
+ if [ "x$suffix" == "x" ] ; then
+ dnameSuffix="$nameSuffix".debuginfo
+# todo handle debuginfo, see note at build (we will need to pack one stripped and one unstripped release build)
+# mv ../%{jdkportablearchive -- "$dnameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+# mv ../%{jdkportablearchive -- "$dnameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+ fi
+################################################################################
+# end, dual install
+done
+################################################################################
+# the licenses are packed onloy once and shared
+mkdir -p $RPM_BUILD_ROOT%{unpacked_licenses}
+mv ../%{jdkportablearchive -- "%{normal_suffix}"}-legal $RPM_BUILD_ROOT%{unpacked_licenses}/%{jdkportablearchive -- "%{normal_suffix}"}
+# To show sha in the build log
+for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do ls -l $file ; cat $file ; done
+################################################################################
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+# Tests in the check stage are performed on the installed image
+# rpmbuild operates as follows: build -> install -> test
+# however in portbales, we test built image instead of installed one
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_main_build_path}/../../%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}/images/static-libs/lib/
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
+%endif
+
+# Check src.zip has all sources. See RHBZ#1130490
+$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
+
+# Check class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
+
+# Check generated class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+
+# build cycles check
+done
+
+%if %{include_normal_build}
+%files
+# main package builds always
+%{_jvmdir}/%{jreportablearchive -- %%{nil}}
+%{_jvmdir}/%{jreportablearchive -- %%{nil}}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+%else
+%files
+# placeholder
+%endif
+
+%files devel
+%{_jvmdir}/%{jdkportablearchive -- %%{nil}}
+#%{_jvmdir}/%{jdkportablearchive -- .debuginfo}
+%{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum
+#%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+
+%if %{include_staticlibs}
+%files static-libs
+%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}
+%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+%endif
+
+%if %{include_debug_build}
+%files slowdebug
+%{_jvmdir}/%{jreportablearchive -- .slowdebug}
+%{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+
+%files devel-slowdebug
+%{_jvmdir}/%{jdkportablearchive -- .slowdebug}
+%{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}
+%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+%endif
+%endif
+
+%if %{include_fastdebug_build}
+%files fastdebug
+%{_jvmdir}/%{jreportablearchive -- .fastdebug}
+%{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+
+%files devel-fastdebug
+%{_jvmdir}/%{jdkportablearchive -- .fastdebug}
+%{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}
+%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
+%endif
+%endif
+
+%changelog
+* Mon Oct 31 2022 Jiri Vanek - 1:17.0.5.0.8-2
+- initial import
+
diff --git a/jconsole.desktop.in b/jconsole.desktop.in
new file mode 100644
index 0000000..8a3b04d
--- /dev/null
+++ b/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
+Exec=_SDKBINDIR_/jconsole
+Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0
diff --git a/jdk8293834-kyiv_cldr_update.patch b/jdk8293834-kyiv_cldr_update.patch
new file mode 100644
index 0000000..b8dda24
--- /dev/null
+++ b/jdk8293834-kyiv_cldr_update.patch
@@ -0,0 +1,51 @@
+diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml
+index 41ff6d236c8..e703020dcdd 100644
+--- a/make/data/cldr/common/bcp47/timezone.xml
++++ b/make/data/cldr/common/bcp47/timezone.xml
+@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html
+
+
+
+-
++
+
+
+
+diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+index eb56c087ad6..e398af3c151 100644
+--- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
++++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+@@ -23,7 +23,7 @@
+
+ /*
+ * @test
+- * @bug 8181157 8202537 8234347 8236548 8261279
++ * @bug 8181157 8202537 8234347 8236548 8261279 8293834
+ * @modules jdk.localedata
+ * @summary Checks CLDR time zone names are generated correctly at runtime
+ * @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest
+@@ -102,6 +102,24 @@ public class TimeZoneNamesTest {
+ "UTC+04:00",
+ "heure : Astrakhan",
+ "UTC+04:00"},
++ {"Europe/Kyiv", Locale.US, "Eastern European Standard Time",
++ "GMT+02:00",
++ "Eastern European Summer Time",
++ "GMT+03:00",
++ "Eastern European Time",
++ "GMT+02:00"},
++ {"Europe/Kyiv", Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est",
++ "UTC+02:00",
++ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est",
++ "UTC+03:00",
++ "heure d\u2019Europe de l\u2019Est",
++ "UTC+02:00"},
++ {"Europe/Kyiv", Locale.GERMANY, "Osteurop\u00e4ische Normalzeit",
++ "OEZ",
++ "Osteurop\u00e4ische Sommerzeit",
++ "OESZ",
++ "Osteurop\u00e4ische Zeit",
++ "OEZ"},
+ {"Europe/Saratov", Locale.US, "Saratov Standard Time",
+ "GMT+04:00",
+ "Saratov Daylight Time",
diff --git a/nss.cfg.in b/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
new file mode 100644
index 0000000..2d9ec35
--- /dev/null
+++ b/nss.fips.cfg.in
@@ -0,0 +1,8 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
+
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
diff --git a/openjdk_news.sh b/openjdk_news.sh
new file mode 100755
index 0000000..560b356
--- /dev/null
+++ b/openjdk_news.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes , 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+SUBDIR=$3
+REPO=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+ echo "No subdirectory specified; using .";
+ SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+ echo "No repository specified; using ${PWD}"
+ REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+ TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+ TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+ TYPE=hg;
+else
+ echo "No Mercurial or Git repository detected.";
+ exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+ echo "ERROR: Need to specify old and new release";
+ exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+ if test "x$TYPE" = "xhg"; then
+ hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \
+ sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2;
+ hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3;
+ else
+ git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+ sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2;
+ touch ${TMPDIR}/fixes3 ; # unused
+ fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh
new file mode 100644
index 0000000..25c2fc8
--- /dev/null
+++ b/remove-intree-libraries.sh
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+# Arguments:
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib & freetype having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+ echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
+
+# Minimal is limited to just zlib and freetype so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..3042186
--- /dev/null
+++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+ toolkit = new HeadlessToolkit(toolkit);
+ }
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..6d2342a
--- /dev/null
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,12 @@
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index adfaf57d29e..abf89bbf327 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
+ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # Security providers used when FIPS mode support is active
diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # Determines whether this properties file can be appended to
diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
new file mode 100644
index 0000000..5e2b254
--- /dev/null
+++ b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@@ -0,0 +1,13 @@
+--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100
++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+
+ private final static String PROP_NAME = "sun.security.smartcardio.library";
+
+- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+ private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+
+ PlatformPCSC() {
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..88f5e5a
--- /dev/null
+++ b/rh1750419-redhat_alt_java.patch
@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+ OPTIMIZATION := HIGH, \
+ ))
+
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++ OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+ $(eval $(call SetupBuildLauncher, javaw, \
+ CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL 52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL 53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS 0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED 0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++ if ( prctl(PR_SET_SPECULATION_CTRL,
++ PR_SPEC_STORE_BYPASS,
++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++ return;
++ }
++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+
diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
new file mode 100644
index 0000000..1b706a1
--- /dev/null
+++ b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+ /* and fill it in */
+ dst_ptr = icc_data;
+ for (seq_no = first; seq_no < last; seq_no++) {
+- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ unsigned int length =
+ icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+
diff --git a/sources b/sources
new file mode 100644
index 0000000..a4137ba
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
+SHA512 (openjdk-jdk17u-jdk-17.0.6+1.tar.xz) = eceba28c43d2b5b3172df828faca2a8068067d133a14ca003978bae6405c0ac00d34dafa0f1b123049b13df1555b1b38af0ae89969ac927c1a2a441ed0b3febc