From 66ad6936e18a13fc11b0d47dfe337ee4d4ead1f7 Mon Sep 17 00:00:00 2001
From: Gwyn Ciesla
Date: Tue, 7 Dec 2021 14:28:28 +0000
Subject: [PATCH 01/61] Added the README
---
README.md | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b11f5d3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# java-17-openjdk
+
+The java-17-openjdk package
From f32499609c2a8c0f4e91ecefab86feddf7585cc3 Mon Sep 17 00:00:00 2001
From: Jiri Vanek Date: Tue, 7 Dec 2021 15:45:09 +0100 Subject: [PATCH 02/61] Initial load --- .gitignore | 2 + NEWS | 619 +++++ TestCryptoLevel.java | 72 + TestECDSA.java | 49 + TestSecurityProperties.java | 43 + java-17-openjdk.spec | 2360 +++++++++++++++++ jconsole.desktop.in | 10 + ...e_libsyslookup_causes_tooling_issues.patch | 21 + nss.cfg.in | 5 + nss.fips.cfg.in | 6 + ...ort_fedora_rhel_system_crypto_policy.patch | 88 + pr3695-toggle_system_crypto_policy.patch | 78 + remove-intree-libraries.sh | 157 ++ ...sible_toolkit_crash_do_not_break_jvm.patch | 16 + ...ut_nss_cfg_provider_to_java_security.patch | 12 + ...va_access_bridge_privileged_security.patch | 20 + rh1655466-global_crypto_and_fips.patch | 205 ++ ...lite-libs_instead_of_pcsc-lite-devel.patch | 13 + rh1750419-redhat_alt_java.patch | 117 + rh1818909-fips_default_keystore_type.patch | 52 + rh1860986-disable_tlsv1.3_in_fips_mode.patch | 318 +++ ...lways_initialise_configurator_access.patch | 70 + ...-dont_define_unused_throwioexception.patch | 69 + rh1929465-improve_system_FIPS_detection.patch | 428 +++ rh1991003-enable_fips_keys_import.patch | 579 ++++ rh1995150-disable_non-fips_crypto.patch | 596 +++++ rh1996182-extend_security_policy.patch | 18 + rh1996182-login_to_nss_software_token.patch | 65 + ...eg_turbo_1_4_compat_for_jdk10_and_up.patch | 19 + sources | 2 + 30 files changed, 6109 insertions(+) create mode 100644 .gitignore create mode 100644 NEWS create mode 100644 TestCryptoLevel.java create mode 100644 TestECDSA.java create mode 100644 TestSecurityProperties.java create mode 100644 java-17-openjdk.spec create mode 100644 jconsole.desktop.in create mode 100644 jdk8276572-fake_libsyslookup_causes_tooling_issues.patch create mode 100644 nss.cfg.in create mode 100644 nss.fips.cfg.in create mode 100644 pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch create mode 100644 pr3695-toggle_system_crypto_policy.patch create mode 100644 remove-intree-libraries.sh create mode 100644 
rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch create mode 100644 rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch create mode 100644 rh1648644-java_access_bridge_privileged_security.patch create mode 100644 rh1655466-global_crypto_and_fips.patch create mode 100644 rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch create mode 100644 rh1750419-redhat_alt_java.patch create mode 100644 rh1818909-fips_default_keystore_type.patch create mode 100644 rh1860986-disable_tlsv1.3_in_fips_mode.patch create mode 100644 rh1915071-always_initialise_configurator_access.patch create mode 100644 rh1929465-dont_define_unused_throwioexception.patch create mode 100644 rh1929465-improve_system_FIPS_detection.patch create mode 100644 rh1991003-enable_fips_keys_import.patch create mode 100644 rh1995150-disable_non-fips_crypto.patch create mode 100644 rh1996182-extend_security_policy.patch create mode 100644 rh1996182-login_to_nss_software_token.patch create mode 100644 rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cd592ed --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +/openjdk-jdk17u-jdk-17.0.1+12.tar.xz +/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..9d37ff9 --- /dev/null +++ b/NEWS 
@@ -0,0 +1,619 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 17.0.1 (2021-10-19): +=========================================== +Live versions of these release notes can be found at: + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt + +* Security fixes + - JDK-8263314: Enhance XML Dsig modes + - JDK-8265167, CVE-2021-35556: Richer Text Editors + - JDK-8265574: Improve handling of sheets + - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit + - JDK-8265776: Improve Stream handling for SSL + - JDK-8266097, CVE-2021-35561: Better hashing support + - JDK-8266103: Better specified spec values + - JDK-8266109: More Resilient Classloading + - JDK-8266115: More Manifest Jar Loading + - JDK-8266137, CVE-2021-35564: Improve Keystore integrity + - JDK-8266689, CVE-2021-35567: More Constrained Delegation + - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic + - JDK-8267712: Better LDAP reference processing + - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking + - JDK-8267735, CVE-2021-35586: Better BMP support + - JDK-8268193: Improve requests of certificates + - JDK-8268199: Correct certificate requests + - JDK-8268205: Enhance DTLS client handshake + - JDK-8268500: Better specified ParameterSpecs + - JDK-8268506: More Manifest Digests + - JDK-8269618, CVE-2021-35603: Better session identification + - JDK-8269624: Enhance method selection support + - JDK-8270398: Enhance canonicalization + - JDK-8270404: Better canonicalization +* Other changes + - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8261088: 
Repeatable annotations without @Target cannot have containers that target module declarations + - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" + - JDK-8263531: Remove unused buffer int + - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java + - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type + - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file + - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. + - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance + - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms + - JDK-8269297: Bump version numbers for JDK 17.0.1 + - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient + - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events + - JDK-8269763: The JEditorPane is blank after JDK-8265167 + - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers + - JDK-8269882: stack-use-after-scope in NewObjectA + - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible + - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status + - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags + - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations + - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode + - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert + - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup + - JDK-8270280: 
security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error + - JDK-8270344: Session resumption errors + - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added + - JDK-8271276: C2: Wrong JVM state used for receiver null check + - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 + - JDK-8271589: fatal error with variable shift count integer rotate operation. + - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java + - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests + - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier + - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon + - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj + - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails + - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 + - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 + - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 + - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used + - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 + - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled + - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed + - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8271434: Removed IdenTrust Root Certificate +=============================================== +The following 
root certificate from IdenTrust has been removed from +the `cacerts` keystore: + +Alias Name: identrustdstx3 [jdk] +Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. + +New in release OpenJDK 17.0.0 (2021-09-14): +=========================================== +The full list of changes in the interim releases from 11u to 17u can be found at: + * https://builds.shipilev.net/backports-monitor/release-notes-12.txt + * https://builds.shipilev.net/backports-monitor/release-notes-13.txt + * https://builds.shipilev.net/backports-monitor/release-notes-14.txt + * https://builds.shipilev.net/backports-monitor/release-notes-15.txt + * https://builds.shipilev.net/backports-monitor/release-notes-16.txt + * https://builds.shipilev.net/backports-monitor/release-notes-17.txt + +Major changes are listed below. Some changes may have been backported +to earlier releases following their first appearance in OpenJDK 12 +through to 17. + +NEW FEATURES +============ + +Language Features +================= + +Switch Expressions +================== +https://openjdk.java.net/jeps/325 +https://openjdk.java.net/jeps/354 +https://openjdk.java.net/jeps/361 + +Extend the `switch` statement so that it can be used as either a +statement or an expression, and that both forms can use either a +"traditional" or "simplified" scoping and control flow behavior. Both +forms can use either traditional `case ... :` labels (with fall +through) or new `case ... ->` labels (with no fall through), with a +further new statement for yielding a value from a `switch` +expression. These changes will simplify everyday coding, and also +prepare the way for the use of pattern matching in `switch`. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 12 & 13 and became final in OpenJDK 14. + +Text Blocks +=========== +https://openjdk.java.net/jeps/355 +https://openjdk.java.net/jeps/368 +https://openjdk.java.net/jeps/378 + +Add text blocks to the Java language. 
A text block is a multi-line +string literal that avoids the need for most escape sequences, +automatically formats the string in a predictable way, and gives the +developer control over format when desired. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 13 & 14 and became final in OpenJDK 15. + +Pattern Matching for instanceof +=============================== +https://openjdk.java.net/jeps/305 +https://openjdk.java.net/jeps/375 +https://openjdk.java.net/jeps/394 +http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html + +Enhance the Java programming language with pattern matching for the +`instanceof` operator. Pattern matching allows common logic in a +program, namely the conditional extraction of components from objects, +to be expressed more concisely and safely. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 14 & 15 and became final in OpenJDK 16. + +Records +======= +https://openjdk.java.net/jeps/359 +https://openjdk.java.net/jeps/384 +https://openjdk.java.net/jeps/395 + +Enhance the Java programming language with records. Records provide a +compact syntax for declaring classes which are transparent holders for +shallowly immutable data. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 14 & 15 and became final in OpenJDK 16. + +Sealed Classes +============== +https://openjdk.java.net/jeps/360 +https://openjdk.java.net/jeps/397 +https://openjdk.java.net/jeps/409 +https://cr.openjdk.java.net/~briangoetz/amber/datum.html + +Enhance the Java programming language with sealed classes and +interfaces. Sealed classes and interfaces restrict which other classes +or interfaces may extend or implement them. + +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 15 & 16 and became final in OpenJDK 17. 
+ +Restore Always-Strict Floating-Point Semantics +============================================== +https://openjdk.java.net/jeps/306 + +Make floating-point operations consistently strict, rather than have +both strict floating-point semantics (`strictfp`) and subtly different +default floating-point semantics. This will restore the original +floating-point semantics to the language and VM, matching the +semantics before the introduction of strict and default floating-point +modes in Java SE 1.2. + +Pattern Matching for switch +=========================== +https://openjdk.java.net/jeps/406 + +Enhance the Java programming language with pattern matching for +`switch` expressions and statements, along with extensions to the +language of patterns. Extending pattern matching to `switch` allows an +expression to be tested against a number of patterns, each with a +specific action, so that complex data-oriented queries can be +expressed concisely and safely. + +This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK +17. + +Library Features +================ + +JVM Constants API +================= +https://openjdk.java.net/jeps/334 + +Introduce an API to model nominal descriptions of key class-file and +run-time artifacts, in particular constants that are loadable from the +constant pool. + +Reimplement the Legacy Socket API +================================= +https://openjdk.java.net/jeps/353 + +Replace the underlying implementation used by the `java.net.Socket` +and `java.net.ServerSocket` APIs with a simpler and more modern +implementation that is easy to maintain and debug. The new +implementation will be easy to adapt to work with user-mode threads, +a.k.a. fibers, currently being explored in Project Loom +(https://openjdk.java.net/projects/loom). + +JFR Event Streaming +=================== +https://openjdk.java.net/jeps/349 + +Expose JDK Flight Recorder data for continuous monitoring. 
+ +Non-Volatile Mapped Byte Buffers +================================ +https://openjdk.java.net/jeps/352 + +Add new JDK-specific file mapping modes so that the `FileChannel` API +can be used to create `MappedByteBuffer` instances that refer to +non-volatile memory. + +Helpful NullPointerExceptions +============================= +https://openjdk.java.net/jeps/358 + +Improve the usability of `NullPointerException`s generated by the JVM +by describing precisely which variable was `null`. + +Foreign-Memory Access API +========================= +https://openjdk.java.net/jeps/370 +https://openjdk.java.net/jeps/383 +https://openjdk.java.net/jeps/393 + +Introduce an API to allow Java programs to safely and efficiently +access foreign memory outside of the Java heap. + +This was a incubation feature (https://openjdk.java.net/jeps/11) in +OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory +API in OpenJDK 17 (see below). + +Edwards-Curve Digital Signature Algorithm (EdDSA) +================================================= +https://openjdk.java.net/jeps/339 + +Implement cryptographic signatures using the Edwards-Curve Digital +Signature Algorithm (EdDSA) as described by RFC 8032 +(https://tools.ietf.org/html/rfc8032). + +Hidden Classes +============== +https://openjdk.java.net/jeps/371 + +Introduce hidden classes, which are classes that cannot be used +directly by the bytecode of other classes. Hidden classes are intended +for use by frameworks that generate classes at run time and use them +indirectly, via reflection. A hidden class may be defined as a member +of an access control nest (https://openjdk.java.net/jeps/181), and may +be unloaded independently of other classes. 
+ +Reimplement the Legacy DatagramSocket API +========================================= +https://openjdk.java.net/jeps/373 + +Replace the underlying implementations of the +`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with +simpler and more modern implementations that are easy to maintain and +debug. The new implementations will be easy to adapt to work with +virtual threads, currently being explored in Project Loom +(https://openjdk.java.net/projects/loom). This is a follow-on to JEP +353 (see above), which already reimplemented the legacy Socket API. + +Vector API +========== +https://openjdk.java.net/jeps/338 +https://openjdk.java.net/jeps/414 + +Provide an initial iteration of an incubator module, +`jdk.incubator.vector`, to express vector computations that reliably +compile at runtime to optimal vector hardware instructions on +supported CPU architectures and thus achieve superior performance to +equivalent scalar computations. + +This is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16. + +Unix-Domain Socket Channels +=========================== +https://openjdk.java.net/jeps/380 + +Add Unix-domain (`AF_UNIX`) socket support to the socket channel and +server-socket channel APIs in the `java.nio.channels` package. Extend +the inherited channel mechanism to support Unix-domain socket channels +and server socket channels. + +Foreign Linker API (Incubator) +============================== +https://openjdk.java.net/jeps/389 + +Introduce an API that offers statically-typed, pure-Java access to +native code. This API, together with the Foreign-Memory API (see +above), will considerably simplify the otherwise error-prone process +of binding to a native library. + +This was an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 16, now superseded by the Foreign Function & +Memory API in OpenJDK 17 (see below). 
+ +Strongly Encapsulate JDK Internals by Default +============================================= +https://openjdk.java.net/jeps/396 +https://openjdk.java.net/jeps/403 + +Strongly encapsulate all internal elements of the JDK by default, +except for critical internal APIs such as `sun.misc.Unsafe`. It will +no longer be possible to relax the strong encapsulation of internal +elements via a single command-line option, as was possible in OpenJDK +9 through 16. + +Enhanced Pseudo-Random Number Generators +======================================== +https://openjdk.java.net/jeps/356 + +Provide new interface types and implementations for pseudo-random +number generators (PRNGs), including jumpable PRNGs and an additional +class of splittable PRNG algorithms (LXM). + +Foreign Function & Memory API +============================= +https://openjdk.java.net/jeps/412 + +Introduce an API by which Java programs can interoperate with code and +data outside of the Java runtime. By efficiently invoking foreign +functions (i.e., code outside the JVM), and by safely accessing +foreign memory (i.e., memory not managed by the JVM), the API enables +Java programs to call native libraries and process native data without +the brittleness and danger of JNI. + +This API is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 17, and is an evolution of the Foreign Memory +Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK +16) (see above). + +Context-Specific Deserialization Filters +======================================== +https://openjdk.java.net/jeps/415 + +Allow applications to configure context-specific and +dynamically-selected deserialization filters via a JVM-wide filter +factory that is invoked to select a filter for each individual +deserialization operation. 
+ +Tools +===== + +Packaging Tool +============== +https://openjdk.java.net/jeps/343 +https://openjdk.java.net/jeps/392 + +Provide the `jpackage` tool, for packaging self-contained Java +applications. + +JVM Features +============ + +Shenandoah: A Low-Pause-Time Garbage Collector +============================================== +https://openjdk.java.net/jeps/189 +https://openjdk.java.net/jeps/379 + +Add a new garbage collection (GC) algorithm named Shenandoah which +reduces GC pause times by doing evacuation work concurrently with the +running Java threads. Pause times with Shenandoah are independent of +heap size, meaning you will have the same consistent pause times +whether your heap is 200 MB or 200 GB. + +Shenandoah has been provided in Red Hat builds of OpenJDK 8 since +8u131 in April 2017 and in all 11u builds. + +Upstream, it was introduced in OpenJDK 12 as an experimental feature +and became a production feature in OpenJDK 15. It was backported to +OpenJDK 11 with the 11.0.9 release in October 2020. + +Abortable Mixed Collections for G1 +================================== +https://openjdk.java.net/jeps/344 + +Make G1 mixed collections abortable if they might exceed the pause +target. + +Promptly Return Unused Committed Memory from G1 +=============================================== +https://openjdk.java.net/jeps/346 + +Enhance the G1 garbage collector to automatically return Java heap +memory to the operating system when idle. + +Dynamic CDS Archives +==================== +https://openjdk.java.net/jeps/310 +https://openjdk.java.net/jeps/350 + +Extend application class-data sharing to allow the dynamic archiving +of classes at the end of Java application execution. The archived +classes will include all loaded application classes and library +classes that are not present in the default, base-layer CDS archive. 
+ +ZGC: Uncommit Unused Memory (Experimental) +========================================== +https://openjdk.java.net/jeps/351 + +Enhance ZGC to return unused heap memory to the operating system. + +NUMA-Aware Memory Allocation for G1 +=================================== +https://openjdk.java.net/jeps/345 + +Improve G1 performance on large machines by implementing NUMA-aware +memory allocation. + +ZGC on macOS (Experimental) +=========================== +https://openjdk.java.net/jeps/364 + +Port the ZGC garbage collector to macOS. + +ZGC on Windows (Experimental) +============================= +https://openjdk.java.net/jeps/365 + +Port the ZGC garbage collector to Windows. + +ZGC: A Scalable Low-Latency Garbage Collector (Production) +========================================================== +https://openjdk.java.net/jeps/377 + +Change the Z Garbage Collector from an experimental feature into a +product feature. + +ZGC: Concurrent Thread-Stack Processing +======================================= +https://openjdk.java.net/jeps/376 + +Move ZGC thread-stack processing from safepoints to a concurrent +phase. + +Elastic Metaspace +================= +https://openjdk.java.net/jeps/387 + +Return unused HotSpot class-metadata (i.e., metaspace) memory to the +operating system more promptly, reduce metaspace footprint, and +simplify the metaspace code in order to reduce maintenance costs. + +Ports +===== + +Alpine Linux Port +================= +https://openjdk.java.net/jeps/386 + +Port the JDK to Alpine Linux, and to other Linux distributions that +use musl as their primary C library, on both the x64 and AArch64 +architectures, + +Windows/AArch64 Port +==================== +https://openjdk.java.net/jeps/388 + +Port the JDK to Windows/AArch64. 
+ +New macOS Rendering Pipeline +============================ +https://openjdk.java.net/jeps/382 + +Implement a Java 2D internal rendering pipeline for macOS using the +Apple Metal API as alternative to the existing pipeline, which uses +the deprecated Apple OpenGL API. + +macOS/AArch64 Port +================== +https://openjdk.java.net/jeps/391 + +Port the JDK to macOS/AArch64. + +DEPRECATIONS +============ + +Deprecate the ParallelScavenge + SerialOld GC Combination +========================================================= +https://openjdk.java.net/jeps/366 + +Deprecate the combination of the Parallel Scavenge and Serial Old +garbage collection algorithms. + +Deprecate and Disable Biased Locking +==================================== +https://openjdk.java.net/jeps/374 + +Disable biased locking by default, and deprecate all related +command-line options. + +Warnings for Value-Based Classes +================================ +https://openjdk.java.net/jeps/390 + +Designate the primitive wrapper classes as value-based and deprecate +their constructors for removal, prompting new deprecation +warnings. Provide warnings about improper attempts to synchronize on +instances of any value-based classes in the Java Platform. + +Deprecate the Applet API for Removal +==================================== +https://openjdk.java.net/jeps/398 + +Deprecate the Applet API for removal. It is essentially irrelevant +since all web-browser vendors have either removed support for Java +browser plug-ins or announced plans to do so. + +Deprecate the Security Manager for Removal +========================================== +https://openjdk.java.net/jeps/411 + +Deprecate the Security Manager for removal in a future release. The +Security Manager dates from Java 1.0. It has not been the primary +means of securing client-side Java code for many years, and it has +rarely been used to secure server-side code. 
To move Java forward, we +intend to deprecate the Security Manager for removal in concert with +the legacy Applet API (see above). . + +REMOVALS +======== + +Remove the Concurrent Mark Sweep (CMS) Garbage Collector +======================================================== +https://openjdk.java.net/jeps/363 + +Remove the Concurrent Mark Sweep (CMS) garbage collector. + +Remove the Pack200 Tools and API +================================ +https://openjdk.java.net/jeps/336 +https://openjdk.java.net/jeps/367 + +Remove the `pack200` and `unpack200` tools, and the `Pack200` API in +the `java.util.jar` package. These tools and API were deprecated for +removal in OpenJDK 11 with the express intent to remove them in a +future release. + +Remove the Nashorn JavaScript Engine +==================================== +https://openjdk.java.net/jeps/372 + +Remove the Nashorn JavaScript script engine and APIs, and the `jjs` +tool. The engine, the APIs, and the tool were deprecated for removal +in OpenJDK 11 with the express intent to remove them in a future +release. + +Remove the Solaris and SPARC Ports +================================== +https://openjdk.java.net/jeps/362 +https://openjdk.java.net/jeps/381 + +Remove the source code and build support for the Solaris/SPARC, +Solaris/x64, and Linux/SPARC ports. These ports were deprecated for +removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381). + +Remove RMI Activation +===================== +https://openjdk.java.net/jeps/385 +https://openjdk.java.net/jeps/407 +https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html + +Remove the Remote Method Invocation (RMI) Activation mechanism, while +preserving the rest of RMI. RMI Activation is an obsolete part of RMI +that has been optional since OpenJDK 8 and was deprecated in OpenJDK +15. 
+ +Remove the Experimental AOT and JIT Compiler +============================================ +https://openjdk.java.net/jeps/410 + +Remove the experimental Java-based ahead-of-time (AOT) and +just-in-time (JIT) compiler. This compiler has seen little use since +its introduction and the effort required to maintain it is +significant. Retain the experimental Java-level JVM compiler +interface (JVMCI) so that developers can continue to use +externally-built versions of the compiler for JIT compilation. diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/TestCryptoLevel.java 
@@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = 
(Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/TestECDSA.java b/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/TestECDSA.java 
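Review bot: Both early-exit branches in `main` of TestCryptoLevel.java fail open. When `javax.crypto.JceSecurity` cannot be loaded, or `getDefaultPolicy`/`getExemptPolicy` are not found, the program prints a message and calls `System.exit(0)`, so a check meant to ensure the unlimited crypto policy reports success without inspecting anything. In a test shipped with this one JDK package those internals are expected to exist, so an upstream rename would silently turn the check into a no-op; I would change both branches to `System.exit(1);`, or to a distinct status the caller treats as "skipped". The `setAccessible(true)` calls on `javax.crypto` internals presumably rely on the caller opening that package, given the strong-encapsulation entry in this commit's NEWS file. If so, a comment above them such as `// requires --add-opens java.base/javax.crypto=ALL-UNNAMED` would document the dependency.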
@@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java new file mode 100644 index 0000000..06a0b07 --- /dev/null +++ b/TestSecurityProperties.java 
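Review bot: TestECDSA.java only checks the accepting path: `dsaCheck.verify(sig)` is asserted to be true for the untouched `data`, so a provider whose verify returned true for any input would still print "Test passed.". Since this test is there to show that ECDSA works in the packaged JDK, I would add a rejection check before the final println: verify the same `sig` against a copy of `data` with one bit flipped and fail if it is accepted. As a side point, `getBytes("UTF-8")` could use `StandardCharsets.UTF_8`, which avoids the checked exception.

```java
// … unchanged: key generation, signing and the positive verify check …
byte[] tampered = data.clone();
tampered[0] ^= 0x01;
Signature dsaReject = Signature.getInstance("NONEwithECDSA");
dsaReject.initVerify(key.getPublic());
dsaReject.update(tampered);
if (dsaReject.verify(sig)) {
    throw new RuntimeException("Test failed. Tampered data was accepted");
}
System.out.println("Test passed.");
```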
@@ -0,0 +1,43 @@ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + public static void main(String[] args) { + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println("Debug: Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } +} diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec new file mode 100644 index 0000000..bd2d867 --- /dev/null +++ b/java-17-openjdk.spec 
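Review bot: In the loop in `main`, `securityVal.equals(jdkSecVal)` dereferences the result of `Security.getProperty(sKey)`, which is null when the running JVM has no value for that key. A missing property therefore ends the test with a NullPointerException instead of the "Expected value ... but got value" message that names the key. Comparing from the file side, `if (!jdkSecVal.equals(securityVal)) {`, keeps that diagnostic. `Security.getProperty` also appears to trim the value it returns while `Properties.getProperty` does not, so an entry with trailing whitespace in java.security could be reported as a mismatch; worth confirming and, if so, trimming `jdkSecVal` before the comparison. The class has no comment saying which configuration it is meant to validate, and a one-line Javadoc on `TestSecurityProperties` would cover that.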
@@ -0,0 +1,2360 @@ +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-17-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug --without fastdebug + +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs + +# Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} +%define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# With LTO flags enabled, debuginfo checks fail for some reason. Disable +# LTO for a passing build. This really needs to be looked at. +%define _lto_cflags %{nil} + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. 
If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell 
or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build debug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{debug_arches} %{arm} +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler +%global aot_arches x86_64 %{aarch64} +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# See https://bugzilla.redhat.com/show_bug.cgi?id=513605 +# 
MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT +%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures for which java has short vector math library (libsvml.so) +%global svml_arches x86_64 + +# By default, we build a debug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable both builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif + +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif + +%if %{include_staticlibs} +# Extra target for 
producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images + + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path +# the initialization must be here. Later the pkg-config have buggy behavior +# looks like openjdk RPM specific bug +# Always set this so the nss.cfg file is not broken +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) + +# In some cases, the arch used by the JDK does +# not match _arch. 
+# Also, in some cases, the machine name used by SystemTap +# does not match that given by _build_cpu +%ifarch x86_64 +%global archinstall amd64 +%endif +%ifarch ppc +%global archinstall ppc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%endif +%ifarch %{ix86} +%global archinstall i686 +%endif +%ifarch ia64 +%global archinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%endif +%ifarch %{arm} +%global archinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%endif +%ifnarch %{jit_arches} +%global archinstall %{_arch} +%endif + + + +%ifarch %{systemtap_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global featurever 17 +%global interimver 0 +%global updatever 1 +%global patchver 0 +# If you bump featurever, you must also bump vendor_version_string +# Used via new version scheme. JDK 17 was +# GA'ed in September 2021 => 21.9 +%global vendor_version_string 21.9 +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, +# and this it is better to change it here, on single place +%global buildjdkver 17 +# We don't add any LTS designator for STS packages (this package). +# Neither for Fedora nor EPEL which would have %%{rhel} macro defined. 
+ %global lts_designator "" + %global lts_designator_zip "" + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 6.0.0pre00-c848b93a8598 + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{origin} +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 12 +%global rpmrelease 8 +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit +%if %is_system_jdk +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} + +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global build_type GA +%global expected_ea_designator "" +%global ea_designator_zip "" +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global build_type EA 
+%global expected_ea_designator ea +%global ea_designator_zip -%{expected_ea_designator} +%global extraver .%{expected_ea_designator} +%global eaprefix 0. +%endif + +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global bugs https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{featurever}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs 
libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.* +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for any debug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. 
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global alt_java_name alt-java + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka build_cpu as architecture specific directory name. 
+%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%endif + +# not-duplicated scriptlets for normal/debug packages +%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + + +%define post_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +exit 0 +} + +%define alternatives_java_install() %{expand: +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +alternatives \\ + --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ + --slave %{_mandir}/man1/java.1$ext java.1$ext \\ + %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ + %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ + %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + +for X in %{origin} %{javaver} ; do + alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +} + +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump 
>/dev/null 2>/dev/null +%endif + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +# see pretrans where this file is declared +# also see that pretrans is only for non-debug +if [ ! "%{?1}" == %{debug_suffix} ]; then + if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then + sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}} + fi +fi + +exit 0 +} + +%define postun_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + + +%define postun_headless() %{expand: + alternatives --remove java %{jrebindir -- %{?1}}/java + alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} +} + +%define posttrans_script() %{expand: +%{update_desktop_icons} +} + + +%define alternatives_javac_install() %{expand: +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +alternatives \\ + --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ + --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ +%ifarch %{sa_arches} + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif + --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ + --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ + --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- 
%{?1}}/jcmd \\ + --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ + --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ + --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ + --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ + --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ + --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ + --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ + --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ + --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ + --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ + --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ + --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ + --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ + %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\ + %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\ + %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\ + %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ + %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ + %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ + %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave 
%{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\ + %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\ + %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\ + %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\ + %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\ + %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\ + %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\ + %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ + %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ + %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ + +for X in %{origin} %{javaver} ; do + alternatives \\ + --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +} + +%define post_devel() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +exit 0 +} + +%define postun_devel() %{expand: + alternatives --remove javac %{sdkbindir -- %{?1}}/javac + alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + 
+update-desktop-database %{_datadir}/applications &> /dev/null || : + +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + +%define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} +%{update_desktop_icons} +} + +%define alternatives_javadoc_install() %{expand: +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc() %{expand: + alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +exit 0 +} + +%define alternatives_javadoczip_install() %{expand: +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc_zip() %{expand: + alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +exit 0 +} + +%define files_jre() %{expand: +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so +} + + +%define files_jre_headless() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%dir %{_sysconfdir}/.java/.systemPrefs +%dir %{_sysconfdir}/.java +%dir %{_jvmdir}/%{sdkdir -- %{?1}} +%{_jvmdir}/%{sdkdir -- %{?1}}/release +%{_jvmdir}/%{jrelnk -- %{?1}} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry +%dir %{_jvmdir}/%{sdkdir -- 
%{?1}}/lib +%ifarch %{jit_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- 
%{?1}}/lib/libsystemconf.so +%ifarch %{svml_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc +%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ +%ifarch %{share_arches} +%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa +%endif +%dir %{etcjavasubdir} +%dir %{etcjavadir -- %{?1}} +%dir %{etcjavadir -- %{?1}}/lib +%dir %{etcjavadir -- %{?1}}/lib/security +%{etcjavadir -- %{?1}}/lib/security/cacerts +%dir %{etcjavadir -- %{?1}}/conf +%dir %{etcjavadir -- %{?1}}/conf/sdp +%dir %{etcjavadir -- %{?1}}/conf/management +%dir %{etcjavadir -- %{?1}}/conf/security +%dir %{etcjavadir -- %{?1}}/conf/security/policy +%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited +%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy + %{etcjavadir -- 
%{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# This is a config template, thus not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_jvmdir}/jre
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+%endif
+%endif
+# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
+}
+
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%endif
+%{_datadir}/applications/*jconsole%{?1}.desktop
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+
+%if %{with_systemtap}
+%dir %{tapsetroot}
+%dir %{tapsetdirttapset}
+%dir %{tapsetdir}
+%{tapsetdir}/*%{_arch}%{?1}.stp
+%endif
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_jvmdir}/%{alt_java_name}
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+}
+
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+}
+
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+}
+
+%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+}
+
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license
%{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java
+%endif
+%endif
+}
+
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+%endif
+%endif
+}
+
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+%if 0%{?rhel} >= 8
+Recommends: gtk3%{?_isa}
+%endif
+
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+# Require zone-info data provided by tzdata-java sub-package
+Requires: tzdata-java >= 2015d
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires:
lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
+# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 4.0
+OrderWithRequires: copy-jdk-configs
+%endif
+# for printing support
+Requires: cups-libs
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# for optional support of kernel stream control, card reader and printing bindings
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides:
java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_static_libs_rpo() %{expand:
+Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+}
+
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage javadoc
provides
+Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+Name: java-17-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+Summary: %{origin_nice} %{featurever} Runtime Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+
+# to regenerate source0 (jdk) run update_package.sh
+# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
+Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+
+# Desktop files.
Adapted from IcedTea
+Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# Follow system wide crypto policy RHBZ#1249083
+Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# PR3695: Allow use of system crypto policy to be disabled by the user
+Patch5: pr3695-toggle_system_crypto_policy.patch
+# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+
+# FIPS support patches
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+Patch1001: rh1655466-global_crypto_and_fips.patch
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+Patch1002: rh1818909-fips_default_keystore_type.patch
+# RH1860986: Disable TLSv1.3 with the
NSS-FIPS provider until PKCS#11 v3.0 support is available
+Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+Patch1007: rh1915071-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1008: rh1929465-improve_system_FIPS_detection.patch
+Patch1011: rh1929465-dont_define_unused_throwioexception.patch
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+Patch1009: rh1995150-disable_non-fips_crypto.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1010: rh1996182-login_to_nss_software_token.patch
+Patch1012: rh1996182-extend_security_policy.patch
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+Patch1013: rh1991003-enable_fips_keys_import.patch
+
+#############################################
+#
+# OpenJDK patches in need of upstreaming
+#
+#############################################
+# JDK-8276572: Fake libsyslookup.so library causes tooling issues
+Patch2000: jdk8276572-fake_libsyslookup_causes_tooling_issues.patch
+
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirements for setting up the nss.cfg and FIPS support
+BuildRequires: nss-devel >= 3.53
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+BuildRequires: javapackages-filesystem
+BuildRequires: java-latest-openjdk-devel
+# Zero-assembler build requirement
+%ifnarch %{jit_arches}
+BuildRequires: libffi-devel
+%endif
+BuildRequires: tzdata-java >= 2015d
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} %{featurever} Headless Runtime Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo %{nil}}
+
+%description headless
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%endif
+
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+Group: Development/Languages
+
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+
+%description headless-slowdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package headless-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+Group: Development/Languages
+
+%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description headless-fastdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+Group: Development/Tools
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools .
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{featurever}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo %{nil}}
+
+%description jmods
+The JMods for %{origin_nice} %{featurever}.
+%endif
+
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{featurever}.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package jmods-fastdebug
+Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
+Group: Development/Tools
+
+%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description jmods-fastdebug
+The JMods for %{origin_nice} %{featurever}.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} %{featurever} Demos
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo %{nil}}
+
+%description demo
+The %{origin_nice} %{featurever} demos.
+%endif
+
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} %{featurever} Demos %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+
+%description demo-slowdebug
+The %{origin_nice} %{featurever} demos.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package demo-fastdebug
+Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
+Group: Development/Languages
+
+%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description demo-fastdebug
+The %{origin_nice} %{featurever} demos.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} %{featurever} Source Bundle
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_src_rpo %{nil}}
+
+%description src
+The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
+class library source code for use by IDE indexers and debuggers.
+%endif
+
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+
+%description src-slowdebug
+The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_debug}.
+%endif
+
+%if %{include_fastdebug_build}
+%package src-fastdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
+Group: Development/Languages
+
+%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description src-fastdebug
+The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
+%endif
+
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{featurever} API documentation
+%if 0%{?rhel} <= 8
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo %{nil}}
+
+%description javadoc
+The %{origin_nice} %{featurever} API documentation.
+%endif
+
+%if %{include_normal_build}
+%package javadoc-zip
+Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
+%if 0%{?rhel} <= 8
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling
+
+%{java_javadoc_rpo %{nil}}
+
+%description javadoc-zip
+The %{origin_nice} %{featurever} API documentation compressed in a single archive.
+%endif
+
+%prep
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+popd # openjdk
+
+%patch1000
+%patch600
+%patch1001
+%patch1002
+%patch1004
+%patch1007
+%patch1008
+%patch1009
+%patch1010
+%patch1011
+%patch1012
+%patch1013
+%patch2000
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+ sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
+%else
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# The _X_ syntax indicates variables that are replaced by make upstream
+# The @X@ syntax indicates variables that are replaced by configure upstream
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+ FILE=`basename $file | sed -e s:\.in$::g`
+ EXT="${FILE##*.}"
+ NAME="${FILE%.*}"
+ OUTPUT_FILE=$NAME$suffix.$EXT
+ sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+ sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
+ sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+done
+done
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+
+%build
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+EXTRA_CFLAGS="%ourcppflags"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+export EXTRA_CFLAGS
+
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+ # The OpenJDK version file includes the current
+ # upstream version information.
For some reason, + # configure does not automatically use the + # default pre-version supplied there (despite + # what the file claims), so we pass it manually + # to configure + VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf + if [ -f ${VERSION_FILE} ] ; then + EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) + else + echo "Could not find OpenJDK version file."; + exit 16 + fi + if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then + echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; + exit 17 + fi + + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}" + + mkdir -p ${outputdir} + pushd ${outputdir} + + bash ${top_dir_abs_src_path}/configure \ +%ifnarch %{jit_arches} + --with-jvm-variants=zero \ +%endif +%ifarch %{ppc64le} + --with-jobs=1 \ +%endif + --with-version-build=%{buildver} \ + --with-version-pre="${EA_DESIGNATOR}" \ + --with-version-opt=%{lts_designator} \ + --with-vendor-version-string="%{vendor_version_string}" \ + --with-vendor-name="Red Hat, Inc." 
\ + --with-vendor-url="https://www.redhat.com/" \ + --with-vendor-bug-url="%{bugs}" \ + --with-vendor-vm-bug-url="%{bugs}" \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="%{debug_symbols}" \ + --enable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=system \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ + --with-stdc++lib=dynamic \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --with-source-date="${SOURCE_DATE_EPOCH}" \ + --disable-javac-server \ +%ifarch %{zgc_arches} + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors + + cat spec.gmk + + make \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + + popd +} + +function installjdk() { + local imagepath=${1} + + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ + + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + + # Create fake alt-java 
as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd +} + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + + systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk + + for loop in %{main_suffix} %{staticlibs_loop} ; do + + builddir=%{buildoutputdir -- ${suffix}${loop}} + bootbuilddir=boot${builddir} + + if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Use system libraries + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. 
+ if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + rm -rf ${bootbuilddir} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + fi + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} + else + # Use bundled libraries for building statically + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" + # Always just do the one build for the static libraries + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + fi + + done # end of main / staticlibs loop + + # Final setup on the main image + top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} + +# build cycles +done # end of release / debug cycle loop + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +#check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . 
%{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +%endif + +so_suffix="so" +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. 
So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < 0 +# This fails on s390x for some reason. Disable for now. See: +# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 +%ifnarch s390x +grep 'JavaCallWrapper::JavaCallWrapper' gdb.out +%endif +%endif + +# Check src.zip has all sources. 
See RHBZ#1130490 +$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + +# Check class files include useful debugging information +$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + +# Check generated class files include useful debugging information +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +# build cycles check +done + +%install +STRIP_KEEP_SYMTAB=libjvm* + +for suffix in %{build_loop} ; do + +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +%endif +jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} + +# Install the jdk +mkdir -p $RPM_BUILD_ROOT%{_jvmdir} +cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} + +pushd ${jdk_image} + +%if %{with_systemtap} + # Install systemtap support files + install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset + # note, that uniquesuffix is in BUILD dir in this case + cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ + pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ + tapsetFiles=`ls *.stp` + popd + install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir} + for name in $tapsetFiles ; do + targetName=`echo $name | sed "s/.stp/$suffix.stp/"` + ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName + done +%endif + + # Remove empty cacerts database + rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts + # Install cacerts symlink needed by some apps which hard-code the path + pushd 
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security + ln -sf /etc/pki/java/cacerts . + popd + + # Install version-ed symlinks + pushd $RPM_BUILD_ROOT%{_jvmdir} + ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} + popd + + # Install man pages + install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1 + for manpage in man/man1/* + do + # Convert man pages to UTF8 encoding + iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp + mv -f $manpage.tmp $manpage + install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \ + $manpage .1)-%{uniquesuffix -- $suffix}.1 + done + # Remove man pages from jdk image + rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man + +popd +# Install static libs artefacts +%if %{include_staticlibs} +mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc +cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ + $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc +%endif + +if ! 
echo $suffix | grep -q "debug" ; then + # Install Javadoc documentation + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} + cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ +fi + +# Install release notes +commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} +install -d -m 755 ${commondocdir} +cp -a %{SOURCE10} ${commondocdir} + +# Install icons and menu entries +for s in 16 24 32 48 ; do + install -D -p -m 644 \ + %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ + $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png +done + +# Install desktop files +install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps} +for e in jconsole$suffix ; do + desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \ + --dir=$RPM_BUILD_ROOT%{_datadir}/applications $e.desktop +done + +# Install /etc/.java/.systemPrefs/ directory +# See https://bugzilla.redhat.com/show_bug.cgi?id=741821 +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs + +# copy samples next to demos; samples are mostly js files +cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ + + +# moving config files to /etc +mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} +mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib +mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} +mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib +pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix} + ln -s %{etcjavadir -- $suffix}/conf ./conf 
+popd
+pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
+ ln -s %{etcjavadir -- $suffix}/lib/security ./security
+popd
+# end moving files to /etc
+
+# stabilize permissions
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+
+# end, dual install
+done
+
+%if %{include_normal_build}
+# intentionally only for non-debug
+%pretrans headless -p
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
+-- if copy-jdk-configs is in transaction, it installs in pretrans to temp
+-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is
+-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
+-- whether copy-jdk-configs is installed or not. If so, then configs are copied
+-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
+local posix = require "posix"
+
+if (os.getenv("debug") == "true") then
+ debug = true;
+ print("cjc: in spec debug is on")
+else
+ debug = false;
+end
+
+SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
+SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
+
+local stat1 = posix.stat(SOURCE1, "type");
+local stat2 = posix.stat(SOURCE2, "type");
+
+ if (stat1 ~= nil) then
+ if (debug) then
+ print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
+ end;
+ package.path = package.path .. ";" .. SOURCE1
+else
+ if (stat2 ~= nil) then
+ if (debug) then
+ print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
+ end;
+ package.path = package.path .. ";" .. SOURCE2
+ else
+ if (debug) then
+ print(SOURCE1 .." does NOT exists")
+ print(SOURCE2 .." does NOT exists")
+ print("No config files will be copied")
+ end
+ return
+ end
+end
+arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
+cjc = require "copy_jdk_configs.lua"
+args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+cjc.mainProgram(args)
+
+%post
+%{post_script %{nil}}
+
+%post headless
+%{post_headless %{nil}}
+
+%postun
+%{postun_script %{nil}}
+
+%postun headless
+%{postun_headless %{nil}}
+
+%posttrans
+%{posttrans_script %{nil}}
+
+%posttrans headless
+%{alternatives_java_install %{nil}}
+
+%post devel
+%{post_devel %{nil}}
+
+%postun devel
+%{postun_devel %{nil}}
+
+%posttrans devel
+%{posttrans_devel %{nil}}
+
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
+
+%postun javadoc
+%{postun_javadoc %{nil}}
+
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
+
+%postun javadoc-zip
+%{postun_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%post slowdebug
+%{post_script -- %{debug_suffix_unquoted}}
+
+%post headless-slowdebug
+%{post_headless -- %{debug_suffix_unquoted}}
+
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+
+%postun slowdebug
+%{postun_script -- %{debug_suffix_unquoted}}
+
+%postun headless-slowdebug
+%{postun_headless -- %{debug_suffix_unquoted}}
+
+%posttrans slowdebug
+%{posttrans_script -- %{debug_suffix_unquoted}}
+
+%post devel-slowdebug
+%{post_devel -- %{debug_suffix_unquoted}}
+
+%postun devel-slowdebug
+%{postun_devel -- %{debug_suffix_unquoted}}
+
+%posttrans devel-slowdebug
+%{posttrans_devel -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%post fastdebug
+%{post_script -- %{fastdebug_suffix_unquoted}}
+
+%post headless-fastdebug
+%{post_headless -- %{fastdebug_suffix_unquoted}}
+
+%postun fastdebug
+%{postun_script -- %{fastdebug_suffix_unquoted}}
+
+%postun headless-fastdebug
+%{postun_headless -- %{fastdebug_suffix_unquoted}}
+
+%posttrans fastdebug
+%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+
+%post devel-fastdebug
+%{post_devel -- %{fastdebug_suffix_unquoted}}
+
+%postun devel-fastdebug
+%{postun_devel -- %{fastdebug_suffix_unquoted}}
+
+%posttrans devel-fastdebug
+%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%if %{include_normal_build}
+%files
+# main package builds always
+%{files_jre %{nil}}
+%else
+%files
+# placeholder
+%endif
+
+
+%if %{include_normal_build}
+%files headless
+# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
+%{files_jre_headless %{nil}}
+
+%files devel
+%{files_devel %{nil}}
+
+%if %{include_staticlibs}
+%files static-libs
+%{files_static_libs %{nil}}
+%endif
+
+%files jmods
+%{files_jmods %{nil}}
+
+%files demo
+%{files_demo %{nil}}
+
+%files src
+%{files_src %{nil}}
+
+%files javadoc
+%{files_javadoc %{nil}}
+
+# This puts a huge documentation file in /usr/share
+# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
+# same for debug variant
+%files javadoc-zip
+%{files_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%files slowdebug
+%{files_jre -- %{debug_suffix_unquoted}}
+
+%files headless-slowdebug
+%{files_jre_headless -- %{debug_suffix_unquoted}}
+
+%files devel-slowdebug
+%{files_devel -- %{debug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{files_static_libs -- %{debug_suffix_unquoted}}
+%endif
+
+%files jmods-slowdebug
+%{files_jmods -- %{debug_suffix_unquoted}}
+
+%files demo-slowdebug
+%{files_demo -- %{debug_suffix_unquoted}}
+
+%files src-slowdebug
+%{files_src -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%files fastdebug
+%{files_jre -- %{fastdebug_suffix_unquoted}}
+
+%files headless-fastdebug
+%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+
+%files devel-fastdebug
+%{files_devel -- %{fastdebug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%endif
+
+%files jmods-fastdebug
+%{files_jmods -- %{fastdebug_suffix_unquoted}}
+
+%files demo-fastdebug
+%{files_demo -- %{fastdebug_suffix_unquoted}}
+
+%files src-fastdebug
+%{files_src -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%changelog
+* Thu Nov 18 2021 Jiri Vanek - 1:17.0.0.0.35-8
+- inital import
+
diff --git a/jconsole.desktop.in b/jconsole.desktop.in
new file mode 100644
index 0000000..8a3b04d
--- /dev/null
+++ b/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
+Exec=_SDKBINDIR_/jconsole
+Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0
diff --git a/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch b/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch
new file mode 100644
index 0000000..dee144b
--- /dev/null
+++ b/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch
@@ -0,0 +1,21 @@
+commit a4724332098cd8bff44ee27e9190fd28fa5c1865
+Author: Andrew John Hughes
+Date: Fri Nov 5 21:05:42 2021 +0000
+
+ 8276572: Fake libsyslookup.so library causes tooling issues
+
+ Reviewed-by: shade, mcimadamore
+
+diff --git openjdk.orig/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c openjdk/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c
+index fdf99866786..b1f543bfdb7 100644
+--- openjdk.orig/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c
++++ openjdk/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c
+@@ -26,3 +26,8 @@
+ // Note: the include below is not strictly required, as dependencies will be pulled using linker flags.
+ // Adding at least one #include removes unwanted warnings on some platforms.
+ #include
++
++// Simple dummy function so this library appears as a normal library to tooling.
++char* syslookup() {
++ return "syslookup";
++}
diff --git a/nss.cfg.in b/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
new file mode 100644
index 0000000..1aff153
--- /dev/null
+++ b/nss.fips.cfg.in
@@ -0,0 +1,6 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
+
diff --git a/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
new file mode 100644
index 0000000..4efbe9a
--- /dev/null
+++ b/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch @@ -0,0 +1,88 @@ + +# HG changeset patch +# User andrew +# Date 1478057514 0 +# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c +# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a +PR3183: Support Fedora/RHEL system crypto policy +diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java +--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100 ++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000 +@@ -43,6 +43,9 @@ + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ +@@ -52,6 +55,10 @@ + private static final Debug sdebug = + Debug.getInstance("properties"); + ++ /* System property file*/ ++ private static final String SYSTEM_PROPERTIES = ++ "/etc/crypto-policies/back-ends/java.config"; ++ + /* The java.security properties */ + private static Properties props; + +@@ -93,6 +100,7 @@ + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -114,6 +122,31 @@ + } + + if ("true".equalsIgnoreCase(props.getProperty ++ ("security.useSystemPropertiesFile"))) { ++ ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ try (BufferedInputStream bis = ++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { ++ props.load(bis); ++ loadedProps = true; ++ ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ SYSTEM_PROPERTIES); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println ++ ("unable to load security properties from " + ++ SYSTEM_PROPERTIES); ++ e.printStackTrace(); ++ } ++ } ++ } ++ ++ if ("true".equalsIgnoreCase(props.getProperty + ("security.overridePropertiesFile"))) { + + String extraPropFile = System.getProperty +diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security +--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100 ++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000 +@@ -276,6 +276,13 @@ + security.overridePropertiesFile=true + + # ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=true ++ ++# + # Determines the default key and trust 
manager factory algorithms for
+ # the javax.net.ssl package.
+ #
diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch
new file mode 100644
index 0000000..3799237
--- /dev/null
+++ b/pr3695-toggle_system_crypto_policy.patch
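Review bot: The system crypto-policy load that pr3183 adds to `Security.java` fails open without a trace: its `catch (IOException e)` branch prints only when `sdebug != null`, so an unreadable `/etc/crypto-policies/back-ends/java.config` looks the same as an absent one and the earlier property values stay in force. The comment added above `security.useSystemPropertiesFile=true` in `java.security` does not say this, and I would extend it with a line such as `# If that file cannot be read, the settings in this file apply unchanged.` so an administrator knows that the flag alone does not guarantee the system policy is active. The same try/catch is carried over unchanged by `pr3695-toggle_system_crypto_policy.patch`. The enclosing initializer starts and ends outside the lines shown in this patch.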
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User andrew
+# Date 1545198926 0
+# Wed Dec 19 05:55:26 2018 +0000
+# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
+# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
+PR3695: Allow use of system crypto policy to be disabled by the user
+Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
+
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -125,31 +125,6 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
+- loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+- }
+- }
+-
+- if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+@@ -215,6 +190,33 @@
+ }
+ }
+
++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++ if (disableSystemProps == null &&
++ "true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh
new file mode 100644
index 0000000..e999c7e
--- /dev/null
+++ b/remove-intree-libraries.sh
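Review bot: The opt-out test `disableSystemProps == null` treats any value of `java.security.disableSystemPropertiesFile` as a request to skip the system policy, so `-Djava.security.disableSystemPropertiesFile=false` switches it off as well. Following the style of the neighbouring property checks, `if (!"true".equalsIgnoreCase(disableSystemProps) &&` would let only an explicit `true` disable it, which is the form the spec's `%check` section exercises. Nothing is written to `sdebug` when the policy is skipped, so I would also add, under an `sdebug != null` guard, a line such as `sdebug.println("system security properties file disabled by java.security.disableSystemPropertiesFile");` so that a debug trace shows why the system file was not applied. The enclosing initializer begins and ends outside the nested hunks.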
@@ -0,0 +1,157 @@
+#!/bin/sh
+
+# Arguments:
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+
+# Minimal is limited to just zlib so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..3042186
--- /dev/null
+++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+ toolkit = new HeadlessToolkit(toolkit);
+ }
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..7be1fae
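Review bot: `cd ${TREE}` is unquoted and its result is never checked, so when the directory is missing or unreadable the script carries on, and `rm -rvf ${ZIP_SRC}` and the later `rm` calls act on the same relative paths under whatever directory the caller started in. I would make it `cd "${TREE}" || exit 1` and quote the path variables in the tests and `rm` calls. The usage line `echo "$0 (MINIMAL|FULL)"` also leaves out the tree argument that `$1` actually is and names the modes in upper case although only `minimal` and `full` are accepted; `echo "Usage: $0 TREE [minimal|full]"` would match the checks.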
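Review bot: The new `catch (AWTError error)` around `loadAssistiveTechnologies()` discards the error with only `// ignore silently`, so a missing or misconfigured assistive-technology class leaves no trace for whoever has to diagnose it. The comment should at least say why the error is swallowed, for example `// RH1648242: a failing accessibility bridge must not prevent the toolkit from being created`, and a debug-level log of `error` would keep the failure visible without breaking startup. The enclosing method starts and ends outside this hunk.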
--- /dev/null
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,12 @@
+diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
+index 534bdae5a16..2df2b59cbf6 100644
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
+ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # A list of preferred providers for specific algorithms. These providers will
diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # Determines whether this properties file can be appended to
diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch
new file mode 100644
index 0000000..80cd91c
--- /dev/null
+++ b/rh1655466-global_crypto_and_fips.patch
@@ -0,0 +1,205 @@ +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -196,26 +196,8 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); ++ if (SystemConfigurator.configure(props)) { + loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } + } + } + +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,151 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. 
++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) 
props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (fipsEnabled) { ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -87,6 +87,14 @@ + #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++ ++# + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. + # Entries containing errors (parsing, etc) will be ignored. Use the 
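Review bot: In `configure`, any failure on the FIPS path ends in `catch (Exception e)` and is reported only when `sdebug != null`, so a host whose `/etc/crypto-policies/config` selects FIPS but cannot be read (`enableFips()` is declared `throws Exception`) starts with non-FIPS settings and says nothing. Because `loadedProps = false` is set and the `security.provider` entries are removed before the `fips.provider.N` values are copied in, an exception part-way through also returns `false` with the provider list emptied, and what happens next depends on code in `Security` that this patch does not show. I would report the failure unconditionally, e.g. `System.err.println("WARNING: FIPS configuration could not be applied: " + e);` in that catch block, or fail closed when the policy file says FIPS. A later patch in the series may already change the detection; that is not visible from here.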
diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
new file mode 100644
index 0000000..5e2b254
--- /dev/null
+++ b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@@ -0,0 +1,13 @@
+--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100
++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+
+ private final static String PROP_NAME = "sun.security.smartcardio.library";
+
+- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+ private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+
+ PlatformPCSC() {
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..88f5e5a
--- /dev/null
+++ b/rh1750419-redhat_alt_java.patch
@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+ OPTIMIZATION := HIGH, \
+ ))
+
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++ OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+ $(eval $(call SetupBuildLauncher, javaw, \
+ CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL 52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL 53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS 0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED 0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++ if ( prctl(PR_SET_SPECULATION_CTRL,
++ PR_SPEC_STORE_BYPASS,
++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++ return;
++ }
++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+
diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch
new file mode 100644
index 0000000..ff34f3e
--- /dev/null
+++ b/rh1818909-fips_default_keystore_type.patch
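Review bot: In `set_speculation()` the result of the fallback `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0)` is discarded, so when both calls fail the `alt-java` launcher runs without the store-bypass mitigation and gives no sign of it. `PR_GET_SPECULATION_CTRL` is defined in this header but never used; querying it after the two attempts would let the launcher tell "not affected" apart from "could not be set" and report only the latter. At minimum I would check the return, `if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) != 0) { /* report that the mitigation was not applied */ }`, and add a comment above the function saying that it runs as a constructor before `main` and is best-effort. On targets other than Linux x86_64 the `main.c` hunk only emits a `#warning` at build time, which deserves a line in the launcher's documentation as well.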
@@ -0,0 +1,52 @@ +diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 +@@ -123,6 +123,33 @@ + } + props.put(fipsProviderKey, fipsProviderValue); + } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } + loadedProps = true; + } + } catch (Exception e) { +diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux +--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300 +@@ -299,6 +299,11 @@ + keystore.type=pkcs12 + + # ++# Default keystore type used when global crypto-policies are set to FIPS. 
++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for JKS and PKCS12 keystore types. + # + # When set to 'true', both JKS and PKCS12 keystore types support loading diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch new file mode 100644 index 0000000..8dcd9a8 --- /dev/null +++ b/rh1860986-disable_tlsv1.3_in_fips_mode.patch 
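Review bot: `nonFipsKeystoreType` comes from `props.getProperty("keystore.type")` and is passed straight to `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)`; if that property is absent the value is null, `System.setProperty` throws a NullPointerException, and the surrounding `catch (Exception e)` (outside this hunk) turns it into a quietly abandoned FIPS setup. Guarding the branch with `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null) {` avoids that. `javax.net.ssl.keyStore` is set to `NONE` without the same "only if unset" test, so a value given on the command line is overwritten; if that is intended, the comment above it should say so.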
@@ -0,0 +1,318 @@ +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index f9baf8c9742..60fa75cab45 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,11 +1,13 @@ + /* +- * Copyright (c) 2019, Red Hat, Inc. ++ * Copyright (c) 2019, 2020, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -34,10 +36,10 @@ import java.nio.file.Path; + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.function.Consumer; +-import java.util.regex.Matcher; + import java.util.regex.Pattern; + ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; ++import jdk.internal.access.SharedSecrets; + import sun.security.util.Debug; + + /** +@@ -47,7 +49,7 @@ import sun.security.util.Debug; + * + */ + +-class SystemConfigurator { ++final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -61,15 +63,16 @@ class SystemConfigurator { + private static final String CRYPTO_POLICIES_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/config"; + +- private static final class SecurityProviderInfo { +- int number; +- String key; +- String value; +- SecurityProviderInfo(int number, 
String key, String value) { +- this.number = number; +- this.key = key; +- this.value = value; +- } ++ private static boolean systemFipsEnabled = false; ++ ++ static { ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); + } + + /* +@@ -128,9 +131,9 @@ class SystemConfigurator { + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { +- // If keystore.type is PKCS11, javax.net.ssl.keyStore +- // must be "NONE". See JDK-8238264. +- System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the +@@ -144,12 +147,13 @@ class SystemConfigurator { + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + +- System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; ++ systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { +@@ -160,13 +164,30 @@ class SystemConfigurator { + return loadedProps; + } + ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. 
++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ + /* + * FIPS is enabled only if crypto-policies are set to "FIPS" + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { +- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); +- if (fipsEnabled) { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } + Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..a31e93ec02e +--- /dev/null ++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. 
++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index f6d3638c3dd..5a2c9eb0c46 100644 +--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -81,6 +81,7 @@ public class SharedSecrets { + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -442,4 +443,12 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = 
jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index 6ffdfeda18d..775b185fb06 100644 +--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -32,6 +32,7 @@ import java.security.cert.*; + import java.util.*; + import java.util.concurrent.locks.ReentrantLock; + import javax.net.ssl.*; ++import jdk.internal.access.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { + private static final List serverDefaultCipherSuites; + + static { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10, +- ProtocolVersion.SSL30, +- ProtocolVersion.SSL20Hello +- ); +- +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10, ++ ProtocolVersion.SSL30, ++ ProtocolVersion.SSL20Hello ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + + supportedCipherSuites = getApplicableSupportedCipherSuites( + supportedProtocols); +@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + ProtocolVersion[] candidates; + if (refactored.isEmpty()) { + // Client and server use the same default protocols. +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + // Use the customized TLS protocols. 
+ candidates = +diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +index 894e26dfad8..8b16378b96b 100644 +--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +@@ -27,6 +27,8 @@ package sun.security.ssl; + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + + /** +@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + List.of("SSL"), null); diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch new file mode 100644 index 0000000..513fbbf --- /dev/null +++ b/rh1915071-always_initialise_configurator_access.patch 
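Review bot: The test `SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()` is repeated at three places (twice in `SSLContextImpl`, once in `SunJSSE`), each time dereferencing the accessor without a null check, while the new getter in `SharedSecrets` returns the field as it is. Within this patch the accessor is installed only by `SystemConfigurator`'s static initialiser, so the calls depend on class-initialisation order; rh1915071 later in this series moves the registration, but the getter still does nothing to initialise the owning class itself. I would put the test in one package-private helper that handles a missing accessor explicitly, and build the protocol arrays once from it instead of spelling out both variants at each site. It is also worth documenting that under system FIPS the `TLSv1.3` `SSLContext` is no longer registered, and that TLS 1.0 and 1.1 stay in the FIPS lists, presumably left to the crypto-policy's disabled-algorithm settings.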
@@ -0,0 +1,70 @@ +diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index f1633afb627..ce32c939253 100644 +--- openjdk/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -74,6 +75,15 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. 
+ // (the FileInputStream call and the File.exists call, +@@ -194,9 +204,8 @@ public final class Security { + } + + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); +- if (disableSystemProps == null && +- "true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { ++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && ++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { + if (SystemConfigurator.configure(props)) { + loadedProps = true; + } +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 60fa75cab45..10b54aa4ce4 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -38,8 +38,6 @@ import java.util.Map.Entry; + import java.util.Properties; + import java.util.regex.Pattern; + +-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; +-import jdk.internal.access.SharedSecrets; + import sun.security.util.Debug; + + /** +@@ -65,16 +63,6 @@ final class SystemConfigurator { + + private static boolean systemFipsEnabled = false; + +- static { +- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( +- new JavaSecuritySystemConfiguratorAccess() { +- @Override +- public boolean isSystemFipsEnabled() { +- return SystemConfigurator.isSystemFipsEnabled(); +- } +- }); +- } +- + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and diff --git a/rh1929465-dont_define_unused_throwioexception.patch b/rh1929465-dont_define_unused_throwioexception.patch new file mode 100644 index 0000000..eba090f --- /dev/null +++ b/rh1929465-dont_define_unused_throwioexception.patch 
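Review bot: The context comment in the SystemConfigurator.java hunk still says the method is invoked only if the `java.security.disableSystemPropertiesFile` property "is not set", but the Security.java hunk in this same patch now also proceeds when the property is set to `false`. I would reword that line to `java.security.disableSystemPropertiesFile property is not set (or is set to false) and` so the documented condition matches the check. It is also worth stating there that any other value, including an empty string, still skips the system crypto-policy file. The comment block continues outside the hunk.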
@@ -0,0 +1,69 @@ +commit 90e344e7d4987af610fa0054c92d18fe1c2edd41 +Author: Andrew Hughes +Date: Sat Aug 28 01:15:28 2021 +0100 + + RH1929465: Don't define unused throwIOException function when using NSS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 6f4656bfcb6..38919d6bb0f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -34,14 +34,34 @@ + + #include "java_security_SystemConfigurator.h" + +-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" + #define MSG_MAX_SIZE 96 + + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read ++#ifndef SYSCONF_NSS ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++#endif ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} + + /* + * Class: java_security_SystemConfigurator +@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + + #endif // SYSCONF_NSS + } +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = 
(*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); +- } +-} diff --git a/rh1929465-improve_system_FIPS_detection.patch b/rh1929465-improve_system_FIPS_detection.patch new file mode 100644 index 0000000..4dfd1d4 --- /dev/null +++ b/rh1929465-improve_system_FIPS_detection.patch 
@@ -0,0 +1,428 @@ +diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..b2b1c1787da +--- /dev/null ++++ openjdk/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,84 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. 
++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. 
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 +index a65d91ee974..a8f054c1397 100644 +--- openjdk/make/autoconf/libraries.m4 ++++ openjdk/make/autoconf/libraries.m4 +@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then +diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in +index 29445c8c24f..9b1b512a34a 100644 +--- openjdk/make/autoconf/spec.gmk.in ++++ openjdk/make/autoconf/spec.gmk.in +@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk +index 5658ff342e5..cb7a56852f7 100644 +--- openjdk/make/modules/java.base/Lib.gmk ++++ openjdk/make/modules/java.base/Lib.gmk +@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) 
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..6f4656bfcb6 +--- /dev/null ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -0,0 +1,168 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 
++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return 
(*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} +diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 10b54aa4ce4..6aa1419dfd0 100644 +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
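Review bot: In the non-NSS branch of `Java_java_security_SystemConfigurator_getSystemFIPSEnabled` in systemconf.c, a failed `fopen` calls `throwIOException` and then falls through to `fgetc(fe)` and `fclose(fe)` with `fe == NULL`, because `ThrowNew` only marks the exception as pending and does not leave the native function. Add `return JNI_FALSE;` after each `throwIOException(...)` call, both the `fopen` failure and the `EOF` case; the second also stops `dbgPrint` from making JNI calls while an exception is pending. This path decides whether FIPS restrictions are applied, so it should report the I/O error to `enableFips` rather than crash the VM.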
+ * +@@ -30,13 +30,9 @@ import java.io.BufferedInputStream; + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -58,11 +54,23 @@ final class SystemConfigurator { + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; +- + private static boolean systemFipsEnabled = false; + ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and +@@ -170,16 +178,34 @@ final class SystemConfigurator { + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. 
+ */ + private static boolean enableFips() throws Exception { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } diff --git a/rh1991003-enable_fips_keys_import.patch b/rh1991003-enable_fips_keys_import.patch new file mode 100644 index 0000000..79d2743 --- /dev/null +++ b/rh1991003-enable_fips_keys_import.patch 
@@ -0,0 +1,579 @@ +commit abcd0954643eddbf826d96291d44a143038ab750 +Author: Martin Balao +Date: Sun Oct 10 18:14:01 2021 +0100 + + RH1991003: Enable the import of plain keys into the NSS software token. + + This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index ce32c939253..dc7020ce668 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -82,6 +82,10 @@ public final class Security { + public boolean isSystemFipsEnabled() { + return SystemConfigurator.isSystemFipsEnabled(); + } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } + }); + + // doPrivileged here because there are multiple +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 6aa1419dfd0..ecab722848e 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -55,6 +55,7 @@ final class SystemConfigurator { + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + + private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; + + private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; + +@@ -150,6 +151,16 @@ final class SystemConfigurator { + } + loadedProps = true; + systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else 
{ ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } + } + } catch (Exception e) { + if (sdebug != null) { +@@ -177,6 +188,19 @@ final class SystemConfigurator { + return systemFipsEnabled; + } + ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ + /* + * OpenJDK FIPS mode will be enabled only if the com.redhat.fips + * system property is true (default) and the system is in FIPS mode. +diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +index a31e93ec02e..3f3caac64dc 100644 +--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java ++++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -27,4 +27,5 @@ package jdk.internal.access; + + public interface JavaSecuritySystemConfiguratorAccess { + boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); + } +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..bee3a1e1537 +--- /dev/null ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,291 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
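Review bot: `plainKeySupportEnabled = !"false".equals(plainKeySupport);` in the SystemConfigurator.java hunk compares case-sensitively, so `-Dcom.redhat.fips.plainKeySupport=False` leaves plain key import enabled in FIPS mode even though the operator asked to turn it off. The `com.redhat.fips` switch in the same class is parsed with `Boolean.valueOf`, which ignores case, so I would use `!"false".equalsIgnoreCase(plainKeySupport)` here for consistency. The javadoc on `isPlainKeySupportEnabled` should also say that every value other than `false` keeps the feature enabled.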
++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. 
++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? 
v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? 
v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try 
{ ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 5d3963ea893..42c72b393fd 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider { + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final 
MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 5c0aacd1a67..4d80145cb91 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import 
java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -152,16 +153,28 @@ public class PKCS11 { + + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. 
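Review bot: In `PKCS11.getInstance` the `moduleMap` lookup returns the cached instance for a module path before `fipsKeyImporter` is consulted, so the handle passed by any later caller is silently ignored. SunPKCS11.java builds that handle with `MethodHandles.insertArguments(fipsImportKey, 0, this)`, which binds it to one provider instance. A second provider loading the same library would therefore have its sensitive `C_CreateObject` calls routed through the first provider's importer. Whether that matters depends on how `importKey` uses its provider argument, which is only partly visible here, so at minimum state the behaviour above the cache lookup: `// fipsKeyImporter is honoured only for the first getInstance() call per module path`. The body of `getInstance` continues outside the hunk.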
++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. 
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +index e2d6d371bec..dc5e7eefdd3 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception { + return "0x" + Functions.toFullHexString((int)errorCode); + } + ++ /** ++ * Constructor taking the error code (the CKR_* constants in PKCS#11) with ++ * no extra info for the error message. ++ */ ++ public PKCS11Exception(long errorCode) { ++ this(errorCode, null); ++ } ++ + /** + * Constructor taking the error code (the CKR_* constants in PKCS#11) and + * extra info for error message. diff --git a/rh1995150-disable_non-fips_crypto.patch b/rh1995150-disable_non-fips_crypto.patch new file mode 100644 index 0000000..b3d0ae7 --- /dev/null +++ b/rh1995150-disable_non-fips_crypto.patch 
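Review bot: Both `C_CreateObject` overrides (`FIPSPKCS11` and `SynchronizedFIPSPKCS11`) catch `Throwable` from `fipsKeyImporter.invoke` and rethrow a bare `PKCS11Exception(CKR_GENERAL_ERROR)`, so the reason a key import was refused never reaches the caller or a log. The `catch (Throwable t)` at the end of `importKey` in FIPSKeyImporter.java, earlier in this patch, does the same, and there `debug` prints nothing about `t` either. Because `Throwable` is caught, JVM `Error`s are also turned into a generic PKCS#11 failure. Keeping the cause costs three lines: `PKCS11Exception e = new PKCS11Exception(CKR_GENERAL_ERROR); e.initCause(t); throw e;`. The two `fipsKeyImporter` fields are assigned only in the constructors and could be declared `final`.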
@@ -0,0 +1,596 @@ +diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 9d4a794de1a..39e69362458 100644 +--- openjdk/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -151,6 +151,7 @@ module java.base { + java.management, + java.naming, + java.rmi, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.net, +diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 912cad59714..c5e13c98bd9 100644 +--- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -30,6 +30,7 @@ import java.net.*; + import java.util.*; + import java.security.*; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetPropertyAction; + import sun.security.util.SecurityProviderConstants; +@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -94,147 +99,149 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if (NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, 
"SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); ++ ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, 
"Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ /* ++ * Key Pair Generator engines ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ ++ /* ++ * Algorithm Parameter Generator engines ++ */ ++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", ++ "sun.security.provider.DSAParameterGenerator", attrs); ++ attrs.remove("KeySize"); ++ ++ /* ++ * Algorithm Parameter engines ++ */ ++ addWithAlias(p, "AlgorithmParameters", "DSA", ++ "sun.security.provider.DSAParameters", attrs); ++ ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); ++ ++ /* ++ * Digest engines ++ */ ++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); ++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); + } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", 
attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", +- "sun.security.provider.DSA$SHA3_512withDSA", attrs); +- +- attrs.remove("KeySize"); +- +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- 
"sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); +- /* +- * Key Pair Generator engines +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("KeySize", "2048"); // for DSA KPG and APG only +- +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); +- +- /* +- * Algorithm Parameter Generator engines +- */ +- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", +- "sun.security.provider.DSAParameterGenerator", attrs); +- attrs.remove("KeySize"); +- +- /* +- * Algorithm Parameter engines +- */ +- addWithAlias(p, "AlgorithmParameters", "DSA", +- "sun.security.provider.DSAParameters", attrs); +- +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- +- /* +- * Digest engines +- */ +- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); +- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); +- +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); + + /* + * Certificates +diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 
8c9e4f9dbe6..9eeb3013e0d 100644 +--- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAAlgorithmParameters; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; +@@ -56,6 +57,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -249,85 +254,86 @@ public final class SunEC extends Provider { + + putXDHEntries(); + putEdDSAEntries(); +- +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, 
"Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderService(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", +- 
List.of("EllipticCurve"), ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* ++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ 
putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ++ List.of("EllipticCurve"), ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -344,23 +350,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, 
"KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -375,21 +383,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new 
ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } diff --git a/rh1996182-extend_security_policy.patch b/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..7622622 --- /dev/null +++ b/rh1996182-extend_security_policy.patch 
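Review bot: In the SunEntries.java hunk (`@@ -94,147 +99,149 @@`) the shared `attrs` map is now filled only inside `if (!systemFipsEnabled)`, so with system FIPS enabled it is still empty when control reaches the `Certificates` section after the block. Before this change that point was always reached with `ImplementedIn=Software` in the map. The registrations after the `Certificates` comment are outside the hunk, but if they pass `attrs` they would lose that attribute in FIPS mode only. Adding `attrs.put("ImplementedIn", "Software");` directly after the closing brace of the new `if` keeps both paths identical and leaves the non-FIPS path unchanged.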
@@ -0,0 +1,18 @@ +commit bfd7c5dae9c15266799cb885b8c60199217b65b9 +Author: Andrew Hughes +Date: Mon Aug 30 16:14:14 2021 +0100 + + RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access + +diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy +index 8356e56367b..23925f048be 100644 +--- openjdk.orig/src/java.base/share/lib/security/default.policy ++++ openjdk/src/java.base/share/lib/security/default.policy +@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch new file mode 100644 index 0000000..475c521 --- /dev/null +++ b/rh1996182-login_to_nss_software_token.patch 
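Review bot: The added `accessClassInPackage.jdk.internal.access` grant for `jrt:/jdk.crypto.cryptoki` has no comment recording why the provider needs it, and the grant covers the whole package rather than the one accessor the provider uses. The companion patch on this page imports `jdk.internal.access.SharedSecrets` into SunPKCS11 only to call `isSystemFipsEnabled()`. I would add `// RH1996182: SunPKCS11 reads the system FIPS flag through SharedSecrets` above the permission line, so a later audit of default.policy can tell whether the grant is still required. The grant block continues outside the hunk.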
@@ -0,0 +1,65 @@ +commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923 +Author: Martin Balao +Date: Sat Aug 28 00:35:44 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 39e69362458..aeb5fc2eb46 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -151,6 +151,7 @@ module java.base { + java.management, + java.naming, + java.rmi, ++ jdk.crypto.cryptoki, + jdk.crypto.ec, + jdk.jartool, + jdk.jlink, +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index 112b639aa96..5d3963ea893 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; +@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. 
See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch new file mode 100644 index 0000000..1b706a1 --- /dev/null +++ b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch @@ -0,0 +1,19 @@ +Remove uses of FAR in jpeg code + +Upstream libjpeg-trubo removed the (empty) FAR macro: +http://sourceforge.net/p/libjpeg-turbo/code/1312/ + +Adjust our code to not use the undefined FAR macro anymore. + +diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +@@ -1385,7 +1385,7 @@ + /* and fill it in */ + dst_ptr = icc_data; + for (seq_no = first; seq_no < last; seq_no++) { +- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; ++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; + unsigned int length = + icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; + diff --git a/sources b/sources new file mode 100644 index 0000000..dadd1ed --- /dev/null +++ b/sources 
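Review bot: The `if (systemFipsEnabled)` block logs in with an empty PIN on whatever token this SunPKCS11 instance was configured for; nothing in the hunk limits it to the NSS software token that the comment describes. A provider configured for a different PKCS#11 module on a FIPS-enabled host would get a failing `C_Login`, which now aborts initialisation through `throw p11e` and, on tokens that count failed logins, presumably consumes an attempt. I would narrow the condition, e.g. `if (systemFipsEnabled && nssModule != null) {`, assuming `nssModule` is non-null only for the NSS configuration; its assignment is outside the hunk, so confirm. The debug message could also state that an empty PIN was used, so a site that has set a PIN on /etc/pki/nssdb can diagnose the failure.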
@@ -0,0 +1,2 @@ +SHA512 (openjdk-jdk17u-jdk-17.0.1+12.tar.xz) = d9503de1001e42657ddb2600e1141d4169e333f0592ce3ad3c4ce14f817ca73a6bf6fb867e15930150c7b55e8fd4c4cd73d43984979e721df481a9ac7919580c +SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 From 108126b081dcb467cb7d10d3e9a6e1aa84e1ed0a Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Tue, 7 Dec 2021 15:52:30 +0100 Subject: [PATCH 03/61] Added missing files from latest and 11 --- .gitignore | 20 ++++ README.md | 11 ++- generate_source_tarball.sh | 156 ++++++++++++++++++++++++++++++ icedtea_sync.sh | 192 +++++++++++++++++++++++++++++++++++++ 4 files changed, 377 insertions(+), 2 deletions(-) create mode 100755 generate_source_tarball.sh create mode 100755 icedtea_sync.sh diff --git a/.gitignore b/.gitignore index cd592ed..1cf80ea 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,22 @@ +/jdk-jdk12-jdk-12+33.tar.xz +/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz +/jdk-updates-jdk12u-jdk-12.0.1+12.tar.xz +/jdk-jdk13-jdk-13+27.tar.xz +/jdk-jdk13-jdk-13+28.tar.xz +/jdk-jdk13-jdk-13+33.tar.xz +/jdk-updates-jdk13u-jdk-13.0.1+9.tar.xz +/jdk-updates-jdk13u-jdk-13.0.2+8.tar.xz +/jdk-jdk14-jdk-14+36.tar.xz +/jdk-updates-jdk14u-jdk-14.0.1+7.tar.xz +/jdk-updates-jdk14u-jdk-14.0.2+12.tar.xz +/jdk-jdk15-jdk-15+36.tar.xz +/jdk-updates-jdk15u-jdk-15.0.1+9.tar.xz +/tapsets-icedtea-3.15.0.tar.xz +/jdk-updates-jdk15u-jdk-15.0.2+7.tar.xz +/openjdk-jdk16-jdk-16+36.tar.xz +/openjdk-jdk16u-jdk-16.0.1+9.tar.xz +/openjdk-jdk17-jdk-17+26.tar.xz +/openjdk-jdk17-jdk-17+33.tar.xz +/openjdk-jdk17-jdk-17+35.tar.xz /openjdk-jdk17u-jdk-17.0.1+12.tar.xz /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/README.md b/README.md index b11f5d3..079e78c 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,10 @@ -# java-17-openjdk +Package of LTS OpenJDK 17 +OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. -The java-17-openjdk package +JDK17 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/17/ and is landing to your Fedora. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. + +See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html +See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf + +https://fedoraproject.org/wiki/Changes/Java17 +https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh new file mode 100755 index 0000000..1a019ff --- /dev/null +++ b/generate_source_tarball.sh 
@@ -0,0 +1,156 @@ +#!/bin/bash +# Generates the 'source tarball' for JDK projects. +# +# Example: +# When used from local repo set REPO_ROOT pointing to file:// with your repo +# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL +# If you want to use a local copy of patch PR3788, set the path to it in the PR3788 variable +# +# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: +# PROJECT_NAME=openjdk +# REPO_NAME=jdk16 +# VERSION=HEAD +# or to eg prepare systemtap: +# icedtea7's jstack and other tapsets +# VERSION=6327cf1cea9e +# REPO_NAME=icedtea7-2.6 +# PROJECT_NAME=release +# OPENJDK_URL=http://icedtea.classpath.org/hg/ +# TO_COMPRESS="*/tapset" +# +# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set) + +# This script creates a single source tarball out of the repository +# based on the given tag and removes code not allowed in fedora/rhel. For +# consistency, the source tarball will always contain 'openjdk' as the top +# level folder, name is created, based on parameter +# + +if [ ! "x$PR3823" = "x" ] ; then + if [ ! -f "$PR3823" ] ; then + echo "You have specified PR3823 as $PR3823 but it does not exist. 
Exiting" + exit 1 + fi +fi + +set -e + +OPENJDK_URL_DEFAULT=https://github.com +COMPRESSION_DEFAULT=xz + +if [ "x$1" = "xhelp" ] ; then + echo -e "Behaviour may be specified by setting the following variables:\n" + echo "VERSION - the version of the specified OpenJDK project" + echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)" + echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)" + echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" + echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" + echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" + echo "TO_COMPRESS - what part of clone to pack (default is openjdk)" + echo "PR3823 - the path to the PR3823 patch to apply (optional; downloaded if unavailable)" + exit 1; +fi + + +if [ "x$VERSION" = "x" ] ; then + echo "No VERSION specified" + exit -2 +fi +echo "Version: ${VERSION}" + +# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT +if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then + if [ "x$PROJECT_NAME" = "x" ] ; then + echo "No PROJECT_NAME specified" + exit -1 + fi + echo "Project name: ${PROJECT_NAME}" + if [ "x$REPO_NAME" = "x" ] ; then + echo "No REPO_NAME specified" + exit -3 + fi + echo "Repository name: ${REPO_NAME}" +fi + +if [ "x$OPENJDK_URL" = "x" ] ; then + OPENJDK_URL=${OPENJDK_URL_DEFAULT} + echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}" +else + echo "OpenJDK URL: ${OPENJDK_URL}" +fi + +if [ "x$COMPRESSION" = "x" ] ; then + # rhel 5 needs tar.gz + COMPRESSION=${COMPRESSION_DEFAULT} +fi +echo "Creating a tar.${COMPRESSION} archive" + +if [ "x$FILE_NAME_ROOT" = "x" ] ; then + FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION} + echo "No file name root specified; default to ${FILE_NAME_ROOT}" +fi +if [ 
"x$REPO_ROOT" = "x" ] ; then + REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git" + echo "No repository root specified; default to ${REPO_ROOT}" +fi; + +if [ "x$TO_COMPRESS" = "x" ] ; then + TO_COMPRESS="openjdk" + echo "No to be compressed targets specified, ; default to ${TO_COMPRESS}" +fi; + +if [ -d ${FILE_NAME_ROOT} ] ; then + echo "exists exists exists exists exists exists exists " + echo "reusing reusing reusing reusing reusing reusing " + echo ${FILE_NAME_ROOT} +else + mkdir "${FILE_NAME_ROOT}" + pushd "${FILE_NAME_ROOT}" + echo "Cloning ${VERSION} root repository from ${REPO_ROOT}" + git clone -b ${VERSION} ${REPO_ROOT} openjdk + popd +fi +pushd "${FILE_NAME_ROOT}" + if [ -d openjdk/src ]; then + pushd openjdk + echo "Removing EC source code we don't build" + CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl + rm -vf ${CRYPTO_PATH}/ec2.h + rm -vf ${CRYPTO_PATH}/ec2_163.c + rm -vf ${CRYPTO_PATH}/ec2_193.c + rm -vf ${CRYPTO_PATH}/ec2_233.c + rm -vf ${CRYPTO_PATH}/ec2_aff.c + rm -vf ${CRYPTO_PATH}/ec2_mont.c + rm -vf ${CRYPTO_PATH}/ecp_192.c + rm -vf ${CRYPTO_PATH}/ecp_224.c + + echo "Syncing EC list with NSS" + if [ "x$PR3823" = "x" ] ; then + # originally for 8: + # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag + # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823) + echo "PR3823 not found. Downloading..." + wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch + echo "Applying ${PWD}/pr3823.patch" + patch -Np1 < pr3823.patch + rm pr3823.patch + else + echo "Applying ${PR3823}" + patch -Np1 < $PR3823 + fi; + find . -name '*.orig' -exec rm -vf '{}' ';' + popd + fi + + echo "Compressing remaining forest" + if [ "X$COMPRESSION" = "Xxz" ] ; then + SWITCH=cJf + else + SWITCH=czf + fi + tar --exclude-vcs -$SWITCH ${FILE_NAME_ROOT}.tar.${COMPRESSION} $TO_COMPRESS + mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} .. +popd +echo "Done. 
You may want to remove the uncompressed version - $FILE_NAME_ROOT." + + diff --git a/icedtea_sync.sh b/icedtea_sync.sh new file mode 100755 index 0000000..e5c54f3 --- /dev/null +++ b/icedtea_sync.sh 
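Review bot: The download branch fetches `pr3823.patch` from the repository's `tip` and feeds it straight into `patch -Np1`, so whatever that URL serves on the day of the run is applied to the EC sources without any integrity check. Because the resulting tarball is what the package is built from, the fetch should name a fixed changeset and compare the file against a digest recorded in this script before applying it, as sketched below (both values are placeholders for the maintainer to fill in). Separately, a relative `PR3823` path passes the `-f` test at the top but no longer resolves after the two `pushd` calls, and `patch -Np1 < $PR3823` is unquoted; resolving the path once up front and quoting it would fix both.

```shell
    # … unchanged: "PR3823 not found. Downloading..." message …
    PR3823_REV="<pinned-changeset-id>"   # placeholder: changeset reviewed by the maintainer
    PR3823_SHA256="<expected-sha256>"    # placeholder: digest of the reviewed patch
    wget -O pr3823.patch \
      "https://icedtea.classpath.org/hg/icedtea16/raw-file/${PR3823_REV}/patches/pr3823.patch"
    printf '%s  %s\n' "${PR3823_SHA256}" pr3823.patch | sha256sum --check -
    # … unchanged: "Applying" message, patch -Np1, rm pr3823.patch …
```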
@@ -0,0 +1,192 @@ +#!/bin/bash + +# Copyright (C) 2019 Red Hat, Inc. +# Written by Andrew John Hughes . +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +ICEDTEA_USE_VCS=true + +ICEDTEA_VERSION=3.15.0 +ICEDTEA_URL=https://icedtea.classpath.org/download/source +ICEDTEA_SIGNING_KEY=CFDA0F9B35964222 + +ICEDTEA_HG_URL=https://icedtea.classpath.org/hg/icedtea11 + +set -e + +RPM_DIR=${PWD} +if [ ! -f ${RPM_DIR}/jconsole.desktop.in ] ; then + echo "Not in RPM source tree."; + exit 1; +fi + +if test "x${TMPDIR}" = "x"; then + TMPDIR=/tmp; +fi +WORKDIR=${TMPDIR}/it.sync + +echo "Using working directory ${WORKDIR}" +mkdir ${WORKDIR} +pushd ${WORKDIR} + +if test "x${WGET}" = "x"; then + WGET=$(which wget); + if test "x${WGET}" = "x"; then + echo "wget not found"; + exit 1; + fi +fi + +if test "x${TAR}" = "x"; then + TAR=$(which tar) + if test "x${TAR}" = "x"; then + echo "tar not found"; + exit 2; + fi +fi + +echo "Dependencies:"; +echo -e "\tWGET: ${WGET}"; +echo -e "\tTAR: ${TAR}\n"; + +if test "x${ICEDTEA_USE_VCS}" = "xtrue"; then + echo "Mode: Using VCS"; + + if test "x${GREP}" = "x"; then + GREP=$(which grep); + if test "x${GREP}" = "x"; then + echo "grep not found"; + exit 3; + fi + fi + + if test "x${CUT}" = "x"; then + CUT=$(which cut); + if test "x${CUT}" = "x"; then + echo "cut not found"; + exit 4; + fi + fi + + if test "x${TR}" = "x"; then + TR=$(which tr); + if test "x${TR}" = "x"; 
then + echo "tr not found"; + exit 5; + fi + fi + + if test "x${HG}" = "x"; then + HG=$(which hg); + if test "x${HG}" = "x"; then + echo "hg not found"; + exit 6; + fi + fi + + echo "Dependencies:"; + echo -e "\tGREP: ${GREP}"; + echo -e "\tCUT: ${CUT}"; + echo -e "\tTR: ${TR}"; + echo -e "\tHG: ${HG}"; + + echo "Checking out repository from VCS..."; + ${HG} clone ${ICEDTEA_HG_URL} icedtea + + echo "Obtaining version from configure.ac..."; + ROOT_VER=$(${GREP} '^AC_INIT' icedtea/configure.ac|${CUT} -d ',' -f 2|${TR} -d '[][:space:]') + echo "Root version from configure: ${ROOT_VER}"; + + VCS_REV=$(${HG} log -R icedtea --template '{node|short}' -r tip) + echo "VCS revision: ${VCS_REV}"; + + ICEDTEA_VERSION="${ROOT_VER}-${VCS_REV}" + echo "Creating icedtea-${ICEDTEA_VERSION}"; + mkdir icedtea-${ICEDTEA_VERSION} + echo "Copying required files from checkout to icedtea-${ICEDTEA_VERSION}"; + # Commented out for now as IcedTea 6's jconsole.desktop.in is outdated + #cp -a icedtea/jconsole.desktop.in ../icedtea-${ICEDTEA_VERSION} + cp -a ${RPM_DIR}/jconsole.desktop.in icedtea-${ICEDTEA_VERSION} + cp -a icedtea/tapset icedtea-${ICEDTEA_VERSION} + + rm -rf icedtea +else + echo "Mode: Using tarball"; + + if test "x${ICEDTEA_VERSION}" = "x"; then + echo "No IcedTea version specified for tarball download."; + exit 3; + fi + + if test "x${CHECKSUM}" = "x"; then + CHECKSUM=$(which sha256sum) + if test "x${CHECKSUM}" = "x"; then + echo "sha256sum not found"; + exit 4; + fi + fi + + if test "x${PGP}" = "x"; then + PGP=$(which gpg) + if test "x${PGP}" = "x"; then + echo "gpg not found"; + exit 5; + fi + fi + + echo "Dependencies:"; + echo -e "\tCHECKSUM: ${CHECKSUM}"; + echo -e "\tPGP: ${PGP}\n"; + + echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}..."; + if ! 
gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then + echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed."; + exit 6; + fi + + echo "Downloading IcedTea release tarball..."; + ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz + echo "Downloading IcedTea tarball signature..."; + ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig + echo "Downloading IcedTea tarball checksums..."; + ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256 + + echo "Verifying checksums..."; + ${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256 + + echo "Checking signature..."; + ${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig + + echo "Extracting files..."; + ${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \ + icedtea-${ICEDTEA_VERSION}/tapset \ + icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in + + rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz + rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig + rm -vf icedtea-${ICEDTEA_VERSION}.sha256 +fi + +echo "Replacing desktop files..."; +mv -v icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in ${RPM_DIR} + +echo "Creating new tapset tarball..."; +mv -v icedtea-${ICEDTEA_VERSION} openjdk +${TAR} cJf ${RPM_DIR}/tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz openjdk + +rm -rvf openjdk + +popd +rm -rf ${WORKDIR} From 7ae5d5bd64a15e2e84d785dc56b5fb9e62ea113a Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Fri, 5 Nov 2021 22:46:45 +0000 Subject: [PATCH 04/61] Handle Fedora in distro conditionals that currently only pertain to RHEL. --- java-17-openjdk.spec | 57 +++++++++++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 19 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index bd2d867..00a6c16 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
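Review bot: In the tarball branch, `${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig` succeeds for a good signature from any key in the caller's keyring; the earlier `gpg --list-keys ${ICEDTEA_SIGNING_KEY}` only shows that key is installed, not that it made the signature. I would bind the check to the expected signer, for example `${PGP} --status-fd 1 --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig icedtea-${ICEDTEA_VERSION}.tar.xz | grep -q "^\[GNUPG:\] VALIDSIG .*${ICEDTEA_SIGNING_KEY}"`, and store the full fingerprint rather than the 64-bit key ID. The default path (`ICEDTEA_USE_VCS=true`) has no verification at all: `${HG} clone ${ICEDTEA_HG_URL} icedtea` takes tip, so pinning a changeset there would give VCS mode a comparable guarantee. `WORKDIR=${TMPDIR}/it.sync` is also a fixed name in a shared directory; `mktemp -d` avoids collisions and pre-creation by another user.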
@@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 8 +%global rpmrelease 9 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -937,7 +937,8 @@ Requires: libXcomposite%{?_isa} Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # for java-X-openjdk package's desktop binding -%if 0%{?rhel} >= 8 +# Where recommendations are available, recommend Gtk+ for the Swing look and feel +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Recommends: gtk3%{?_isa} %endif @@ -978,8 +979,11 @@ Requires: cups-libs Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} -# for optional support of kernel stream control, card reader and printing bindings +# Where suggestions are available, recommend the sctp and pcsc libraries +# for optional support of kernel stream control and card reader +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} +%endif # Standard JPackage base provides Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} @@ -1091,7 +1095,8 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} Epoch: 1 Summary: %{origin_nice} %{featurever} Runtime Environment -%if 0%{?rhel} <= 8 +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif 
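Review bot: The `Group:` conditional introduced at `@@ -1091,7 +1095,8 @@` is true whenever `%{fedora}` is undefined, because `0%{?fedora} >= 0` then evaluates `0 >= 0`. On RHEL 9 and later the tag is therefore still emitted, contrary to the comment added above it and unlike the old `0%{?rhel} <= 8` test. Use `> 0` for the Fedora half, as the RHEL half already does: `%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} > 0 && 0%{?fedora} < 30)`. The same expression is repeated in every later `Group:` hunk of this commit (the slowdebug, fastdebug, headless, devel, jmods, demo, src and javadoc subpackages), so all of them need the change; a single `%global` holding the condition would keep them in sync.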
@@ -1254,7 +1259,7 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1267,7 +1272,7 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_fastdebug_build} %package fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1280,7 +1285,7 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_normal_build} %package headless Summary: %{origin_nice} %{featurever} Headless Runtime Environment -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1293,7 +1298,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_debug_build} %package headless-slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_headless_rpo -- %{debug_suffix_unquoted}} @@ -1305,7 +1312,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_fastdebug_build} %package headless-fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_headless_rpo -- %{fastdebug_suffix_unquoted}} 
@@ -1317,7 +1326,7 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_normal_build} %package devel Summary: %{origin_nice} %{featurever} Development Environment -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1330,7 +1339,7 @@ The %{origin_nice} %{featurever} development tools. %if %{include_debug_build} %package devel-slowdebug Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1344,7 +1353,9 @@ The %{origin_nice} %{featurever} development tools. %if %{include_fastdebug_build} %package devel-fastdebug Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Tools +%endif %{java_devel_rpo -- %{fastdebug_suffix_unquoted}} @@ -1393,7 +1404,7 @@ The %{origin_nice} %{featurever} libraries for static linking. %if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{featurever} -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1406,7 +1417,7 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_debug_build} %package jmods-slowdebug Summary: JMods for %{origin_nice} %{featurever} %{debug_on} -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif 
@@ -1420,7 +1431,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_fastdebug_build} %package jmods-fastdebug Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Tools +%endif %{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} @@ -1432,7 +1445,7 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_normal_build} %package demo Summary: %{origin_nice} %{featurever} Demos -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1445,7 +1458,7 @@ The %{origin_nice} %{featurever} demos. %if %{include_debug_build} %package demo-slowdebug Summary: %{origin_nice} %{featurever} Demos %{debug_on} -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1459,7 +1472,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_fastdebug_build} %package demo-fastdebug Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_demo_rpo -- %{fastdebug_suffix_unquoted}} @@ -1471,7 +1486,7 @@ The %{origin_nice} %{featurever} demos. %if %{include_normal_build} %package src Summary: %{origin_nice} %{featurever} Source Bundle -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1485,7 +1500,7 @@ class library source code for use by IDE indexers and debuggers. %if %{include_debug_build} %package src-slowdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif 
@@ -1499,7 +1514,9 @@ The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_n %if %{include_fastdebug_build} %package src-fastdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_src_rpo -- %{fastdebug_suffix_unquoted}} @@ -1511,7 +1528,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{featurever} API documentation -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Documentation %endif Requires: javapackages-filesystem @@ -1526,7 +1543,7 @@ The %{origin_nice} %{featurever} API documentation. %if %{include_normal_build} %package javadoc-zip Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive -%if 0%{?rhel} <= 8 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Documentation %endif Requires: javapackages-filesystem @@ -2355,6 +2372,8 @@ cjc.mainProgram(args) %endif %changelog -* Thu Nov 18 2021 Jiri Vanek - 1:17.0.0.0.35-8 -- inital import +* Mov Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9 +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +* Thu Nov 18 2021 Jiri Vanek - 1:17.0.0.0.35-8 +-- inital import From 915934814ca2c16f0285e85cf520bc46cb9d4fbf Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Tue, 7 Dec 2021 14:30:53 +0100 Subject: [PATCH 05/61] Removing tabs in whitespaced specfile for rpmlint --- java-17-openjdk.spec | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 00a6c16..c602399 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 9 +%global rpmrelease 10 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1712,14 +1712,14 @@ function buildjdk() { # to configure VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf if [ -f ${VERSION_FILE} ] ; then - EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) + EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) else - echo "Could not find OpenJDK version file."; - exit 16 + echo "Could not find OpenJDK version file."; + exit 16 fi if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then - echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; - exit 17 + echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; + exit 17 fi echo "Using output directory: ${outputdir}"; @@ -2372,7 +2372,10 @@ cjc.mainProgram(args) %endif %changelog -* Mov Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9 +* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-10.rolling +- replaced tabs by sets of spaces to make rpmlint happy + +* Mov Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9.rolling - Handle Fedora in distro conditionals that currently only pertain to RHEL. * Thu Nov 18 2021 Jiri Vanek - 1:17.0.0.0.35-8 From e6063703b69ade63c42f5ca99075bdbfcd67cd42 Mon Sep 17 00:00:00 2001 
From: Jiri Vanek Date: Tue, 7 Dec 2021 14:08:08 +0100 Subject: [PATCH 06/61] Providing proper provides for javadoc-zip subpk Before this patch, the java-17-openjdk-javadoc-zip was not existing, and instead of that, javadoc was provided by both Factm, that both subpkgs should provide javadoc, should be kept --- java-17-openjdk.spec | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index c602399..25234bf 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 10 +%global rpmrelease 11 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1058,10 +1058,10 @@ Requires(post): %{alternatives_requires} Requires(postun): %{alternatives_requires} # Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %if %is_system_jdk -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %endif } @@ -1534,7 +1534,7 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{featurever} API documentation. 
@@ -1549,7 +1549,8 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{featurever} API documentation compressed in a single archive. @@ -2372,6 +2373,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-11.rolling +- javadoc-zip got its own provides next to plain javadoc ones + * Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-10.rolling - replaced tabs by sets of spaces to make rpmlint happy From 3940005c1cc6c50a223c0e7ebf31f03d37be2ba3 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Thu, 2 Dec 2021 13:15:46 +0100 Subject: [PATCH 07/61] family extracted to globals --- java-17-openjdk.spec | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 25234bf..47e8a26 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 11 +%global rpmrelease 12 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -408,6 +408,9 @@ %global alternatives_requires %{_sbindir}/alternatives %endif +%global family %{name}.%{_arch} +%global family_noarch %{name} + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, 
@@ -440,7 +443,7 @@ fi ext=.gz alternatives \\ - --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ @@ -455,10 +458,10 @@ alternatives \\ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext for X in %{origin} %{javaver} ; do - alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} done -alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} } %define post_headless() %{expand: @@ -510,7 +513,7 @@ fi ext=.gz alternatives \\ - --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ 
@@ -577,10 +580,10 @@ alternatives \\ for X in %{origin} %{javaver} ; do alternatives \\ - --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} done -update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} } %define post_devel() %{expand: @@ -618,7 +621,7 @@ fi alternatives \\ --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ - $PRIORITY --family %{name} + $PRIORITY --family %{family_noarch} exit 0 } @@ -635,7 +638,7 @@ fi alternatives \\ --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ - $PRIORITY --family %{name} + $PRIORITY --family %{family_noarch} exit 0 } @@ -2373,6 +2376,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling +- Family extracted to globals + * Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-11.rolling - javadoc-zip got its own provides next to plain javadoc ones From 6368e50bb8bcf0c89d8bda91b0c535ec4d575c62 Mon Sep 17 00:00:00 2001 
From: Jiri Vanek Date: Mon, 13 Dec 2021 18:17:21 +0100 Subject: [PATCH 08/61] Storing and restoring alterntives during update manually Fixing: Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE The move of alternatives creation to posttrans to fix: Bug 1200302 - dnf reinstall breaks alternatives Had caused the alternatives to be removed, and then created again, instead of being added, and then removing the old, and thus persisting the selection in family Thus this fix, is storing the family of manually selected master, and if stored, then it is restoring the family of the master --- java-17-openjdk.spec | 147 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 121 insertions(+), 26 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 47e8a26..9b78b14 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 12 +%global rpmrelease 13 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -428,6 +428,50 @@ # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + %define post_script() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : 
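Review bot: `nonLocalisedAlternativesDisplayOfMaster` in `save_alternatives` sets only `LANG`, which `LC_ALL` or `LC_MESSAGES` in the transaction's environment overrides, so the `grep -q manual` test can still see localised output and a manual selection is then silently not saved. `LC_ALL=C alternatives --display "$MASTER"` pins the output language regardless of what the caller exported. In `set_if_needed_alternatives` the state file is removed before `alternatives --set $MASTER $FAMILY` runs, with unquoted arguments and an unchecked status, so a failed restore discards the saved selection without a message; `alternatives --set "$MASTER" "$FAMILY" || echo "could not restore $MASTER to $FAMILY" >&2` would at least report it. The first `rm -f` in `save_alternatives` also leaves `$FAMILY` unquoted while the write two lines below quotes it, and `LOCAL_LINK` is assigned but never read.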
@@ -436,14 +480,18 @@ exit 0 } %define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=java alternatives \\ - --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ @@ -457,11 +505,17 @@ alternatives \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext +%{set_if_needed_alternatives $key %{family}} + for X in %{origin} %{javaver} ; do - alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} } %define post_headless() %{expand: 
@@ -494,10 +548,14 @@ exit 0 %define postun_headless() %{expand: - alternatives --remove java %{jrebindir -- %{?1}}/java - alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} } %define posttrans_script() %{expand: @@ -506,14 +564,18 @@ exit 0 %define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=javac alternatives \\ - --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ 
@@ -576,14 +638,19 @@ alternatives \\ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ - %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} for X in %{origin} %{javaver} ; do - alternatives \\ - --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} } %define post_devel() %{expand: 
@@ -594,10 +661,14 @@ exit 0 } %define postun_devel() %{expand: - alternatives --remove javac %{sdkbindir -- %{?1}}/javac - alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} update-desktop-database %{_datadir}/applications &> /dev/null || : 
@@ -614,36 +685,49 @@ exit 0 } %define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -alternatives \\ - --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ - $PRIORITY --family %{family_noarch} +key=javadocdir +alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc() %{expand: - alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } %define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi - -alternatives \\ - --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ - $PRIORITY --family %{family_noarch} +key=javadoczip +alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc_zip() %{expand: - alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } 
@@ -2376,6 +2460,17 @@ cjc.mainProgram(args) %endif %changelog +* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling +- Storing and restoring alterntives during update manually +- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE +-- The move of alternatives creation to posttrans to fix: +-- Bug 1200302 - dnf reinstall breaks alternatives +-- Had caused the alternatives to be removed, and then created again, +-- instead of being added, and then removing the old, and thus persisting +-- the selection in family +-- Thus this fix, is storing the family of manually selected master, and if +-- stored, then it is restoring the family of the master + * Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling - Family extracted to globals From 7364be54874ce0dbad7306e6d96f361c1bf68288 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 13:40:02 +0000 Subject: [PATCH 09/61] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- java-17-openjdk.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 9b78b14..69c0fee 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -1169,7 +1169,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a 
@@ -2460,6 +2460,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 1:17.0.1.0.12-13.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling - Storing and restoring alterntives during update manually - Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE From 33cde0f7b63842fd24085d95036749005f6c7de0 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Mon, 24 Jan 2022 15:07:30 +0100 Subject: [PATCH 10/61] Revert "- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild" This reverts commit 7364be54874ce0dbad7306e6d96f361c1bf68288. --- java-17-openjdk.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 69c0fee..9b78b14 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -1169,7 +1169,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1 +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -2460,9 +2460,6 @@ cjc.mainProgram(args) %endif %changelog -* Thu Jan 20 2022 Fedora Release Engineering - 1:17.0.1.0.12-13.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - * Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling - Storing and restoring alterntives during update manually - Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE From bda1029633609d6e69564aa3a4aada67e4f6fe75 Mon Sep 17 00:00:00 2001 
From: Andrew John Hughes Date: Thu, 13 Jan 2022 01:12:07 +0000 Subject: [PATCH 11/61] Fix FIPS issues in native code and with initialisation of java.security.Security --- java-17-openjdk.spec | 15 ++++++++-- ...263-fips_ensure_security_initialised.patch | 28 +++++++++++++++++++ rh2021263-fips_missing_native_returns.patch | 24 ++++++++++++++++ 3 files changed, 64 insertions(+), 3 deletions(-) create mode 100644 rh2021263-fips_ensure_security_initialised.patch create mode 100644 rh2021263-fips_missing_native_returns.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 9b78b14..bf6aec3 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -298,7 +298,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 13 +%global rpmrelease 14 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1281,6 +1281,9 @@ Patch1010: rh1996182-login_to_nss_software_token.patch Patch1012: rh1996182-extend_security_policy.patch # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false Patch1013: rh1991003-enable_fips_keys_import.patch +# RH2021263: Resolve outstanding FIPS issues +Patch1014: rh2021263-fips_ensure_security_initialised.patch +Patch1015: rh2021263-fips_missing_native_returns.patch ############################################# # @@ -1700,6 +1703,9 @@ popd # openjdk %patch1011 %patch1012 %patch1013 +%patch1014 +%patch1015 + %patch2000 # Extract systemtap tapsets 
@@ -2460,7 +2466,10 @@ cjc.mainProgram(args) %endif %changelog -* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling +* Thu Jan 13 2022 Andrew Hughes - 1:17.0.1.0.12-14.rolling +- Fix FIPS issues in native code and with initialisation of java.security.Security + +* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-13.rolling - Storing and restoring alterntives during update manually - Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE -- The move of alternatives creation to posttrans to fix: @@ -2480,7 +2489,7 @@ cjc.mainProgram(args) * Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-10.rolling - replaced tabs by sets of spaces to make rpmlint happy -* Mov Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9.rolling +* Mon Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9.rolling - Handle Fedora in distro conditionals that currently only pertain to RHEL. * Thu Nov 18 2021 Jiri Vanek - 1:17.0.0.0.35-8 diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch new file mode 100644 index 0000000..8dc0122 --- /dev/null +++ b/rh2021263-fips_ensure_security_initialised.patch 
@@ -0,0 +1,28 @@
+commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
+Author: Andrew Hughes
+Date: Mon Jan 10 20:19:40 2022 +0000
+
+ RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index 5a2c9eb0c46..a1ee182d913 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -39,6 +39,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -449,6 +450,9 @@ public class SharedSecrets {
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ ensureClassInitialized(Security.class);
++ }
+ return javaSecuritySystemConfiguratorAccess;
+ }
+ }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
new file mode 100644
index 0000000..5a056ce
--- /dev/null
+++ b/rh2021263-fips_missing_native_returns.patch
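Review bot: The new null check in `getJavaSecuritySystemConfiguratorAccess()` reads the static field `javaSecuritySystemConfiguratorAccess` twice, once for the test and once for the `return`, and nothing in the hunk shows the field to be volatile. Reading it once into a local and re-reading only after `ensureClassInitialized(Security.class)` makes the returned value the one that was tested. It is also worth confirming that the static initialiser of `Security` always reaches the setter, because if it does not, this accessor still hands null to the FIPS callers. The accessor is complete within the hunk; the field declaration and its setter are outside it.

```java
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
    // Single read of the field; re-read only after forcing initialisation.
    var access = javaSecuritySystemConfiguratorAccess;
    if (access == null) {
        ensureClassInitialized(Security.class);
        access = javaSecuritySystemConfiguratorAccess;
    }
    return access;
}
```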
@@ -0,0 +1,24 @@ +commit 8f6e35dc9e9289aed290b36e260beeda76986bb5 +Author: Fridrich Strba +Date: Mon Jan 10 19:32:01 2022 +0000 + + RH2021263: Return in C code after having generated Java exception + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 38919d6bb0f..caf678a7dd6 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); + if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + fips_enabled = fgetc(fe); + fclose(fe); + if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; + } + msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ + " read character is '%c'", fips_enabled); From eacad27bf1734cd2abb2b46acb385b0d86278d47 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Tue, 18 Jan 2022 15:51:01 +0000 Subject: [PATCH 12/61] Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. Disable on x86, x86_64, ppc64le & s390x while these are broken in rawhide. --- java-17-openjdk.spec | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index bf6aec3..9bac5c5 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
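Review bot: The two added `return JNI_FALSE;` lines return the same value as a successful read on a non-FIPS system, so the error paths are distinguishable only through the pending IOException. A comment on each, such as `/* return value is ignored: an IOException is pending */`, would state that. The Java caller is outside this hunk and should be checked so that it does not catch the exception and continue as if FIPS were disabled. The comparison `fips_enabled == EOF` also relies on `fips_enabled` being declared `int` rather than `char`; the declaration is not visible here. The function body starts before the hunk and continues after it.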
@@ -99,17 +99,20 @@ %global ppc64be ppc64 ppc64p7 # Set of architectures which support multiple ABIs %global multilib_arches %{power64} sparc64 x86_64 -# Set of architectures for which we build debug builds +# Set of architectures for which we build slowdebug builds %global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler %global jit_arches %{debug_arches} %{arm} +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle %global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler %global aot_arches x86_64 %{aarch64} -%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures which support the serviceability agent %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} # Set of architectures which support class data sharing @@ -124,6 +127,13 @@ %global ssbd_arches x86_64 # Set of architectures for which java has short vector math library (libsvml.so) %global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb (ideally all) +# Temporarily disable check on x86, x86_64, ppc64le and s390x as gdb crashes +# ../../gdb/objfiles.h:510: internal-error: sect_index_data not initialized +# A problem internal to GDB has been detected, +# further debugging may prove unreliable. +# See https://bugzilla.redhat.com/show_bug.cgi?id=2041970 +%global gdb_arches sparcv9 sparc64 %{aarch64} %{arm} %{zero_arches} # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} 
@@ -298,7 +308,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 14 +%global rpmrelease 15 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -2069,20 +2079,16 @@ gdb -q "$JAVA_HOME/bin/java" < 0 -# This fails on s390x for some reason. Disable for now. See: -# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 -%ifnarch s390x +%ifarch %{gdb_arches} grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif -%endif # Check src.zip has all sources. See RHBZ#1130490 $JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' @@ -2466,6 +2472,10 @@ cjc.mainProgram(args) %endif %changelog +* Tue Jan 18 2022 Andrew Hughes - 1:17.0.1.0.12-15.rolling +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Disable on x86, x86_64, ppc64le & s390x while these are broken in rawhide. + * Thu Jan 13 2022 Andrew Hughes - 1:17.0.1.0.12-14.rolling - Fix FIPS issues in native code and with initialisation of java.security.Security From e3a510910e42a87b6b3d8af9e005123b69e48a4b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 13:40:37 +0000 Subject: [PATCH 13/61] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- java-17-openjdk.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 9bac5c5..34035d2 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -1179,7 +1179,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -2472,6 +2472,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 1:17.0.1.0.12-15.rolling.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Tue Jan 18 2022 Andrew Hughes - 1:17.0.1.0.12-15.rolling - Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. - Disable on x86, x86_64, ppc64le & s390x while these are broken in rawhide. From 62652f81a66eb1e2d824c1b827cedb5abd1a764c Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Tue, 18 Jan 2022 02:31:53 +0000 Subject: [PATCH 14/61] Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent --- java-17-openjdk.spec | 9 +- ...3-fips_separate_policy_and_fips_init.patch | 99 +++++++++++++++++++ 2 files changed, 106 insertions(+), 2 deletions(-) create mode 100644 rh2021263-fips_separate_policy_and_fips_init.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 34035d2..5c15daf 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -308,7 +308,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 12 -%global rpmrelease 15 +%global rpmrelease 16 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -1179,7 +1179,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1 +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1294,6 +1294,7 @@ Patch1013: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1015: rh2021263-fips_missing_native_returns.patch +Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch ############################################# # @@ -1715,6 +1716,7 @@ popd # openjdk %patch1013 %patch1014 %patch1015 +%patch1016 %patch2000 @@ -2472,6 +2474,9 @@ cjc.mainProgram(args) %endif %changelog +* Mon Jan 24 2022 Andrew Hughes - 1:17.0.1.0.12-16.rolling +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent + * Thu Jan 20 2022 Fedora Release Engineering - 1:17.0.1.0.12-15.rolling.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild diff --git a/rh2021263-fips_separate_policy_and_fips_init.patch b/rh2021263-fips_separate_policy_and_fips_init.patch new file mode 100644 index 0000000..b5351a8 --- /dev/null +++ b/rh2021263-fips_separate_policy_and_fips_init.patch 
@@ -0,0 +1,99 @@ +commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07 +Author: Andrew Hughes +Date: Tue Jan 18 02:09:27 2022 +0000 + + RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 28ab1846173..f9726741afd 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -61,10 +61,6 @@ public final class Security { + private static final Debug sdebug = + Debug.getInstance("properties"); + +- /* System property file*/ +- private static final String SYSTEM_PROPERTIES = +- "/etc/crypto-policies/back-ends/java.config"; +- + /* The java.security properties */ + private static Properties props; + +@@ -206,22 +202,36 @@ public final class Security { + } + } + ++ if (!loadedProps) { ++ initializeStatic(); ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties " + ++ "-- using defaults"); ++ } ++ } ++ + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { +- if (SystemConfigurator.configure(props)) { +- loadedProps = true; ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } + } + } + +- if (!loadedProps) { +- initializeStatic(); ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); + if (sdebug != null) { +- sdebug.println("unable to load security properties " + +- "-- using defaults"); ++ if (fipsEnabled) { ++ 
sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } + } + } +- + } + + /* +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 874c6221ebe..b7ed41acf0f 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -76,7 +76,7 @@ final class SystemConfigurator { + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ +- static boolean configure(Properties props) { ++ static boolean configureSysProps(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = +@@ -96,11 +96,19 @@ final class SystemConfigurator { + e.printStackTrace(); + } + } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } +- loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { From ed1d0a79baeac548ced772faa4983557e327e8ec Mon Sep 17 00:00:00 2001 
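Review bot: In the new `Security` static initialiser, `SystemConfigurator.configureFIPS(props)` is reached only inside `if (loadedProps)`, so when `java.security` could not be read the JVM carries on with the `initializeStatic()` defaults, never attempts FIPS configuration, and logs nothing about skipping it. On a host expected to run in FIPS mode this looks like a fail-open path; the only trace is the generic "unable to load security properties -- using defaults" message, which is printed only when `sdebug` is enabled. I would at least record the skip with `} else if (sdebug != null) {` / `sdebug.println("FIPS support not configured: security properties were not loaded.");` / `}`, and consider whether this case should be a hard error; whether the host is actually in FIPS mode is decided in `enableFips()`, which is outside this hunk. Separately, the local `loadedProps` in `configureFIPS` now appears to carry the "FIPS enabled" result (the caller stores it in `fipsEnabled`), so renaming it would match its meaning; that method's body continues past the end of the hunk.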
From: Andrew John Hughes Date: Mon, 24 Jan 2022 14:29:45 +0000 Subject: [PATCH 15/61] January 2022 security update to jdk 17.0.2+8 Set LTS designator on RHEL, excluding Fedora & EPEL. Rename libsvml.so to libjsvml.so following JDK-8276025 Remove JDK-8276572 patch which is now upstream. Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java --- .gitignore | 1 + NEWS | 377 ++++++++++++++++++ java-17-openjdk.spec | 32 +- ...e_libsyslookup_causes_tooling_issues.patch | 21 - rh1995150-disable_non-fips_crypto.patch | 315 +++++++-------- rh1996182-login_to_nss_software_token.patch | 6 +- sources | 2 +- 7 files changed, 558 insertions(+), 196 deletions(-) delete mode 100644 jdk8276572-fake_libsyslookup_causes_tooling_issues.patch diff --git a/.gitignore b/.gitignore index 1cf80ea..2bc3036 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ /openjdk-jdk17-jdk-17+35.tar.xz /openjdk-jdk17u-jdk-17.0.1+12.tar.xz /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz +/openjdk-jdk17u-jdk-17.0.2+8.tar.xz diff --git a/NEWS b/NEWS index 9d37ff9..78938f4 100644 --- a/NEWS +++ b/NEWS 
@@ -3,6 +3,383 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.2 (2022-01-18): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1702 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt + +* Security fixes + - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside + - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization + - JDK-8268488: More valuable DerValues + - JDK-8268494: Better inlining of inlined interfaces + - JDK-8268512: More content for ContentInfo + - JDK-8268813, CVE-2022-21283: Better String matching + - JDK-8269151: Better construction of EncryptedPrivateKeyInfo + - JDK-8269944: Better HTTP transport redux + - JDK-8270386, CVE-2022-21291: Better verification of scan methods + - JDK-8270392, CVE-2022-21293: Improve String constructions + - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps + - JDK-8270492, CVE-2022-21282: Better resolution of URIs + - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management + - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities + - JDK-8270952, CVE-2022-21277: Improve TIFF file handling + - JDK-8271962: Better TrueType font loading + - JDK-8271968: Better canonical naming + - JDK-8271987: Manifest improved manifest entries + - JDK-8272014, CVE-2022-21305: Better array indexing + - JDK-8272026, CVE-2022-21340: Verify Jar Verification + - JDK-8272236, CVE-2022-21341: Improve serial forms for transport + - JDK-8272272: Enhance jcmd communication + - JDK-8272462: Enhance image handling + - JDK-8273290: Enhance sound handling + - JDK-8273756, CVE-2022-21360: Enhance BMP image support + - JDK-8273838, CVE-2022-21365: Enhanced BMP processing + - JDK-8274096, CVE-2022-21366: Improve decoding of image files +* Other changes + - 
JDK-4819544: SwingSet2 JTable Demo throws NullPointerException + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap + - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently + - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream + - JDK-8214761: Bug in parallel Kahan summation implementation + - JDK-8223923: C2: Missing interference with mismatched unsafe accesses + - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir(). + - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name + - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines())) + - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled + - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic + - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol + - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null + - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert + - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream + - JDK-8263375: Support stack watermarks in Zero VM + - JDK-8263773: Reenable German localization for builds at Oracle + - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer + - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer + - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer + - JDK-8264292: Create implementation for NSAccessibilityList protocol peer + - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer + - 
JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer + - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer + - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer + - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer + - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer + - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer + - JDK-8266239: Some duplicated javac command-line options have repeated effect + - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color + - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true + - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl + - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility + - JDK-8267387: Create implementation for NSAccessibilityOutline protocol + - JDK-8267388: Create implementation for NSAccessibilityTable protocol + - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button" + - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs. 
+ - JDK-8268361: Fix the infinite loop in next_line + - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML + - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests + - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler + - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions + - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc + - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type + - JDK-8268893: jcmd to trim the glibc heap + - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition + - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)" + - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783 + - JDK-8269113: Javac throws when compiling switch (null) + - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java + - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException + - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString() + - JDK-8269481: SctpMultiChannel never releases own file descriptor + - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows + - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles + - JDK-8269687: pauth_aarch64.hpp include name is incorrect + - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 + - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts + - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked + - JDK-8270110: Shenandoah: Add test for JDK-8269661 + - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including 
Aqua on macOS + - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests + - JDK-8270290: NTLM authentication fails if HEAD request is used + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8270320: JDK-8270110 committed invalid copyright headers + - JDK-8270517: Add Zero support for LoongArch + - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS + - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file + - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType + - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String + - JDK-8271071: accessibility of a table on macOS lacks cell navigation + - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug + - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h + - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment + - JDK-8271215: Fix data races in G1PeriodicGCTask + - JDK-8271254: javac generates unreachable code when using empty semicolon statement + - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" + - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call + - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes + - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1 + - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop + - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java + - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity + - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. 
+ - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling + - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" + - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions + - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop + - JDK-8271605: Update JMH devkit to 1.32 + - JDK-8271718: Crash when during color transformation the color profile is replaced + - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers + - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest + - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used + - JDK-8271868: Warn user when using mac-sign option with unsigned app-image. + - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18 + - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112 + - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64 + - JDK-8272114: Unused _last_state in osThread_windows + - JDK-8272170: Missing memory barrier when checking active state for regions + - JDK-8272305: several hotspot runtime/modules don't check exit codes + - JDK-8272318: Improve performance of HeapDumpAllTest + - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher + - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes + - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions + - JDK-8272345: macos doesn't check `os::set_boot_path()` result + - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: 
java.nio.file.NoSuchFileException: /run/user/0" + - JDK-8272391: Undeleted debug information + - JDK-8272413: Incorrect num of element count calculation for vector cast + - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong + - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272570: C2: crash in PhaseCFG::global_code_motion + - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late + - JDK-8272639: jpackaged applications using microphone on mac + - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO + - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit + - JDK-8272783: Epsilon: Refactor tests to improve performance + - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests + - JDK-8272838: Move CriticalJNI tests out of tier1 + - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1 + - JDK-8272850: Drop zapping values in the Zap* option descriptions + - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test + - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag + - JDK-8272859: Javadoc external links should only have feature version number in URL + - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups + - JDK-8272970: Parallelize runtime/InvocationTests/ + - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop + - JDK-8273021: C2: Improve Add and Xor ideal optimizations + - JDK-8273026: Slow LoginContext.login() on multi threading application + - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7 + - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert + - JDK-8273176: handle latest VS2019 in abstract_vm_version + - JDK-8273229: Update OS detection code to recognize Windows Server 2022 + - JDK-8273234: extended 'for' with expression 
of type tvar causes the compiler to crash + - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit + - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT + - JDK-8273308: PatternMatchTest.java fails on CI + - JDK-8273314: Add tier4 test groups + - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test + - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory + - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods + - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs + - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 + - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size + - JDK-8273361: InfoOptsTest is failing in tier1 + - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero + - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop + - JDK-8273376: Zero: Disable vtable/itableStub gtests + - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP + - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record + - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1} + - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java + - JDK-8273450: Fix the copyright header of SVML files + - JDK-8273451: Remove unreachable return in mutexLocker::wait + - JDK-8273483: Zero: Clear pending JNI exception check in native method handler + - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option + - JDK-8273487: Zero: Handle "zero" variant in runtime tests + - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths + - JDK-8273498: compiler/c2/Test7179138_1.java timed out + - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in 
MetaspaceShared::link_shared_classes + - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure + - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated + - JDK-8273592: Backout JDK-8271868 + - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image. + - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian + - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch + - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests + - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F + - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher + - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease + - JDK-8273695: Safepoint deadlock on VMOperation_lock + - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem + - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly + - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java + - JDK-8273808: Cleanup AddFontsToX11FontPath + - JDK-8273826: Correct Manifest file name and NPE checks + - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out + - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral + - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release() + - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() + - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported + - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds + - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character + - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 
disabled + - JDK-8273968: JCK javax_xml tests fail in CI + - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects + - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM + - JDK-8274083: Update testing docs to mention tiered testing + - JDK-8274087: Windows DLL path not set correctly. + - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition + - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC + - JDK-8274215: Remove globalsignr2ca root from 17.0.2 + - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86 + - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp + - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated + - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160 + - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m + - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern + - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" + - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile + - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU + - JDK-8274381: missing CAccessibility definitions in JNI code + - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread + - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API + - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough" + - JDK-8274407: (tz) Update Timezone Data to 2021c + - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl + - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b + - JDK-8274468: TimeZoneTest.java fails with tzdata2021b + - JDK-8274501: c2i entry barriers read int as long on AArch64 + - JDK-8274521: 
jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected + - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah + - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah + - JDK-8274550: c2i entry barriers read int as long on PPC + - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah + - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test + - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 + - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume. + - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily + - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers + - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform + - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST + - JDK-8274840: Update OS detection code to recognize Windows 11 + - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior + - JDK-8274851: [ppc64] Port zgc to linux on ppc64le + - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155) + - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 + - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register + - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag + - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed + - JDK-8275104: IR framework does not handle client VM builds correctly + - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. 
+ - JDK-8275131: Exceptions after a touchpad gesture on macOS + - JDK-8275141: recover corrupted line endings for the version-numbers.conf + - JDK-8275145: file.encoding system property has an incorrect value on Windows + - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges + - JDK-8275302: unexpected compiler error: cast, intersection types and sealed + - JDK-8275426: PretouchTask num_chunks calculation can overflow + - JDK-8275604: Zero: Reformat opclabels_data + - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless + - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem + - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak + - JDK-8275766: (tz) Update Timezone Data to 2021e + - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:] + - JDK-8275811: Incorrect instance to dispose + - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective + - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e + - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings + - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml + - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency + - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance + - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3 + - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly + - JDK-8276112: Inconsistent scalar replacement debug info at safepoints + - JDK-8276122: Change openjdk project in jcheck to jdk-updates + - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme + - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test + - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 + - JDK-8276201: Shenandoah: Race results 
degenerated GC to enter wrong entry point + - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration + - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition + - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 + - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend + - JDK-8276572: Fake libsyslookup.so library causes tooling issues + - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie + - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah + - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager + - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32 + - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1 + - JDK-8276854: Windows GHA builds fail due to broken Cygwin + - JDK-8276864: Update boot JDKs to 17.0.1 in GHA + - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders + - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le + - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes + - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element + - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points + - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest] + - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches + - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE + - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint + - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup + +Notes on individual issues: +=========================== + +core-libs/java.io:serialization: + +JDK-8277157: Vector 
should throw ClassNotFoundException for a missing class of an element +========================================================================================= +`java.util.Vector` is updated to correctly report +`ClassNotFoundException that occurs during deserialization using +`java.io.ObjectInputStream.GetField.get(name, object)` when the class +of an element of the Vector is not found. Without this fix, a +`StreamCorruptedException` is thrown that does not provide information +about the missing class. + +security-libs/java.security: + +JDK-8272535: Removed Google's GlobalSign Root Certificate +========================================================= +The following root certificate from Google has been removed from the +`cacerts` keystore: + +Alias Name: globalsignr2ca [jdk] +Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 + +core-libs/java.io: + +JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows +============================================================================ +The initialization of the `file.encoding` system property on non macOS +platforms has been reverted to align with the behavior on or before +JDK 11. This has been an issue especially on Windows where the system +and user's locales are not the same. + +hotspot/gc: + +JDK-8277533: ZGC: Fixed long Process Non-Strong References times +================================================================ +A bug has been fixed that could cause long "Concurrent Process +Non-Strong References" times with ZGC. The bug blocked the GC from +making significant progress, and caused both latency and throughput +issues for the Java application. + +The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g. 
+ +[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms + +core-libs/java.time: + +JDK-8274857: Update Timezone Data to 2021c +=========================================== +IANA Time Zone Database, on which JDK's Date/Time libraries are based, +has been updated to version 2021c +(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note +that with this update, some of the time zone rules prior to the year +1970 have been modified according to the changes which were introduced +with 2021b. For more detail, refer to the announcement of 2021b +(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) + New in release OpenJDK 17.0.1 (2021-10-19): =========================================== Live versions of these release notes can be found at: diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 5c15daf..7c1bb36 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -284,7 +284,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 1 +%global updatever 2 %global patchver 0 # If you bump featurever, you must also bump vendor_version_string # Used via new version scheme. JDK 17 was @@ -294,10 +294,15 @@ # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place %global buildjdkver 17 -# We don't add any LTS designator for STS packages (this package). -# Neither for Fedora nor EPEL which would have %%{rhel} macro defined. +# We don't add any LTS designator for STS packages (Fedora and EPEL). +# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. +%if 0%{?rhel} && !0%{?epel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else %global lts_designator "" %global lts_designator_zip "" +%endif # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 
@@ -307,8 +312,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 12 -%global rpmrelease 16 +%global buildver 8 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -808,7 +813,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %ifarch %{svml_arches} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so @@ -1301,9 +1306,6 @@ Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch # OpenJDK patches in need of upstreaming # ############################################# -# JDK-8276572: Fake libsyslookup.so library causes tooling issues -Patch2000: jdk8276572-fake_libsyslookup_causes_tooling_issues.patch - BuildRequires: autoconf BuildRequires: automake @@ -1718,8 +1720,6 @@ popd # openjdk %patch1015 %patch1016 -%patch2000 - # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} 
@@ -2474,6 +2474,16 @@ cjc.mainProgram(args) %endif %changelog +* Mon Jan 24 2022 Andrew Hughes - 1:17.0.2.0.8-1.rolling +- January 2022 security update to jdk 17.0.2+8 +- Extend LTS check to exclude EPEL. +- Rename libsvml.so to libjsvml.so following JDK-8276025 +- Remove JDK-8276572 patch which is now upstream. +- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java + +* Mon Jan 24 2022 Severin Gehwolf - 1:17.0.2.0.8-1.rolling +- Set LTS designator. + * Mon Jan 24 2022 Andrew Hughes - 1:17.0.1.0.12-16.rolling - Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent diff --git a/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch b/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch deleted file mode 100644 index dee144b..0000000 --- a/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch +++ /dev/null @@ -1,21 +0,0 @@ -commit a4724332098cd8bff44ee27e9190fd28fa5c1865 -Author: Andrew John Hughes -Date: Fri Nov 5 21:05:42 2021 +0000 - - 8276572: Fake libsyslookup.so library causes tooling issues - - Reviewed-by: shade, mcimadamore - -diff --git openjdk.orig/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c openjdk/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c -index fdf99866786..b1f543bfdb7 100644 ---- openjdk.orig/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c -+++ openjdk/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c -@@ -26,3 +26,8 @@ - // Note: the include below is not strictly required, as dependencies will be pulled using linker flags. - // Adding at least one #include removes unwanted warnings on some platforms. - #include -+ -+// Simple dummy function so this library appears as a normal library to tooling. -+char* syslookup() { -+ return "syslookup"; -+} diff --git a/rh1995150-disable_non-fips_crypto.patch b/rh1995150-disable_non-fips_crypto.patch index b3d0ae7..de06552 100644 
--- a/rh1995150-disable_non-fips_crypto.patch +++ b/rh1995150-disable_non-fips_crypto.patch @@ -1,18 +1,18 @@ -diff --git openjdk/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java -index 9d4a794de1a..39e69362458 100644 ---- openjdk/src/java.base/share/classes/module-info.java +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 63bb580eb3a..238735c0c8c 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java -@@ -151,6 +151,7 @@ module java.base { - java.management, +@@ -152,6 +152,7 @@ module java.base { java.naming, java.rmi, + jdk.charsets, + jdk.crypto.ec, jdk.jartool, jdk.jlink, jdk.net, -diff --git openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 912cad59714..c5e13c98bd9 100644 ---- openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 912cad59714..7cb5ebcde51 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -30,6 +30,7 @@ import java.net.*; import java.util.*; 
@@ -52,149 +52,7 @@ index 912cad59714..c5e13c98bd9 100644 - if (NativePRNG.NonBlocking.isAvailable()) { - add(p, "SecureRandom", "NativePRNGNonBlocking", - "sun.security.provider.NativePRNG$NonBlocking", attrs); -+ if (!systemFipsEnabled) { -+ /* -+ * SecureRandom engines -+ */ -+ attrs.put("ThreadSafe", "true"); -+ if (NativePRNG.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNG", -+ "sun.security.provider.NativePRNG", attrs); -+ } -+ if (NativePRNG.Blocking.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNGBlocking", -+ "sun.security.provider.NativePRNG$Blocking", attrs); -+ } -+ if (NativePRNG.NonBlocking.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNGNonBlocking", -+ "sun.security.provider.NativePRNG$NonBlocking", attrs); -+ } -+ attrs.put("ImplementedIn", "Software"); -+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); -+ add(p, "SecureRandom", "SHA1PRNG", -+ "sun.security.provider.SecureRandom", attrs); -+ -+ /* -+ * Signature engines -+ */ -+ attrs.clear(); -+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + -+ "|java.security.interfaces.DSAPrivateKey"; -+ attrs.put("SupportedKeyClasses", dsaKeyClasses); -+ attrs.put("ImplementedIn", "Software"); -+ -+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures -+ -+ addWithAlias(p, "Signature", "SHA1withDSA", -+ "sun.security.provider.DSA$SHA1withDSA", attrs); -+ addWithAlias(p, "Signature", "NONEwithDSA", -+ "sun.security.provider.DSA$RawDSA", attrs); -+ -+ // for DSA signatures with 224/256-bit digests -+ attrs.put("KeySize", "2048"); -+ -+ addWithAlias(p, "Signature", "SHA224withDSA", -+ "sun.security.provider.DSA$SHA224withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA256withDSA", -+ "sun.security.provider.DSA$SHA256withDSA", attrs); -+ -+ addWithAlias(p, "Signature", "SHA3-224withDSA", -+ "sun.security.provider.DSA$SHA3_224withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-256withDSA", -+ "sun.security.provider.DSA$SHA3_256withDSA", 
attrs); -+ -+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests -+ -+ addWithAlias(p, "Signature", "SHA384withDSA", -+ "sun.security.provider.DSA$SHA384withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA512withDSA", -+ "sun.security.provider.DSA$SHA512withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-384withDSA", -+ "sun.security.provider.DSA$SHA3_384withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-512withDSA", -+ "sun.security.provider.DSA$SHA3_512withDSA", attrs); -+ -+ attrs.remove("KeySize"); -+ -+ add(p, "Signature", "SHA1withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -+ add(p, "Signature", "NONEwithDSAinP1363Format", -+ "sun.security.provider.DSA$RawDSAinP1363Format"); -+ add(p, "Signature", "SHA224withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -+ add(p, "Signature", "SHA256withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -+ add(p, "Signature", "SHA384withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -+ add(p, "Signature", "SHA512withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-224withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-256withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-384withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-512withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ /* -+ * Key Pair Generator engines -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only -+ -+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; -+ dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); -+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); -+ -+ /* -+ * Algorithm Parameter Generator engines -+ */ -+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", -+ "sun.security.provider.DSAParameterGenerator", attrs); -+ attrs.remove("KeySize"); -+ -+ /* -+ * Algorithm Parameter engines -+ */ -+ addWithAlias(p, "AlgorithmParameters", "DSA", -+ "sun.security.provider.DSAParameters", attrs); -+ -+ /* -+ * Key factories -+ */ -+ addWithAlias(p, "KeyFactory", "DSA", -+ "sun.security.provider.DSAKeyFactory", attrs); -+ -+ /* -+ * Digest engines -+ */ -+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); -+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", -+ attrs); -+ -+ addWithAlias(p, "MessageDigest", "SHA-224", -+ "sun.security.provider.SHA2$SHA224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-256", -+ "sun.security.provider.SHA2$SHA256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-384", -+ "sun.security.provider.SHA5$SHA384", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512", -+ "sun.security.provider.SHA5$SHA512", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512/224", -+ "sun.security.provider.SHA5$SHA512_224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512/256", -+ "sun.security.provider.SHA5$SHA512_256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-224", -+ "sun.security.provider.SHA3$SHA224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-256", -+ "sun.security.provider.SHA3$SHA256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-384", -+ "sun.security.provider.SHA3$SHA384", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-512", -+ "sun.security.provider.SHA3$SHA512", attrs); - } +- } - attrs.put("ImplementedIn", "Software"); - add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); - add(p, "SecureRandom", "SHA1PRNG", 
@@ -268,30 +126,133 @@ index 912cad59714..c5e13c98bd9 100644 - attrs.clear(); - attrs.put("ImplementedIn", "Software"); - attrs.put("KeySize", "2048"); // for DSA KPG and APG only -- ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + - String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; - dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); - addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); -- ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); 
++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ /* ++ * Key Pair Generator engines ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only + - /* - * Algorithm Parameter Generator engines - */ - addWithAlias(p, "AlgorithmParameterGenerator", "DSA", - "sun.security.provider.DSAParameterGenerator", attrs); - attrs.remove("KeySize"); -- ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); + - /* - * Algorithm Parameter engines - */ - addWithAlias(p, "AlgorithmParameters", "DSA", - "sun.security.provider.DSAParameters", attrs); -- ++ /* ++ * Algorithm Parameter Generator engines ++ */ ++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", ++ "sun.security.provider.DSAParameterGenerator", attrs); ++ attrs.remove("KeySize"); + - /* - * Key factories - */ - addWithAlias(p, "KeyFactory", "DSA", - "sun.security.provider.DSAKeyFactory", attrs); -- ++ /* ++ * Algorithm Parameter engines ++ */ ++ addWithAlias(p, "AlgorithmParameters", "DSA", ++ "sun.security.provider.DSAParameters", attrs); + - /* - * Digest engines - */ @@ -299,7 +260,12 @@ index 912cad59714..c5e13c98bd9 100644 - add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); - addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", - attrs); -- ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); + - addWithAlias(p, "MessageDigest", "SHA-224", - "sun.security.provider.SHA2$SHA224", attrs); - addWithAlias(p, "MessageDigest", "SHA-256", 
@@ -320,12 +286,41 @@ index 912cad59714..c5e13c98bd9 100644 - "sun.security.provider.SHA3$SHA384", attrs); - addWithAlias(p, "MessageDigest", "SHA3-512", - "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); ++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } /* * Certificates -diff --git openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 8c9e4f9dbe6..9eeb3013e0d 100644 ---- openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 8c9e4f9dbe6..883dc04758e 100644 +--- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +++ 
openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java @@ -38,6 +38,7 @@ import java.util.HashMap; import java.util.Iterator; diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch index 475c521..96a8204 100644 --- a/rh1996182-login_to_nss_software_token.patch +++ b/rh1996182-login_to_nss_software_token.patch @@ -5,13 +5,13 @@ Date: Sat Aug 28 00:35:44 2021 +0100 RH1996182: Login to the NSS Software Token in FIPS Mode diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java -index 39e69362458..aeb5fc2eb46 100644 +index 238735c0c8c..dbbf11bbb22 100644 --- openjdk.orig/src/java.base/share/classes/module-info.java +++ openjdk/src/java.base/share/classes/module-info.java -@@ -151,6 +151,7 @@ module java.base { - java.management, +@@ -152,6 +152,7 @@ module java.base { java.naming, java.rmi, + jdk.charsets, + jdk.crypto.cryptoki, jdk.crypto.ec, jdk.jartool, diff --git a/sources b/sources index dadd1ed..22e666f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (openjdk-jdk17u-jdk-17.0.1+12.tar.xz) = d9503de1001e42657ddb2600e1141d4169e333f0592ce3ad3c4ce14f817ca73a6bf6fb867e15930150c7b55e8fd4c4cd73d43984979e721df481a9ac7919580c SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 +SHA512 (openjdk-jdk17u-jdk-17.0.2+8.tar.xz) = 03371771574c19c38f9091eaad7c46d1638c95e5a3ab16e5ce540bf0f9dcbf8f60fd3848f75fd6fb5eb5fa35a91ca8a6a7b582ce4cf5c7cd2efe6c0957c98719 From db599045110a4f123fb7f519fce8cd65f7f5e1bd Mon Sep 17 00:00:00 2001 
From: Andrew John Hughes Date: Fri, 4 Feb 2022 15:34:46 +0000 Subject: [PATCH 16/61] Temporarily move x86 to use Zero in order to get a working build Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. Explicitly list JIT architectures rather than relying on those with slowdebug builds Disable the serviceability agent on Zero architectures even when the architecture itself is supported --- java-17-openjdk.spec | 103 ++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 30 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 7c1bb36..7fd089b 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -21,6 +21,8 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -30,6 +32,13 @@ %global include_staticlibs 0 %endif +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 
@@ -104,11 +113,11 @@ # Set of architectures for which we build fastdebug builds %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} %{arm} +%global jit_arches %{arm} %{aarch64} %{power64} s390x sparcv9 sparc64 x86_64 # Set of architectures which use the Zero assembler port (!jit_arches) -%global zero_arches ppc s390 +%global zero_arches ppc s390 %{ix86} # Set of architectures which run a full bootstrap cycle -%global bootstrap_arches %{jit_arches} +%global bootstrap_arches %{jit_arches} %{ix86} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler @@ -176,7 +185,7 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} @@ -210,6 +219,11 @@ %global release_targets images docs-zip # No docs nor bootcycle for debug builds %global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk # Filter out flags from the optflags macro that cause problems with the OpenJDK build @@ -313,7 +327,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
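Review bot: Adding `%{ix86}` to `zero_arches` and `bootstrap_arches` is described as temporary in the commit message, but nothing in the spec marks it as a workaround. The comment above `zero_arches` still reads `(!jit_arches)`, although both lists are now maintained by hand and are no longer complements of each other. A marker next to the definition would keep the workaround from quietly becoming permanent, for example `# FIXME: %%{ix86} is built with Zero only until the JIT build works again; move it back to jit_arches afterwards`.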
@@ -595,7 +609,9 @@ alternatives \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} +%ifnarch %{zero_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif %endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ @@ -808,8 +824,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %ifarch %{svml_arches} @@ -901,9 +919,11 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -1340,7 +1360,7 @@ BuildRequires: zip BuildRequires: javapackages-filesystem BuildRequires: java-latest-openjdk-devel # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif BuildRequires: tzdata-java >= 2015d @@ -1798,7 +1818,12 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -export EXTRA_CFLAGS +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +export EXTRA_CFLAGS EXTRA_CPP_FLAGS function buildjdk() { local outputdir=${1} 
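Review bot: Switching the `libffi-devel` requirement from `%ifnarch %{jit_arches}` to `%ifarch %{zero_arches}` changes which architectures fall back to Zero. Before, every architecture outside `jit_arches` did; now only `ppc`, `s390` and `%{ix86}` do. An architecture in neither list gets neither `libffi-devel` nor, in the matching configure hunk at `-1840,7`, `--with-jvm-variants=zero`, so it would presumably attempt configure's default variant. If dropping the fallback is intended, a comment such as `# Only architectures listed in zero_arches are built with Zero; there is no implicit fallback` would say so; otherwise keeping `%ifnarch %{jit_arches}` in both places preserves the old behaviour.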
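Review bot: The two added `sed` substitutions pass `${EXTRA_CFLAGS}` and `${EXTRA_CPP_FLAGS}` to `echo` unquoted, so the flag strings are word-split and glob-expanded before `sed` sees them, and `echo` may interpret a leading option-like word. Parameter expansion performs the same first-match replacement without a subshell: `EXTRA_CFLAGS="${EXTRA_CFLAGS/-mstackrealign/-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4}"`, and likewise for `EXTRA_CPP_FLAGS`. When `-mstackrealign` is not present in the incoming flags, the substitution does nothing and no stack-boundary options are added at all, which is worth a one-line comment.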
@@ -1840,7 +1865,7 @@ function buildjdk() { pushd ${outputdir} bash ${top_dir_abs_src_path}/configure \ -%ifnarch %{jit_arches} +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} 
@@ -1891,34 +1916,46 @@ function buildjdk() { function installjdk() { local imagepath=${1} - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. 
javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi } +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif + for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then @@ -1928,7 +1965,6 @@ for suffix in %{build_loop} ; do debugbuild=`echo $suffix | sed "s/-//g"` fi - systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk for loop in %{main_suffix} %{staticlibs_loop} ; do @@ -2474,6 +2510,13 @@ cjc.mainProgram(args) %endif %changelog +* Fri Feb 04 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Temporarily move x86 to use Zero in order to get a working build +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported + * Mon Jan 24 2022 Andrew Hughes - 1:17.0.2.0.8-1.rolling - January 2022 security update to jdk 17.0.2+8 - Extend LTS check to exclude EPEL. From fbc4f641987b9ea9cd628f4425c40544d8cdc9d5 Mon Sep 17 00:00:00 2001 
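Review bot: The `mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server` step in the `%if %{build_hotspot_first}` block hard-codes the `server` variant directory, while the configure hunk of this commit passes `--with-jvm-variants=zero` on `%{zero_arches}`, which now includes `%{ix86}`. If a Zero build places `libjvm.so` under a different variant directory (worth confirming against the build output), this step fails on exactly the architectures the commit is meant to unblock. Taking the directory from a per-variant macro, or skipping the fresh-libjvm step on `%{zero_arches}`, would avoid that. Separately, the new guard in `installjdk` leaves the path unquoted and turns a missing image directory into a silent no-op; `if [ -d "${imagepath}" ] ; then` with an `else` branch that logs the skip would make a failed image build easier to spot.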
From: Jiri Date: Fri, 4 Feb 2022 20:19:20 +0100 Subject: [PATCH 17/61] moved to become system jdk --- java-17-openjdk.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 7fd089b..d2f5665 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -100,7 +100,7 @@ # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) -%global is_system_jdk 0 +%global is_system_jdk 1 %global aarch64 aarch64 arm64 armv8 # we need to distinguish between big and little endian PPC64 @@ -327,7 +327,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 2 +%global rpmrelease 4 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -2510,6 +2510,9 @@ cjc.mainProgram(args) %endif %changelog +* Fri Feb 04 2022 Jiri Vanek - 1:17.0.2.0.8-4 +- moved to become system jdk + * Fri Feb 04 2022 Andrew Hughes - 1:17.0.2.0.8-2 - Temporarily move x86 to use Zero in order to get a working build - Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment From ee33a7679324c1afbeb05d0abf0978ccd3602df9 Mon Sep 17 00:00:00 2001 
From: Andrew John Hughes Date: Tue, 8 Feb 2022 02:08:49 +0000 Subject: [PATCH 18/61] Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) Need to support noarch for creating source RPMs for non-scratch builds. --- java-17-openjdk.spec | 40 ++++++++++++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index d2f5665..aa70294 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -244,51 +244,63 @@ # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap -# does not match that given by _build_cpu +# does not match that given by _target_cpu %ifarch x86_64 %global archinstall amd64 +%global stapinstall x86_64 %endif %ifarch ppc %global archinstall ppc +%global stapinstall powerpc %endif %ifarch %{ppc64be} %global archinstall ppc64 +%global stapinstall powerpc %endif %ifarch %{ppc64le} %global archinstall ppc64le +%global stapinstall powerpc %endif %ifarch %{ix86} %global archinstall i686 +%global stapinstall i386 %endif %ifarch ia64 %global archinstall ia64 +%global stapinstall ia64 %endif %ifarch s390 %global archinstall s390 +%global stapinstall s390 %endif %ifarch s390x %global archinstall s390x +%global stapinstall s390 %endif %ifarch %{arm} %global archinstall arm +%global stapinstall arm %endif %ifarch %{aarch64} %global archinstall aarch64 +%global stapinstall arm64 %endif # 32 bit sparc, optimized for v9 %ifarch sparcv9 %global archinstall sparc +%global stapinstall %{_target_cpu} %endif # 64 bit sparc %ifarch sparc64 %global archinstall sparcv9 +%global stapinstall %{_target_cpu} %endif -%ifnarch %{jit_arches} -%global archinstall %{_arch} +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} %endif - - %ifarch %{systemtap_arches} %global with_systemtap 1 %else 
@@ -327,7 +339,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 4 +%global rpmrelease 5 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -448,10 +460,10 @@ # and 32 bit architectures we place the tapsets under the arch # specific dir (note that systemtap will only pickup the tapset # for the primary arch for now). Systemtap uses the machine name -# aka build_cpu as architecture specific directory name. +# aka target_cpu as architecture specific directory name. %global tapsetroot /usr/share/systemtap %global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif # not-duplicated scriptlets for normal/debug packages @@ -1680,6 +1692,14 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv %endif %prep + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else @@ -2510,6 +2530,10 @@ cjc.mainProgram(args) %endif %changelog +* Mon Feb 07 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. + * Fri Feb 04 2022 Jiri Vanek - 1:17.0.2.0.8-4 - moved to become system jdk 
From a4b6f5006617be092f4c9b67d9bdcc87e2158aad Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Tue, 8 Feb 2022 15:51:33 +0000 Subject: [PATCH 19/61] Re-enable gdb backtrace check --- java-17-openjdk.spec | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index aa70294..a1f3aaf 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -136,13 +136,8 @@ %global ssbd_arches x86_64 # Set of architectures for which java has short vector math library (libsvml.so) %global svml_arches x86_64 -# Set of architectures where we verify backtraces with gdb (ideally all) -# Temporarily disable check on x86, x86_64, ppc64le and s390x as gdb crashes -# ../../gdb/objfiles.h:510: internal-error: sect_index_data not initialized -# A problem internal to GDB has been detected, -# further debugging may prove unreliable. -# See https://bugzilla.redhat.com/show_bug.cgi?id=2041970 -%global gdb_arches sparcv9 sparc64 %{aarch64} %{arm} %{zero_arches} +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -339,7 +334,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 5 +%global rpmrelease 6 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -2530,6 +2525,9 @@ cjc.mainProgram(args) %endif %changelog +* Mon Feb 07 2022 Severin Gehwolf - 1:17.0.2.0.8-6 +- Re-enable gdb backtrace check. + * Mon Feb 07 2022 Andrew Hughes - 1:17.0.2.0.8-5 - Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) - Need to support noarch for creating source RPMs for non-scratch builds. From 7f8f4b1f1d276578a26e5ce7c1985abdca2986bb Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Tue, 8 Feb 2022 02:13:32 +0000 Subject: [PATCH 20/61] Reinstate JIT builds on x86_32. Add JDK-8282004 to fix missing CALL effects on x86_32. --- java-17-openjdk.spec | 15 ++++++++--- jdk8282004-x86_32-missing_call_effects.patch | 28 ++++++++++++++++++++ 2 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 jdk8282004-x86_32-missing_call_effects.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index a1f3aaf..f6aaf78 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -113,11 +113,11 @@ # Set of architectures for which we build fastdebug builds %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{arm} %{aarch64} %{power64} s390x sparcv9 sparc64 x86_64 +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 # Set of architectures which use the Zero assembler port (!jit_arches) -%global zero_arches ppc s390 %{ix86} +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle -%global bootstrap_arches %{jit_arches} %{ix86} +%global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler 
@@ -334,7 +334,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 6 +%global rpmrelease 7 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1333,6 +1333,8 @@ Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch # OpenJDK patches in need of upstreaming # ############################################# +# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects +Patch7: jdk8282004-x86_32-missing_call_effects.patch BuildRequires: autoconf BuildRequires: automake @@ -1737,6 +1739,7 @@ pushd %{top_level_dir_name} %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 popd # openjdk %patch1000 @@ -2525,6 +2528,10 @@ cjc.mainProgram(args) %endif %changelog +* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Reinstate JIT builds on x86_32. +- Add JDK-8282004 to fix missing CALL effects on x86_32. + * Mon Feb 07 2022 Severin Gehwolf - 1:17.0.2.0.8-6 - Re-enable gdb backtrace check. diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch new file mode 100644 index 0000000..3efe993 --- /dev/null +++ b/jdk8282004-x86_32-missing_call_effects.patch 
@@ -0,0 +1,28 @@ +diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad +index a31a38a384f..6138ca5281f 100644 +--- a/src/hotspot/cpu/x86/x86_32.ad ++++ b/src/hotspot/cpu/x86/x86_32.ad +@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{ + %} + + // Divide Register Long +-instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{ ++instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{ + match(Set dst (DivL src1 src2)); +- effect( KILL cr, KILL cx, KILL bx ); ++ effect(CALL); + ins_cost(10000); + format %{ "PUSH $src1.hi\n\t" + "PUSH $src1.lo\n\t" +@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{ + %} + + // Remainder Register Long +-instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{ ++instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{ + match(Set dst (ModL src1 src2)); +- effect( KILL cr, KILL cx, KILL bx ); ++ effect(CALL); + ins_cost(10000); + format %{ "PUSH $src1.hi\n\t" + "PUSH $src1.lo\n\t" From 87b704d81ec002600766d11d0563307349610ae6 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Thu, 24 Feb 2022 01:09:59 +0000 Subject: [PATCH 21/61] Detect NSS at runtime for FIPS detection Turn off build-time NSS linking and go back to an explicit Requires on NSS --- java-17-openjdk.spec | 18 +- rh2052829-fips_runtime_nss_detection.patch | 213 +++++++++++++++++++++ 2 files changed, 227 insertions(+), 4 deletions(-) create mode 100644 rh2052829-fips_runtime_nss_detection.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index f6aaf78..db24254 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -334,7 +334,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 7 +%global rpmrelease 8 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1104,6 +1104,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1326,7 +1328,10 @@ Patch1013: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1015: rh2021263-fips_missing_native_returns.patch +# RH2052819: Fix FIPS reliance on crypto policies Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch +# RH2052829: Detect NSS at Runtime for FIPS detection +Patch1017: rh2052829-fips_runtime_nss_detection.patch ############################################# # @@ -1361,8 +1366,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg and FIPS support -BuildRequires: nss-devel >= 3.53 +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1757,6 +1762,7 @@ popd # openjdk %patch1014 %patch1015 %patch1016 +%patch1017 # Extract systemtap tapsets %if %{with_systemtap} 
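Review bot: The new runtime dependency `Requires: nss` (hunk at -1104) has no minimum version, and the hunk at -1361 also drops the `>= 3.53` floor from `BuildRequires: nss-devel`. The systemconf.c patch added by this commit resolves `SECMOD_GetSystemFIPSEnabled` with `dlsym` at run time; when that lookup fails it only emits a debug message and reads /proc/sys/crypto/fips_enabled instead. An installed NSS without the symbol would therefore change the FIPS detection source with no visible signal. If the old floor existed because of that symbol (presumably; the reason is not shown here), carry it over to the runtime side as `Requires: nss >= 3.53`.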
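Review bot: The bug ids attached to the FIPS patches in the hunk at -1326 do not line up, which makes these security changes harder to trace. The added comment `# RH2052819: Fix FIPS reliance on crypto policies` sits directly above `Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch`, and `Patch1017` is labelled RH2052829 while the commit message inside rh2052829-fips_runtime_nss_detection.patch says RH2051605. If these are separate trackers for the same work, say so in the comment, for example `# RH2052829 (patch commit message references RH2051605): Detect NSS at Runtime for FIPS detection`; otherwise correct whichever id is wrong.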
@@ -1900,7 +1906,7 @@ function buildjdk() { --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ - --enable-sysconf-nss \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ @@ -2528,6 +2534,10 @@ cjc.mainProgram(args) %endif %changelog +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS + * Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-7 - Reinstate JIT builds on x86_32. - Add JDK-8282004 to fix missing CALL effects on x86_32. diff --git a/rh2052829-fips_runtime_nss_detection.patch b/rh2052829-fips_runtime_nss_detection.patch new file mode 100644 index 0000000..c609fce --- /dev/null +++ b/rh2052829-fips_runtime_nss_detection.patch 
@@ -0,0 +1,213 @@ +commit 090ea0389db5c2e0c8ee13652bccd544b17872c2 +Author: Andrew Hughes +Date: Mon Feb 7 15:33:27 2022 +0000 + + RH2051605: Detect NSS at Runtime for FIPS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index caf678a7dd6..8dcb7d9073f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -23,26 +23,37 @@ + * questions. + */ + +-#include + #include + #include ++#include "jvm_md.h" + #include + + #ifdef SYSCONF_NSS + #include ++#else ++#include + #endif //SYSCONF_NSS + + #include "java_security_SystemConfigurator.h" + +-#define MSG_MAX_SIZE 96 ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); + ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read +-#ifndef SYSCONF_NSS +- +-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} + + static void throwIOException(JNIEnv *env, const char *msg) + { +@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg) + (*env)->ThrowNew(env, cls, msg); + } + +-#endif ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} + +-static void dbgPrint(JNIEnv *env, const char* msg) ++// Only used when NSS is not linked at build time 
++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) + { +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); +- } ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } + } + ++#endif ++ + /* + * Class: java_security_SystemConfigurator + * Method: JNI_OnLoad +@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ + return (*env)->GetVersion(env); + } + +@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif + (*env)->DeleteGlobalRef(env, 
debugObj); + } + } +@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +-#ifdef SYSCONF_NSS +- +- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); +- fips_enabled = SECMOD_GetSystemFIPSEnabled(); +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " SECMOD_GetSystemFIPSEnabled return value"); +- } +- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ FILE *fe; + +-#else // SYSCONF_NSS +- +- FILE *fe; +- +- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); +- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- fips_enabled = fgetc(fe); +- fclose(fe); +- if (fips_enabled == EOF) { ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); + } +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " read character is '%c'", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); +- } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " read character"); +- } +- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); +- +-#endif // SYSCONF_NSS + } From 8c47abf37c9994a9d8283b382cf6ad45ad9fe744 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 30 Mar 2022 20:15:01 +0100 Subject: [PATCH 22/61] java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18 --- java-17-openjdk.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index db24254..562b6c9 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -314,7 +314,7 @@ # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver 17 +%global buildjdkver %{featurever} # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -1372,7 +1372,7 @@ BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem -BuildRequires: java-latest-openjdk-devel +BuildRequires: java-%{buildjdkver}-openjdk-devel # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel 
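Review bot: `closeNSS` hands `nss_handle` to `dlclose` without checking it, but `loadNSS` leaves it NULL when `dlopen` fails and `JNI_OnLoad` only logs that failure, so `JNI_OnUnload` can end up calling `dlclose(NULL)`, which POSIX does not define. Guard the call with `if (nss_handle != NULL && dlclose(nss_handle) != 0) {` and clear both statics afterwards with `nss_handle = NULL; getSystemFIPSEnabled = NULL;`, so the function pointer cannot outlive the library it points into. `loadNSS` also opens `JNI_LIB_NAME("nss3")` by bare name, so which library answers the FIPS query depends on the dynamic loader's search order; a short comment above the `dlopen` stating that assumption would help whoever audits this path. The `closeNSS` call appears to sit inside a block of `JNI_OnUnload` whose opening line is outside the hunk, so confirm it runs whenever the library was loaded.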
@@ -2534,6 +2534,9 @@ cjc.mainProgram(args) %endif %changelog +* Wed Mar 30 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18 + * Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-8 - Detect NSS at runtime for FIPS detection - Turn off build-time NSS linking and go back to an explicit Requires on NSS From 8a08a43c551d78d40fb56eea17a9cea27d1f3711 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 6 Apr 2022 17:42:56 +0100 Subject: [PATCH 23/61] Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode --- java-17-openjdk.spec | 8 +- ...ble_algorithmparameters_in_fips_mode.patch | 1182 +++++++++++++++++ 2 files changed, 1189 insertions(+), 1 deletion(-) create mode 100644 rh2052070-enable_algorithmparameters_in_fips_mode.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 562b6c9..1de2899 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -334,7 +334,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 8 +%global rpmrelease 9 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1332,6 +1332,8 @@ Patch1015: rh2021263-fips_missing_native_returns.patch Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch # RH2052829: Detect NSS at Runtime for FIPS detection Patch1017: rh2052829-fips_runtime_nss_detection.patch +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch ############################################# # 
@@ -1763,6 +1765,7 @@ popd # openjdk %patch1015 %patch1016 %patch1017 +%patch1018 # Extract systemtap tapsets %if %{with_systemtap} @@ -2534,6 +2537,9 @@ cjc.mainProgram(args) %endif %changelog +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.2.0.8-9 +- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode + * Wed Mar 30 2022 Andrew Hughes - 1:17.0.2.0.8-8 - java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18 diff --git a/rh2052070-enable_algorithmparameters_in_fips_mode.patch b/rh2052070-enable_algorithmparameters_in_fips_mode.patch new file mode 100644 index 0000000..7488ea5 --- /dev/null +++ b/rh2052070-enable_algorithmparameters_in_fips_mode.patch 
@@ -0,0 +1,1182 @@ +commit 6e74f283739af0d867df01d20f82865f559a45ea +Author: Martin Balao +Date: Mon Feb 28 04:58:05 2022 +0000 + + RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode + +diff --git openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +index a020e1c15d8..6d459fdec01 100644 +--- openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ++++ openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +@@ -31,6 +31,7 @@ import java.security.SecureRandom; + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*; + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -143,285 +148,287 @@ public final class SunJCE extends Provider { + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- 
"|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- 
"com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- 
"com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- 
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- 
"com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + 
"|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", 
"AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", 
"AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", 
"PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ 
ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", 
"javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -531,197 +540,199 @@ public final class SunJCE extends Provider { + psA("AlgorithmParameters", "ChaCha20-Poly1305", + "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null); + +- /* +- * Key factories +- */ +- psA("KeyFactory", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyFactory", +- null); +- +- /* +- * Secret-key factories +- */ +- ps("SecretKeyFactory", "DES", +- "com.sun.crypto.provider.DESKeyFactory"); +- +- psA("SecretKeyFactory", "DESede", +- "com.sun.crypto.provider.DESedeKeyFactory", null); +- +- psA("SecretKeyFactory", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", +- null); +- +- /* +- * Internal in-house crypto algorithm used for +- * the JCEKS keystore type. Since this was developed +- * internally, there isn't an OID corresponding to this +- * algorithm. 
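Review bot: The context lines at the top of the `@@ -430,15 +437,17 @@` hunk show `AlgorithmParameterGenerator` `DiffieHellman` (`DHParameterGenerator`) still registered outside the new `if (!systemFipsEnabled)` block, while the DH `KeyAgreement` right below it is now withheld in FIPS mode. The SunEntries.java hunk `@@ -193,20 +193,22 @@` does the same for `DSAParameterGenerator` by moving the closing brace above it. If these generators compute domain parameters in JDK code, that work runs outside the module the guard is meant to defer to; the hunk does not show enough to confirm this. Either move both registrations under the guard or record the reason beside them, e.g. `// kept in FIPS mode: parameter generation only, see <tracking bug id>`. The enclosing method starts and ends outside the hunk.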
+- */ +- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", +- null); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); +- +- ps("SecretKeyFactory", 
"PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); +- +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- 
ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. 
+- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ psA("KeyFactory", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyFactory", ++ null); ++ ++ /* ++ * Secret-key factories ++ */ ++ ps("SecretKeyFactory", "DES", ++ "com.sun.crypto.provider.DESKeyFactory"); ++ ++ psA("SecretKeyFactory", "DESede", ++ "com.sun.crypto.provider.DESedeKeyFactory", null); ++ ++ psA("SecretKeyFactory", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", ++ null); ++ ++ /* ++ * Internal in-house crypto algorithm used for ++ * the JCEKS keystore type. Since this was developed ++ * internally, there isn't an OID corresponding to this ++ * algorithm. 
++ */ ++ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", ++ null); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); ++ ++ ps("SecretKeyFactory", 
"PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); ++ ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ 
ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. 
++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 7cb5ebcde51..709d32912ca 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -193,20 +193,22 @@ public final class SunEntries { + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? 
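Review bot: The TLS `KeyGenerator` entries (`SunTlsPrf`, `SunTls12Prf`, `SunTlsMasterSecret`, `SunTlsKeyMaterial`, `SunTlsRsaPremasterSecret`) at the end of the `@@ -531,197 +540,199 @@` hunk are now inside the guard, but the comment kept above them still says calls come here because SunPKCS11 lacks TLS 1.2 mechanisms. In FIPS mode that fallback is gone, so a handshake needing one of these names presumably fails with `NoSuchAlgorithmException` unless the NSS-backed provider supplies it; nothing in the hunk shows that it does. The comment should say so, e.g. `// Not registered in FIPS mode: TLS key derivation must then come from SunPKCS11`, and a FIPS-mode TLS 1.2 handshake test would confirm the assumption. The same guard also withholds the `JCEKS` KeyStore, every `Mac` and the `PBKDF2With*` factories, and the enclosing method starts outside the hunk.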
"Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + +- /* +- * Algorithm Parameter Generator engines +- */ +- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", +- "sun.security.provider.DSAParameterGenerator", attrs); +- attrs.remove("KeySize"); ++ /* ++ * Algorithm Parameter Generator engines ++ */ ++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", ++ "sun.security.provider.DSAParameterGenerator", attrs); ++ attrs.remove("KeySize"); + +- /* +- * Algorithm Parameter engines +- */ +- addWithAlias(p, "AlgorithmParameters", "DSA", +- "sun.security.provider.DSAParameters", attrs); ++ /* ++ * Algorithm Parameter engines ++ */ ++ addWithAlias(p, "AlgorithmParameters", "DSA", ++ "sun.security.provider.DSAParameters", attrs); + ++ if (!systemFipsEnabled) { + /* + * Key factories + */ +diff --git openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index ca79f25cc44..16c5ad2e227 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -56,49 +61,52 @@ public final class SunRsaSignEntries { + // start populating content using the specified provider 
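Review bot: The static initializer added in the SunRsaSignEntries.java hunk `@@ -36,6 +37,10 @@` dereferences `SharedSecrets.getJavaSecuritySystemConfiguratorAccess()` without a null check, so the class fails to initialize with an `ExceptionInInitializerError` if the access object has not been installed when the provider is first loaded. The hunk does not show where that object is set, so this may already be guaranteed elsewhere. If it is, a comment on the field would record the ordering, e.g. `// access object is installed before any provider class loads, see <where it is set>`. `systemFipsEnabled` is also read in the SunJCE.java and SunEntries.java hunks of this patch; a single shared helper would keep the lookup and any null handling in one place.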
+ // common attribute map + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ++ add(p, "KeyFactory", "RSA", ++ "sun.security.rsa.RSAKeyFactory$Legacy", ++ getAliases("PKCS1"), null); ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); + +- add(p, "KeyFactory", "RSA", +- "sun.security.rsa.RSAKeyFactory$Legacy", +- getAliases("PKCS1"), null); +- add(p, 
"KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ addA(p, "KeyFactory", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyFactory$PSS", attrs); ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } + +- addA(p, "KeyFactory", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); + addA(p, "AlgorithmParameters", 
"RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security +index 3a322854204..5a355e70cae 100644 +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -86,6 +86,8 @@ fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg + fips.provider.2=SUN + fips.provider.3=SunEC + fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign + + # + # A list of preferred providers for specific algorithms. These providers will From 52e513df50dce3236b17ac5f0fbc3bb9d6dea57e Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Fri, 8 Apr 2022 17:42:37 +0100 Subject: [PATCH 24/61] Update to jdk-17.0.3.0+1 Update release notes to 17.0.3.0+1 Switch to EA mode for 17.0.3 pre-release builds. Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value --- .gitignore | 1 + NEWS | 141 ++++++++++++++++++ java-17-openjdk.spec | 18 ++- jdk8283911-default_promoted_version_pre.patch | 16 ++ sources | 2 +- 5 files changed, 173 insertions(+), 5 deletions(-) create mode 100644 jdk8283911-default_promoted_version_pre.patch diff --git a/.gitignore b/.gitignore index 2bc3036..fa4239b 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /openjdk-jdk17u-jdk-17.0.1+12.tar.xz /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz /openjdk-jdk17u-jdk-17.0.2+8.tar.xz +/openjdk-jdk17u-jdk-17.0.3+1.tar.xz diff --git a/NEWS b/NEWS index 78938f4..50b37ae 100644 --- a/NEWS +++ b/NEWS 
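Review bot: The guard added in the SunRsaSignEntries.java hunk `@@ -56,49 +61,52 @@` carries no comment, and it withholds every RSA `KeyFactory`, `KeyPairGenerator` and `Signature`, including the SHA-2, SHA-3 and `RSASSA-PSS` entries, leaving only `AlgorithmParameters` `RSASSA-PSS`. A reader will take that for an algorithm-strength filter, which it is not. A comment above the `if` would state the intent, e.g. `// FIPS mode: RSA operations are left to SunPKCS11 (fips.provider.1); only PSS parameters are registered here`. `attrs` is still allocated before the guard although it is now only used inside it, so the declaration could move into the block.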
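Review bot: `fips.provider.5=SunJCE` and `fips.provider.6=SunRsaSign` put both providers on the FIPS list, so what they expose in FIPS mode is exactly what the Java hunks of this patch leave outside an `if (!systemFipsEnabled)` block. That is exclusion by wrapping: a service registration that lands outside those blocks after a rebase becomes available in FIPS mode with no change to this file and no failing check. A comment above the two entries would record the dependency, e.g. `# SunJCE and SunRsaSign register a reduced service set in FIPS mode; see the systemFipsEnabled guards in SunJCE.java and SunRsaSignEntries.java`. A test that enumerates each provider's services in FIPS mode against an expected list would catch a registration that slips outside the guards.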
@@ -3,6 +3,147 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.3 (2022-04-19): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1703 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt + +* Other changes + - JDK-8177814: jdk/editpad is not in jdk TEST.groups + - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 + - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently + - JDK-8225559: assertion error at TransTypes.visitApply + - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful + - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails + - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test + - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1 + - JDK-8251216: Implement MD5 intrinsics on AArch64 + - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost" + - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" + - JDK-8263567: gtests don't terminate the VM safely + - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark + - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups + - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it + - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only + - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM + - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file + - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java + - JDK-8269523: 
runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long' + - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error + - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" + - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor + - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity + - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty + - JDK-8271506: Add ResourceHashtable support for deleting selected entries + - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories + - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates + - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code + - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt + - JDK-8273277: C2: Move conditional negation into rc_predicate + - JDK-8273341: Update Siphash to version 1.0 + - JDK-8273351: bad tag in jdk.random module-info.java + - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12 + - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm + - JDK-8273387: remove some unreferenced gtk-related functions + - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests + - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests + - JDK-8273526: Extend the OSContainer API pids controller with pids.current + - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java + - JDK-8273682: Upgrade Jline to 3.20.0 + - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time + - 
JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 + - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions + - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 + - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform) + - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes + - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures + - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + - JDK-8274658: ISO 4217 Amendment 170 Update + - JDK-8274714: Incorrect verifier protected access error message + - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976 + - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes + - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler + - JDK-8274935: dumptime_table has stale entry + - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info + - JDK-8275082: Update XML Security for Java to 2.3.0 + - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime + - JDK-8275586: Zero: Simplify interpreter initialization + - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow + - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault + - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg + - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64 + - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 + - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException + - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock + - JDK-8275847: Scheduling fails with "too 
many D-U pinch points" on small method + - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue + - JDK-8276057: Update JMH devkit to 1.33 + - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" + - JDK-8276314: [JVMCI] check alignment of call displacement during code installation + - JDK-8276623: JDK-8275650 accidentally pushed "out" file + - JDK-8276654: element-list order is non deterministic + - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common() + - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod + - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content + - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible" + - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 + - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 + - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows + - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for + - JDK-8277385: Zero: Enable CompactStrings support + - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last + - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop + - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs + - JDK-8277497: Last column cell in the JTable row is read as empty cell + - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found." 
+ - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad + - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64 + - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording + - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 + - JDK-8278016: Add compiler tests to tier{2,3} + - JDK-8278020: ~13% variation in Renaissance-Scrabble + - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError + - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute' + - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx + - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx + - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux + - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d + - JDK-8278241: Implement JVM SpinPause on linux-aarch64 + - JDK-8278309: [windows] use of uninitialized OSThread::_state + - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output + - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec + - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT + - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic + - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column + - JDK-8278604: SwingSet2 table demo does not have accessible description set for images + - JDK-8278627: Shenandoah: TestHeapDump test failed + - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134 + - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3 + - JDK-8278824: Uneven work distribution when scanning heap roots in G1 + - JDK-8278871: [JVMCI] assert((uint)reason < 2* 
_trap_hist_limit) failed: oob + - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__ + - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t + - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 + - JDK-8279124: VM does not handle SIGQUIT during initialization + - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers + - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest + - JDK-8279379: GHA: Print tests that are in error + - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it + - JDK-8279445: Update JMH devkit to 1.34 + - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms + - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT + - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 + - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 + - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks + - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" + - JDK-8280002: jmap -histo may leak stream + - JDK-8280155: [PPC64, s390] frame size checks are not yet correct + - JDK-8280414: Memory leak in DefaultProxySelector + - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} + New in release OpenJDK 17.0.2 (2022-01-18): =========================================== Live versions of these release notes can be found at: diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 1de2899..035d14c 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -305,7 +305,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 2 +%global updatever 3 %global patchver 0 # If you bump featurever, you must also bump vendor_version_string # Used via new version scheme. JDK 17 was 
@@ -333,8 +333,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 -%global rpmrelease 9 +%global buildver 1 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -357,7 +357,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global build_type GA %global expected_ea_designator "" @@ -1342,6 +1342,8 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch ############################################# # JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects Patch7: jdk8282004-x86_32-missing_call_effects.patch +# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 +Patch2001: jdk8283911-default_promoted_version_pre.patch BuildRequires: autoconf BuildRequires: automake @@ -1767,6 +1769,8 @@ popd # openjdk %patch1017 %patch1018 +%patch2001 + # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} @@ -2537,6 +2541,12 @@ cjc.mainProgram(args) %endif %changelog +* Fri Apr 08 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value + * Wed Apr 06 2022 Andrew Hughes - 1:17.0.2.0.8-9 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode diff --git a/jdk8283911-default_promoted_version_pre.patch b/jdk8283911-default_promoted_version_pre.patch new file mode 100644 index 0000000..b94cbd5 --- /dev/null 
+++ b/jdk8283911-default_promoted_version_pre.patch @@ -0,0 +1,16 @@ +commit 37807a694f89611f60880260d2bb7162908bc0c8 +Author: Andrew Hughes +Date: Wed Mar 30 04:19:43 2022 +0100 + + 8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 + +diff --git openjdk.orig/make/conf/version-numbers.conf openjdk/make/conf/version-numbers.conf +index 71b19762f2e..7378ec67a48 100644 +--- openjdk.orig/make/conf/version-numbers.conf ++++ openjdk/make/conf/version-numbers.conf +@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0 + DEFAULT_VERSION_DOCS_API_SINCE=11 + DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17" + DEFAULT_JDK_SOURCE_TARGET_VERSION=17 +-DEFAULT_PROMOTED_VERSION_PRE= ++DEFAULT_PROMOTED_VERSION_PRE=ea diff --git a/sources b/sources index 22e666f..363f8f6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.2+8.tar.xz) = 03371771574c19c38f9091eaad7c46d1638c95e5a3ab16e5ce540bf0f9dcbf8f60fd3848f75fd6fb5eb5fa35a91ca8a6a7b582ce4cf5c7cd2efe6c0957c98719 +SHA512 (openjdk-jdk17u-jdk-17.0.3+1.tar.xz) = f6bc8ba86a3e7dcd7d5c9ac17fe0ff337b76cc654b667bd1d506778dfa76b3d140731119738fa330601f5f4751ce11c9bf9877bad403d6ed610f2c91570dd304 From a29fc2e2664f82174bee5f1e6956cbce2f0d2127 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 13 Apr 2022 03:34:46 +0100 Subject: [PATCH 25/61] Update to jdk-17.0.3.0+5 Update release notes to 17.0.3.0+5 --- .gitignore | 1 + NEWS | 42 ++++++++++++++++++++++++++++++++++++++++++ java-17-openjdk.spec | 6 +++++- sources | 2 +- 4 files changed, 49 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index fa4239b..a07e974 100644 --- a/.gitignore +++ b/.gitignore 
@@ -22,3 +22,4 @@ /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz /openjdk-jdk17u-jdk-17.0.2+8.tar.xz /openjdk-jdk17u-jdk-17.0.3+1.tar.xz +/openjdk-jdk17u-jdk-17.0.3+5.tar.xz diff --git a/NEWS b/NEWS index 50b37ae..7c85481 100644 --- a/NEWS +++ b/NEWS 
@@ -32,14 +32,21 @@ Live versions of these release notes can be found at: - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long' - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" + - JDK-8270117: Broken jtreg link in "Building the JDK" page - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity + - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty - JDK-8271506: Add ResourceHashtable support for deleting selected entries + - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code + - JDK-8272600: (test) Use native "sleep" in Basic.java + - JDK-8272866: java.util.random package summary contains incorrect mixing function in table + - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt - JDK-8273277: C2: Move conditional negation into rc_predicate - JDK-8273341: Update Siphash to version 1.0 
@@ -51,6 +58,7 @@ Live versions of these release notes can be found at: - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests - JDK-8273526: Extend the OSContainer API pids controller with pids.current - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java + - JDK-8273655: content-types.properties files are missing some common types - JDK-8273682: Upgrade Jline to 3.20.0 - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 @@ -58,8 +66,12 @@ Live versions of these release notes can be found at: - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform) - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes + - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures + - JDK-8274471: Add support for RSASSA-PSS in OCSP Response - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake + - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS - JDK-8274658: ISO 4217 Amendment 170 Update - JDK-8274714: Incorrect verifier protected access error message - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976 
@@ -69,6 +81,7 @@ Live versions of these release notes can be found at: - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info - JDK-8275082: Update XML Security for Java to 2.3.0 - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime - JDK-8275586: Zero: Simplify interpreter initialization - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow @@ -81,6 +94,7 @@ Live versions of these release notes can be found at: - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue - JDK-8276057: Update JMH devkit to 1.33 + - JDK-8276141: XPathFactory set/getProperty method - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" - JDK-8276314: [JVMCI] check alignment of call displacement during code installation - JDK-8276623: JDK-8275650 accidentally pushed "out" file 
@@ -88,32 +102,42 @@ Live versions of these release notes can be found at: - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common() - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content + - JDK-8276841: Add support for Visual Studio 2022 - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible" - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 + - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for + - JDK-8277383: VM.metaspace optionally show chunk freelist details - JDK-8277385: Zero: Enable CompactStrings support - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs + - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 - JDK-8277497: Last column cell in the JTable row is read as empty cell - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found." 
+ - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad + - JDK-8277795: ldap connection timeout not honoured under contention - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64 - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 - JDK-8278016: Add compiler tests to tier{2,3} - JDK-8278020: ~13% variation in Renaissance-Scrabble + - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute' - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx + - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux + - JDK-8278185: Custom JRE cannot find non-ASCII named module inside - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d - JDK-8278241: Implement JVM SpinPause on linux-aarch64 - JDK-8278309: [windows] use of uninitialized OSThread::_state - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output + - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic 
@@ -124,6 +148,7 @@ Live versions of these release notes can be found at: - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3 - JDK-8278824: Uneven work distribution when scanning heap roots in G1 - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob + - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__ - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 
@@ -131,18 +156,35 @@ Live versions of these release notes can be found at: - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest - JDK-8279379: GHA: Print tests that are in error + - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344 - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it - JDK-8279445: Update JMH devkit to 1.34 - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT + - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition + - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" - JDK-8280002: jmap -histo may leak stream - JDK-8280155: [PPC64, s390] frame size checks are not yet correct + - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492 - JDK-8280414: Memory leak in DefaultProxySelector - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} + - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames + - JDK-8281460: Let ObjectMonitor have its own NMT category + - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX + - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8274791: Support for RSASSA-PSS in OCSP Response +==================================================== +An OCSP response signed with the RSASSA-PSS 
algorithm is now supported. New in release OpenJDK 17.0.2 (2022-01-18): =========================================== diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 035d14c..eefa952 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -333,7 +333,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 1 +%global buildver 5 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -2541,6 +2541,10 @@ cjc.mainProgram(args) %endif %changelog +* Wed Apr 13 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 + * Fri Apr 08 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea - Update to jdk-17.0.3.0+1 - Update release notes to 17.0.3.0+1 diff --git a/sources b/sources index 363f8f6..dda3fdf 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.3+1.tar.xz) = f6bc8ba86a3e7dcd7d5c9ac17fe0ff337b76cc654b667bd1d506778dfa76b3d140731119738fa330601f5f4751ce11c9bf9877bad403d6ed610f2c91570dd304 +SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) = a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160 From 3cbe105c02a34a9a45c741b1e5ea997241cfb84b Mon Sep 17 00:00:00 2001 
From: Andrew John Hughes Date: Sun, 24 Apr 2022 22:13:48 +0100 Subject: [PATCH 26/61] April 2022 security update to jdk 17.0.3+7 Update release notes to 17.0.3.0+7 Update README.md and generate_source_tarball.sh to match CentOS Switch to GA mode for release JDK-8283911 patch no longer needed now we're GA... --- .gitignore | 2 ++ NEWS | 24 ++++++++++++++++++- README.md | 17 +++++++------ generate_source_tarball.sh | 6 ++--- java-17-openjdk.spec | 23 +++++++++++------- jdk8283911-default_promoted_version_pre.patch | 16 ------------- sources | 2 +- 7 files changed, 53 insertions(+), 37 deletions(-) delete mode 100644 jdk8283911-default_promoted_version_pre.patch diff --git a/.gitignore b/.gitignore index a07e974..9d53f89 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,5 @@ /openjdk-jdk17u-jdk-17.0.2+8.tar.xz /openjdk-jdk17u-jdk-17.0.3+1.tar.xz /openjdk-jdk17u-jdk-17.0.3+5.tar.xz +/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz +/openjdk-jdk17u-jdk-17.0.3+7.tar.xz diff --git a/NEWS b/NEWS index 7c85481..b0e58ad 100644 --- a/NEWS +++ b/NEWS 
@@ -9,6 +9,25 @@ Live versions of these release notes can be found at: * https://bitly.com/openjdk1703 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt +* Security fixes + - JDK-8269938: Enhance XML processing passes redux + - JDK-8270504, CVE-2022-21426: Better XPath expression handling + - JDK-8272255: Completely handle MIDI files + - JDK-8272261: Improve JFR recording file processing + - JDK-8272588: Enhanced recording parsing + - JDK-8272594: Better record of recordings + - JDK-8274221: More definite BER encodings + - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 + - JDK-8275151, CVE-2022-21443: Improved Object Identification + - JDK-8277227: Better identification of OIDs + - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support + - JDK-8277672, CVE-2022-21434: Better invocation handler handling + - JDK-8278356: Improve file creation + - JDK-8278449: Improve keychain support + - JDK-8278798: Improve supported intrinsic + - JDK-8278805: Enhance BMP image loading + - JDK-8278972, CVE-2022-21496: Improve URL supports + - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo * Other changes - JDK-8177814: jdk/editpad is not in jdk TEST.groups - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 @@ -79,7 +98,6 @@ Live versions of these release notes can be found at: - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler - JDK-8274935: dumptime_table has stale entry - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info - - JDK-8275082: Update XML Security for Java to 2.3.0 - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime 
@@ -175,7 +193,11 @@ Live versions of these release notes can be found at: - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames - JDK-8281460: Let ObjectMonitor have its own NMT category - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX + - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 + - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods + - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException + - JDK-8284920: Incorrect Token type causes XPath expression to return empty result Notes on individual issues: =========================== diff --git a/README.md b/README.md index 079e78c..3bfd7d2 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,13 @@ -Package of LTS OpenJDK 17 -OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. +OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform. -JDK17 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/17/ and is landing to your Fedora. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. +* https://fedoraproject.org/wiki/Changes/Java17 -See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html -See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf +For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream +release page for OpenJDK 17 and the preceding interim releases: -https://fedoraproject.org/wiki/Changes/Java17 -https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview +* 12: https://openjdk.java.net/projects/jdk/12/ +* 13: https://openjdk.java.net/projects/jdk/13/ +* 14: https://openjdk.java.net/projects/jdk/14/ +* 15: https://openjdk.java.net/projects/jdk/15/ +* 16: https://openjdk.java.net/projects/jdk/16/ +* 17: https://openjdk.java.net/projects/jdk/17/ diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 1a019ff..bf21bc4 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -8,8 +8,8 @@ # # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # PROJECT_NAME=openjdk -# REPO_NAME=jdk16 -# VERSION=HEAD +# REPO_NAME=jdk17u +# VERSION=jdk-17.0.3+5 # or to eg prepare systemtap: # icedtea7's jstack and other tapsets # VERSION=6327cf1cea9e 
@@ -130,7 +130,7 @@ pushd "${FILE_NAME_ROOT}" # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823) echo "PR3823 not found. Downloading..." - wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch + wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch echo "Applying ${PWD}/pr3823.patch" patch -Np1 < pr3823.patch rm pr3823.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index eefa952..121bd41 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -333,7 +333,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 5 +%global buildver 7 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -353,11 +353,14 @@ # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global build_type GA %global expected_ea_designator "" 
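Review bot: In the generate_source_tarball.sh hunk (`@@ -130,7 +130,7 @@`), the changed `wget` line still fetches pr3823.patch from the moving `tip` revision, and the following lines apply it with `patch -Np1 < pr3823.patch` without any integrity check, so the contents of the generated source tarball depend on whatever the new host serves at download time. Pinning the URL to a fixed changeset and checking a recorded digest before applying would close that gap, e.g. `wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/<PINNED_CHANGESET>/patches/pr3823.patch` followed by `echo "<EXPECTED_SHA256>  pr3823.patch" | sha256sum -c - || exit 1` (both bracketed values are placeholders for the maintainer to fill in). The hunk does not show whether the script runs under `set -e`, so a failed download may go unnoticed until `patch` reads a missing or partial file; an explicit `|| exit 1` on the `wget` would make that failure visible. The enclosing block starts and ends outside the hunk.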
@@ -1249,9 +1252,8 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv URL: http://openjdk.java.net/ -# to regenerate source0 (jdk) run update_package.sh -# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz +# The source tarball, generated using generate_source_tarball.sh +Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -1342,8 +1344,6 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch ############################################# # JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects Patch7: jdk8282004-x86_32-missing_call_effects.patch -# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 -Patch2001: jdk8283911-default_promoted_version_pre.patch BuildRequires: autoconf BuildRequires: automake @@ -1769,8 +1769,6 @@ popd # openjdk %patch1017 %patch1018 -%patch2001 - # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} @@ -2541,6 +2539,13 @@ cjc.mainProgram(args) %endif %changelog +* Sun Apr 24 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+7 +- Update release notes to 17.0.3.0+7 +- Update README.md and generate_source_tarball.sh to match CentOS +- Switch to GA mode for release +- JDK-8283911 patch no longer needed now we're GA... + * Wed Apr 13 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea - Update to jdk-17.0.3.0+5 - Update release notes to 17.0.3.0+5 diff --git a/jdk8283911-default_promoted_version_pre.patch b/jdk8283911-default_promoted_version_pre.patch deleted file mode 100644 index b94cbd5..0000000 --- a/jdk8283911-default_promoted_version_pre.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -commit 37807a694f89611f60880260d2bb7162908bc0c8 -Author: Andrew Hughes -Date: Wed Mar 30 04:19:43 2022 +0100 - - 8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 - -diff --git openjdk.orig/make/conf/version-numbers.conf openjdk/make/conf/version-numbers.conf -index 71b19762f2e..7378ec67a48 100644 ---- openjdk.orig/make/conf/version-numbers.conf -+++ openjdk/make/conf/version-numbers.conf -@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0 - DEFAULT_VERSION_DOCS_API_SINCE=11 - DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17" - DEFAULT_JDK_SOURCE_TARGET_VERSION=17 --DEFAULT_PROMOTED_VERSION_PRE= -+DEFAULT_PROMOTED_VERSION_PRE=ea diff --git a/sources b/sources index dda3fdf..e4816a7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) = a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160 +SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567 From 756a991906919de0d448abf84e9a66cf96dc6afd Mon Sep 17 00:00:00 2001 
From: Andrew John Hughes Date: Mon, 13 Jun 2022 00:05:38 +0100 Subject: [PATCH 27/61] Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch RH2023467: Enable FIPS keys export RH2094027: SunEC runtime permission for FIPS --- fips-17u-3625385b13d.patch | 3589 +++++++++++++++++ java-17-openjdk.spec | 64 +- ...ort_fedora_rhel_system_crypto_policy.patch | 88 - pr3695-toggle_system_crypto_policy.patch | 78 - ...ut_nss_cfg_provider_to_java_security.patch | 10 +- rh1655466-global_crypto_and_fips.patch | 205 - rh1818909-fips_default_keystore_type.patch | 52 - rh1860986-disable_tlsv1.3_in_fips_mode.patch | 318 -- ...lways_initialise_configurator_access.patch | 70 - ...-dont_define_unused_throwioexception.patch | 69 - rh1929465-improve_system_FIPS_detection.patch | 428 -- rh1991003-enable_fips_keys_import.patch | 579 --- rh1995150-disable_non-fips_crypto.patch | 591 --- rh1996182-extend_security_policy.patch | 18 - rh1996182-login_to_nss_software_token.patch | 65 - ...263-fips_ensure_security_initialised.patch | 28 - rh2021263-fips_missing_native_returns.patch | 24 - ...3-fips_separate_policy_and_fips_init.patch | 99 - ...ble_algorithmparameters_in_fips_mode.patch | 1182 ------ rh2052829-fips_runtime_nss_detection.patch | 213 - 20 files changed, 3618 insertions(+), 4152 deletions(-) create mode 100644 fips-17u-3625385b13d.patch delete mode 100644 pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch delete mode 100644 pr3695-toggle_system_crypto_policy.patch delete mode 100644 rh1655466-global_crypto_and_fips.patch delete mode 100644 rh1818909-fips_default_keystore_type.patch delete mode 100644 rh1860986-disable_tlsv1.3_in_fips_mode.patch delete mode 100644 rh1915071-always_initialise_configurator_access.patch delete mode 100644 rh1929465-dont_define_unused_throwioexception.patch delete mode 100644 rh1929465-improve_system_FIPS_detection.patch delete mode 
100644 rh1991003-enable_fips_keys_import.patch delete mode 100644 rh1995150-disable_non-fips_crypto.patch delete mode 100644 rh1996182-extend_security_policy.patch delete mode 100644 rh1996182-login_to_nss_software_token.patch delete mode 100644 rh2021263-fips_ensure_security_initialised.patch delete mode 100644 rh2021263-fips_missing_native_returns.patch delete mode 100644 rh2021263-fips_separate_policy_and_fips_init.patch delete mode 100644 rh2052070-enable_algorithmparameters_in_fips_mode.patch delete mode 100644 rh2052829-fips_runtime_nss_detection.patch diff --git a/fips-17u-3625385b13d.patch b/fips-17u-3625385b13d.patch new file mode 100644 index 0000000..eecef3b --- /dev/null +++ b/fips-17u-3625385b13d.patch 
@@ -0,0 +1,3589 @@ +diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 +new file mode 100644 +index 00000000000..b2b1c1787da +--- /dev/null ++++ b/make/autoconf/lib-sysconf.m4 +@@ -0,0 +1,84 @@ ++# ++# Copyright (c) 2021, Red Hat, Inc. ++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++# ++# This code is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License version 2 only, as ++# published by the Free Software Foundation. Oracle designates this ++# particular file as subject to the "Classpath" exception as provided ++# by Oracle in the LICENSE file that accompanied this code. ++# ++# This code is distributed in the hope that it will be useful, but WITHOUT ++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# version 2 for more details (a copy is included in the LICENSE file that ++# accompanied this code). ++# ++# You should have received a copy of the GNU General Public License version ++# 2 along with this work; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++# ++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++# or visit www.oracle.com if you need additional information or have any ++# questions. 
++# ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. 
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index a65d91ee974..a8f054c1397 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) + m4_include([lib-x11.m4]) + m4_include([lib-fontconfig.m4]) + m4_include([lib-tests.m4]) ++m4_include([lib-sysconf.m4]) + + ################################################################################ + # Determine which libraries are needed for this configuration +@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS + LIB_TESTS_SETUP_GTEST ++ LIB_SETUP_SYSCONF_LIBS + + BASIC_JDKLIB_LIBS="" + if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index c2c9c4adf3a..9d105b37acf 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk +index 5658ff342e5..cb7a56852f7 100644 +--- a/make/modules/java.base/Lib.gmk ++++ b/make/modules/java.base/Lib.gmk +@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := 
systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..8dcb7d9073f +--- /dev/null ++++ b/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -0,0 +1,224 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static 
void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL 
DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); ++ } ++} +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +index a020e1c15d8..6d459fdec01 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +@@ -31,6 +31,7 @@ import java.security.SecureRandom; + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*; + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -143,285 +148,287 @@ public final class SunJCE extends Provider { + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- 
"|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- 
"com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- 
attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", 
"PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- 
"com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", 
++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", 
"AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", 
"AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", 
"PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ 
"com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement 
engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -531,197 +540,199 @@ public final class SunJCE extends Provider { + psA("AlgorithmParameters", "ChaCha20-Poly1305", + "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null); + +- /* +- * Key factories +- */ +- psA("KeyFactory", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyFactory", +- null); +- +- /* +- * Secret-key factories +- */ +- ps("SecretKeyFactory", "DES", +- "com.sun.crypto.provider.DESKeyFactory"); +- +- psA("SecretKeyFactory", "DESede", +- "com.sun.crypto.provider.DESedeKeyFactory", null); +- +- psA("SecretKeyFactory", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", +- null); +- +- /* +- * Internal in-house crypto algorithm used for +- * the JCEKS keystore type. Since this was developed +- * internally, there isn't an OID corresponding to this +- * algorithm. 
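Review bot: The `if (!systemFipsEnabled)` guard added around the DiffieHellman KeyAgreement registration has no comment saying which services are meant to stay registered in FIPS mode, and the same holds for the guard in the following hunk (`@@ -531,197 +540,199 @@`) around the key factories, MACs, the JCEKS KeyStore and the TLS key generators. From the visible context the AlgorithmParameterGenerator and AlgorithmParameters entries sit between the guards and remain registered, which looks deliberate but is not stated anywhere. A short comment on each guard would let an auditor check the remaining set without diffing against upstream, for example `// FIPS mode: only parameter engines stay registered here; ciphers, MACs and key services come from the fips.provider.N list`. The enclosing method starts and ends outside this hunk and the assignment of `systemFipsEnabled` is not visible here, so the wording should be confirmed against that code.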
+- */ +- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", +- null); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); +- +- ps("SecretKeyFactory", 
"PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); +- +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- 
ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. 
+- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ psA("KeyFactory", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyFactory", ++ null); ++ ++ /* ++ * Secret-key factories ++ */ ++ ps("SecretKeyFactory", "DES", ++ "com.sun.crypto.provider.DESKeyFactory"); ++ ++ psA("SecretKeyFactory", "DESede", ++ "com.sun.crypto.provider.DESedeKeyFactory", null); ++ ++ psA("SecretKeyFactory", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", ++ null); ++ ++ /* ++ * Internal in-house crypto algorithm used for ++ * the JCEKS keystore type. Since this was developed ++ * internally, there isn't an OID corresponding to this ++ * algorithm. 
++ */ ++ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", ++ null); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); ++ ++ ps("SecretKeyFactory", 
"PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); ++ ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ 
ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. 
++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index ff2bc942c03..d303ae5c8f3 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -47,6 +48,9 @@ import sun.security.jca.*; + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ +@@ -67,6 +71,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -99,6 +116,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -193,6 +211,28 @@ public final class Security { + } + } + ++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); ++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && ++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } ++ } ++ } + } + + /* +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..da2af5defda +--- 
/dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,245 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. 
++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ @SuppressWarnings("removal") ++ var dummy = AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. 
++ */ ++ static boolean configureSysProps(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." 
+ n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS 
alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /* ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. 
++ */ ++ private static boolean enableFips() throws Exception { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } else { ++ return false; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..3f3caac64dc +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). 
++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.access; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +index f6d3638c3dd..a1ee182d913 100644 +--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +@@ -39,6 +39,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -81,6 +82,7 @@ public class SharedSecrets { + private static JavaSecuritySpecAccess javaSecuritySpecAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; + private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { + javaUtilCollectionAccess = juca; +@@ -442,4 +444,15 @@ public class SharedSecrets { + MethodHandles.lookup().ensureInitialized(c); + } catch (IllegalAccessException e) {} + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public 
static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 63bb580eb3a..dbbf11bbb22 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -152,6 +152,8 @@ module java.base { + java.naming, + java.rmi, + jdk.charsets, ++ jdk.crypto.cryptoki, ++ jdk.crypto.ec, + jdk.jartool, + jdk.jlink, + jdk.net, +diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 912cad59714..709d32912ca 100644 +--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -30,6 +30,7 @@ import java.net.*; + import java.util.*; + import java.security.*; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.action.GetPropertyAction; + import sun.security.util.SecurityProviderConstants; +@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + + public final class SunEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + // the default algo used by SecureRandom class for new SecureRandom() calls + public static final String DEF_SECURE_RANDOM_ALGO; + +@@ -94,99 +99,101 @@ public final class SunEntries { + // common attribute map + HashMap attrs = new HashMap<>(3); + +- /* +- * SecureRandom engines +- */ +- attrs.put("ThreadSafe", "true"); +- if (NativePRNG.isAvailable()) { +- add(p, "SecureRandom", "NativePRNG", +- "sun.security.provider.NativePRNG", attrs); +- } +- if 
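Review bot: `getJavaSecuritySystemConfiguratorAccess()` can still return null after `ensureClassInitialized(Security.class)`, and every caller added by this patch dereferences the result at once. `SunEntries`, `SunRsaSignEntries`, `SSLContextImpl` and `SunJSSE` all chain `.isSystemFipsEnabled()`, some of them in static initialisers. The call that registers the accessor is outside this hunk, so it cannot be confirmed from here that it runs on every path through the initialiser of `Security`. If it is ever skipped, or a provider class is loaded while `Security` is still initialising, the result is a NullPointerException inside a static initialiser rather than a defined FIPS state. I would fail explicitly in the getter, e.g. `if (javaSecuritySystemConfiguratorAccess == null) throw new InternalError("SystemConfigurator access not registered");`.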
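Review bot: The two modules added to this qualified export gain the whole exported package, not only the FIPS accessor. The `exports` clause itself is above the hunk, but the matching `accessClassInPackage.jdk.internal.access` grants in the `default.policy` hunks suggest it is `jdk.internal.access`, which also holds `SharedSecrets` and every other accessor registered there. Nothing in the patch records why `jdk.crypto.cryptoki` and `jdk.crypto.ec` need it. A comment on the policy grants such as `// needed to read the system FIPS state through SharedSecrets` would keep the widened access reviewable when the FIPS patches are rebased.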
(NativePRNG.Blocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGBlocking", +- "sun.security.provider.NativePRNG$Blocking", attrs); +- } +- if (NativePRNG.NonBlocking.isAvailable()) { +- add(p, "SecureRandom", "NativePRNGNonBlocking", +- "sun.security.provider.NativePRNG$NonBlocking", attrs); +- } +- attrs.put("ImplementedIn", "Software"); +- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); +- add(p, "SecureRandom", "SHA1PRNG", +- "sun.security.provider.SecureRandom", attrs); +- +- /* +- * Signature engines +- */ +- attrs.clear(); +- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + +- "|java.security.interfaces.DSAPrivateKey"; +- attrs.put("SupportedKeyClasses", dsaKeyClasses); +- attrs.put("ImplementedIn", "Software"); +- +- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures +- +- addWithAlias(p, "Signature", "SHA1withDSA", +- "sun.security.provider.DSA$SHA1withDSA", attrs); +- addWithAlias(p, "Signature", "NONEwithDSA", +- "sun.security.provider.DSA$RawDSA", attrs); +- +- // for DSA signatures with 224/256-bit digests +- attrs.put("KeySize", "2048"); +- +- addWithAlias(p, "Signature", "SHA224withDSA", +- "sun.security.provider.DSA$SHA224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA256withDSA", +- "sun.security.provider.DSA$SHA256withDSA", attrs); +- +- addWithAlias(p, "Signature", "SHA3-224withDSA", +- "sun.security.provider.DSA$SHA3_224withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-256withDSA", +- "sun.security.provider.DSA$SHA3_256withDSA", attrs); +- +- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests +- +- addWithAlias(p, "Signature", "SHA384withDSA", +- "sun.security.provider.DSA$SHA384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA512withDSA", +- "sun.security.provider.DSA$SHA512withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-384withDSA", +- "sun.security.provider.DSA$SHA3_384withDSA", attrs); +- addWithAlias(p, "Signature", "SHA3-512withDSA", 
+- "sun.security.provider.DSA$SHA3_512withDSA", attrs); +- +- attrs.remove("KeySize"); ++ if (!systemFipsEnabled) { ++ /* ++ * SecureRandom engines ++ */ ++ attrs.put("ThreadSafe", "true"); ++ if (NativePRNG.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNG", ++ "sun.security.provider.NativePRNG", attrs); ++ } ++ if (NativePRNG.Blocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGBlocking", ++ "sun.security.provider.NativePRNG$Blocking", attrs); ++ } ++ if (NativePRNG.NonBlocking.isAvailable()) { ++ add(p, "SecureRandom", "NativePRNGNonBlocking", ++ "sun.security.provider.NativePRNG$NonBlocking", attrs); ++ } ++ attrs.put("ImplementedIn", "Software"); ++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); ++ add(p, "SecureRandom", "SHA1PRNG", ++ "sun.security.provider.SecureRandom", attrs); + +- add(p, "Signature", "SHA1withDSAinP1363Format", +- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); +- add(p, "Signature", "NONEwithDSAinP1363Format", +- "sun.security.provider.DSA$RawDSAinP1363Format"); +- add(p, "Signature", "SHA224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); +- add(p, "Signature", "SHA256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); +- add(p, "Signature", "SHA384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); +- add(p, "Signature", "SHA512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); +- add(p, "Signature", "SHA3-224withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); +- add(p, "Signature", "SHA3-256withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); +- add(p, "Signature", "SHA3-384withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); +- add(p, "Signature", "SHA3-512withDSAinP1363Format", +- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); +- /* +- * Key Pair Generator 
engines +- */ +- attrs.clear(); +- attrs.put("ImplementedIn", "Software"); +- attrs.put("KeySize", "2048"); // for DSA KPG and APG only ++ /* ++ * Signature engines ++ */ ++ attrs.clear(); ++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + ++ "|java.security.interfaces.DSAPrivateKey"; ++ attrs.put("SupportedKeyClasses", dsaKeyClasses); ++ attrs.put("ImplementedIn", "Software"); ++ ++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures ++ ++ addWithAlias(p, "Signature", "SHA1withDSA", ++ "sun.security.provider.DSA$SHA1withDSA", attrs); ++ addWithAlias(p, "Signature", "NONEwithDSA", ++ "sun.security.provider.DSA$RawDSA", attrs); ++ ++ // for DSA signatures with 224/256-bit digests ++ attrs.put("KeySize", "2048"); ++ ++ addWithAlias(p, "Signature", "SHA224withDSA", ++ "sun.security.provider.DSA$SHA224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA256withDSA", ++ "sun.security.provider.DSA$SHA256withDSA", attrs); ++ ++ addWithAlias(p, "Signature", "SHA3-224withDSA", ++ "sun.security.provider.DSA$SHA3_224withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-256withDSA", ++ "sun.security.provider.DSA$SHA3_256withDSA", attrs); ++ ++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests ++ ++ addWithAlias(p, "Signature", "SHA384withDSA", ++ "sun.security.provider.DSA$SHA384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA512withDSA", ++ "sun.security.provider.DSA$SHA512withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-384withDSA", ++ "sun.security.provider.DSA$SHA3_384withDSA", attrs); ++ addWithAlias(p, "Signature", "SHA3-512withDSA", ++ "sun.security.provider.DSA$SHA3_512withDSA", attrs); ++ ++ attrs.remove("KeySize"); ++ ++ add(p, "Signature", "SHA1withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); ++ add(p, "Signature", "NONEwithDSAinP1363Format", ++ "sun.security.provider.DSA$RawDSAinP1363Format"); ++ add(p, "Signature", "SHA224withDSAinP1363Format", ++ 
"sun.security.provider.DSA$SHA224withDSAinP1363Format"); ++ add(p, "Signature", "SHA256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); ++ add(p, "Signature", "SHA384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); ++ add(p, "Signature", "SHA512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-224withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-256withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-384withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); ++ add(p, "Signature", "SHA3-512withDSAinP1363Format", ++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); ++ /* ++ * Key Pair Generator engines ++ */ ++ attrs.clear(); ++ attrs.put("ImplementedIn", "Software"); ++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only + +- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; +- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); +- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; ++ dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); ++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + + /* + * Algorithm Parameter Generator engines +@@ -201,40 +208,42 @@ public final class SunEntries { + addWithAlias(p, "AlgorithmParameters", "DSA", + "sun.security.provider.DSAParameters", attrs); + +- /* +- * Key factories +- */ +- addWithAlias(p, "KeyFactory", "DSA", +- "sun.security.provider.DSAKeyFactory", attrs); +- +- /* +- * Digest engines +- */ +- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); +- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); +- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ addWithAlias(p, "KeyFactory", "DSA", ++ "sun.security.provider.DSAKeyFactory", attrs); + +- addWithAlias(p, "MessageDigest", "SHA-224", +- "sun.security.provider.SHA2$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-256", +- "sun.security.provider.SHA2$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA-384", +- "sun.security.provider.SHA5$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512", +- "sun.security.provider.SHA5$SHA512", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/224", +- "sun.security.provider.SHA5$SHA512_224", attrs); +- addWithAlias(p, "MessageDigest", "SHA-512/256", +- "sun.security.provider.SHA5$SHA512_256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-224", +- "sun.security.provider.SHA3$SHA224", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-256", +- "sun.security.provider.SHA3$SHA256", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-384", +- "sun.security.provider.SHA3$SHA384", attrs); +- addWithAlias(p, "MessageDigest", "SHA3-512", +- "sun.security.provider.SHA3$SHA512", attrs); ++ /* ++ * Digest engines ++ */ ++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); ++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); ++ addWithAlias(p, 
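Review bot: Wrapping the Key Pair Generator setup in `if (!systemFipsEnabled)` also skips `attrs.clear(); attrs.put("ImplementedIn", "Software"); attrs.put("KeySize", "2048");`, which the inline comment says is "for DSA KPG and APG only". Services registered after the block still pass `attrs`; the `AlgorithmParameters`/`DSA` call is visible as context in the next hunk. In FIPS mode those calls therefore receive an empty attribute map, where the non-FIPS path gives them `ImplementedIn=Software`. Whether anything selects on those attributes is not visible here, but the difference looks accidental, and moving the three `attrs` statements below the closing brace of the guard keeps both modes consistent. The enclosing method starts and ends outside the hunk.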
"MessageDigest", "SHA-1", "sun.security.provider.SHA", ++ attrs); ++ ++ addWithAlias(p, "MessageDigest", "SHA-224", ++ "sun.security.provider.SHA2$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-256", ++ "sun.security.provider.SHA2$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-384", ++ "sun.security.provider.SHA5$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512", ++ "sun.security.provider.SHA5$SHA512", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/224", ++ "sun.security.provider.SHA5$SHA512_224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA-512/256", ++ "sun.security.provider.SHA5$SHA512_256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-224", ++ "sun.security.provider.SHA3$SHA224", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-256", ++ "sun.security.provider.SHA3$SHA256", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-384", ++ "sun.security.provider.SHA3$SHA384", attrs); ++ addWithAlias(p, "MessageDigest", "SHA3-512", ++ "sun.security.provider.SHA3$SHA512", attrs); ++ } + + /* + * Certificates +diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index ca79f25cc44..225517ac69b 100644 +--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, 
HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { + // start populating content using the specified provider + // common attribute map + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ } + + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", 
"SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ 
"sun.security.rsa.RSAPSSSignature", attrs); ++ } ++ + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index 6ffdfeda18d..775b185fb06 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -32,6 +32,7 @@ import java.security.cert.*; + import java.util.*; + import java.util.concurrent.locks.ReentrantLock; + import javax.net.ssl.*; ++import jdk.internal.access.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { + private static final List serverDefaultCipherSuites; + + static { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10, +- ProtocolVersion.SSL30, +- ProtocolVersion.SSL20Hello +- ); +- +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10, ++ ProtocolVersion.SSL30, ++ ProtocolVersion.SSL20Hello ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + + supportedCipherSuites = getApplicableSupportedCipherSuites( + supportedProtocols); +@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + ProtocolVersion[] candidates; + if (refactored.isEmpty()) { + // Client and server use the same default protocols. +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + // Use the customized TLS protocols. 
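Review bot: The FIPS branch of this static initialiser removes TLS 1.3 and the SSL entries but still lists `ProtocolVersion.TLS11` and `ProtocolVersion.TLS10` in both `supportedProtocols` and `serverDefaultProtocols`. The client `candidates` array in the hunk at `-842,12` does the same. Both versions are deprecated by RFC 8996, so in FIPS mode they stay out of a handshake only if `getAvailableProtocols` filters them through the disabled-algorithms configuration, which this patch does not show. If that reliance is intended, say so next to the RH1860986 comment, e.g. `// TLSv1.1 and TLSv1 stay listed; jdk.tls.disabledAlgorithms decides whether they are usable`. Otherwise drop them from the FIPS lists.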
+ candidates = +diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +index 894e26dfad8..8b16378b96b 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ++++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +@@ -27,6 +27,8 @@ package sun.security.ssl; + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + + /** +@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + List.of("SSL"), null); +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 6d91e3f8e4e..5a355e70cae 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -79,6 +79,16 @@ security.provider.tbd=Apple + #endif + security.provider.tbd=SunPKCS11 + ++# ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign ++ + # + # A list of preferred providers for specific algorithms. 
These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -326,6 +341,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=true ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy +index b22f26947af..3ee2ce6ea88 100644 +--- a/src/java.base/share/lib/security/default.policy ++++ b/src/java.base/share/lib/security/default.policy +@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; +diff --git 
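Review bot: The `fips.provider.N` entries must be numbered consecutively from 1, and the comment added in the `-79,6` hunk does not say so. `configureFIPS`, earlier in this patch, reads `fips.provider.1`, `fips.provider.2` and so on, and stops at the first missing key. By then it has already removed every `security.provider*` entry, so commenting out one line silently drops all later providers. Add a line to the comment block, for example `# Entries must be numbered consecutively from 1; reading stops at the first gap.`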
a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..9bb31555f48 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,490 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ // Do not take the exporterKeyLock with the importerKeyLock held. 
++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; ++ ++ private static volatile Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static volatile KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. 
++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? 
v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? 
v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); ++ } ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. 
++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. 
++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey ++ ); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = 
rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... 
validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. 
++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. 
++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index 9b69072280e..b403e6d3c6d 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; + */ + abstract class P11Key implements Key, Length { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final long serialVersionUID = -2575874101938349339L; + + private static final String PUBLIC = "public"; +@@ -379,7 +384,8 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_SENSITIVE), + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); +- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { ++ if (!plainKeySupportEnabled && (attributes[1].getBoolean() || ++ (attributes[2].getBoolean() == false))) { + return new P11PrivateKey + (session, keyID, algorithm, keyLength, attributes); + } else { +@@ -461,7 +467,8 @@ abstract class P11Key implements Key, Length { + } + public String getFormat() { + token.ensureValid(); +- if (sensitive || (extractable == false)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || (extractable == false))) { + return null; + } else { + return "RAW"; +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java 
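Review bot: The importer and exporter keys, ciphers and mechanisms in `FIPSKeyImporter` are static, yet `importKey` and `exportKey` work on the calling provider's `Token`, so a handle created on the first token to reach `createImporterKey` is later passed to `token.p11.C_UnwrapKey` / `C_WrapKey` on whichever token is calling. `createExporterKey(Token token)` never uses its argument and calls `SecretKeyFactory.getInstance("AES")` without a provider, so the `(P11Key)` cast depends on provider ordering and the key may live on a different token than the one that wraps with it. Whether more than one SunPKCS11 instance can exist in system FIPS mode is not visible here; if it can, this state should be held per token. At minimum, pass the provider down and use `SecretKeyFactory.getInstance("AES", sunPKCS11)`, and record the single-token assumption in a comment above the static fields.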
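Review bot: Neither guarded site in P11Key.java says that sensitive keys stop being opaque once `plainKeySupportEnabled` is set. In the `@@ -379` hunk the `CKA_SENSITIVE`/`CKA_EXTRACTABLE` test no longer selects `P11PrivateKey`, and in the `@@ -461` hunk `getFormat()` returns `"RAW"` for a key the token marks sensitive or non-extractable. Callers that treated a null format or encoding as the sign that key material stays inside the token will now get it on the Java heap. I would add a comment at both sites, e.g. `// plain key support: sensitive keys are readable through the FIPS key exporter, so they are not treated as opaque here`. Both enclosing methods continue outside their hunks.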
+index 112b639aa96..5549cd9ed4e 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback; + + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + ++import jdk.internal.access.SharedSecrets; + import jdk.internal.misc.InnocuousThread; + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; +@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ 
fipsExportKey = fipsExportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -339,7 +383,8 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); + } + p11 = tmpPKCS11; + +@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. 
++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 5c0aacd1a67..372a50dd587 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.AccessController; +@@ -152,16 +155,30 @@ public class PKCS11 { + + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter, ++ MethodHandle fipsKeyExporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) 
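Review bot: The added `p11.C_Login(session.id(), CKU_USER, new char[] {})` runs for every SunPKCS11 instance whenever `systemFipsEnabled` is true, although its comment justifies it only for the NSS software token with an empty-PIN database. A provider configured for another token, or an NSS database that has a PIN, fails here, and `throw p11e` hands the error to the startup handling in the following `catch (Exception e)`, so the provider may not come up at all. I would limit the block to the NSS case, for example `if (systemFipsEnabled && nssModule != null) {` if `nssModule` is the right discriminator (its assignment is outside the hunk), and state the empty-PIN assumption explicitly in the comment. The enclosing `try` begins outside the hunk.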
path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null && ++ fipsKeyExporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter, fipsKeyExporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1911,4 +1928,194 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. 
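Review bot: `getInstance` looks at `fipsKeyImporter`/`fipsKeyExporter` only when `moduleMap` has no entry for the path. On a cache hit the instance built for the first caller is returned, so later callers silently get that caller's bound handles (or a plain `PKCS11` with none) and their own arguments are dropped. `nssFipsMode` also needs both handles, so passing just one quietly selects the non-FIPS wrapper. A guard such as `if ((fipsKeyImporter == null) != (fipsKeyExporter == null)) throw new IllegalArgumentException("FIPS key importer and exporter must be set together");`, plus a comment on the cache saying that the first caller's handles win, would make both cases explicit. The method body continues past the hunk.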
++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(PKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ FIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.PKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. 
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ SynchronizedFIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. 
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++ ++ public synchronized void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, ++ MethodHandle fipsKeyExporter, long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ Map sensitiveAttrs = new HashMap<>(); ++ List nonSensitiveAttrs = new LinkedList<>(); ++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, ++ sensitiveAttrs, nonSensitiveAttrs); ++ try { ++ if (sensitiveAttrs.size() > 0) { ++ long keyClass = -1L; ++ long keyType = -1L; ++ try { ++ // Secret and private keys have both class and type ++ // attributes, so we can query them at once. ++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ ++ new CK_ATTRIBUTE(CKA_CLASS), ++ new CK_ATTRIBUTE(CKA_KEY_TYPE), ++ }; ++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); ++ keyClass = queryAttrs[0].getLong(); ++ keyType = queryAttrs[1].getLong(); ++ } catch (PKCS11Exception e) { ++ // If the query fails, the object is neither a secret nor a ++ // private key. 
As this case won't be handled with the FIPS ++ // Key Exporter, we keep keyClass initialized to -1L. ++ } ++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { ++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, ++ sensitiveAttrs); ++ if (nonSensitiveAttrs.size() > 0) { ++ CK_ATTRIBUTE[] pNonSensitiveAttrs = ++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; ++ int i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ pNonSensitiveAttrs[i++] = nonSensAttr; ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, ++ pNonSensitiveAttrs); ++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we ++ // update the reference on the previous CK_ATTRIBUTEs ++ i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; ++ } ++ } ++ return; ++ } ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, ++ Map sensitiveAttrs, ++ List nonSensitiveAttrs) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ long type = attr.type; ++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c ++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || ++ type == CKA_PRIME_1 || type == CKA_PRIME_2 || ++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || ++ type == CKA_COEFFICIENT) { ++ sensitiveAttrs.put(type, attr); ++ } else { ++ nonSensitiveAttrs.add(attr); ++ } ++ } ++ } ++} + } +diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +index 8c9e4f9dbe6..883dc04758e 100644 +--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java ++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java +@@ -38,6 +38,7 @@ import java.util.HashMap; + 
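Review bot: `FIPSPKCS11Helper.C_GetAttributeValue` sends every `CKO_PRIVATE_KEY` with a sensitive attribute in the template to `fipsKeyExporter` without looking at `keyType`. `FIPSKeyImporter.exportPrivateKey`, earlier in this patch, handles only `CKK_RSA`, `CKK_DSA` and `CKK_EC`, while `importKey` also accepts `CKK_DH`. As far as the visible code shows, reading `CKA_VALUE` of a DH private key therefore ends in `CKR_GENERAL_ERROR` with " unsupported CKO_PRIVATE_KEY key type", so a key that can be imported cannot be read back. Either add a `CKK_DH` branch to `exportPrivateKey` that decodes the PKCS#8 bytes and fills `CKA_VALUE`, or, if the omission is intended, say so in a comment next to the `keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY` check.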
import java.util.Iterator; + import java.util.List; + ++import jdk.internal.access.SharedSecrets; + import sun.security.ec.ed.EdDSAAlgorithmParameters; + import sun.security.ec.ed.EdDSAKeyFactory; + import sun.security.ec.ed.EdDSAKeyPairGenerator; +@@ -56,6 +57,10 @@ public final class SunEC extends Provider { + + private static final long serialVersionUID = -2279741672933606418L; + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private static class ProviderServiceA extends ProviderService { + ProviderServiceA(Provider p, String type, String algo, String cn, + HashMap attrs) { +@@ -249,85 +254,86 @@ public final class SunEC extends Provider { + + putXDHEntries(); + putEdDSAEntries(); +- +- /* +- * Signature engines +- */ +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", +- null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", +- ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", +- ATTRS)); +- 
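Review bot: `systemFipsEnabled` is set once in a static initializer from `SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled()` with no null check and no comment. The flag then decides which services SunEC registers in the three hunks that follow (the ECDSA/EC/ECDH block, `putXDHEntries` and `putEdDSAEntries`). If the accessor were unset when SunEC is first loaded, class initialization would fail with an NPE wrapped in ExceptionInInitializerError. That outcome is fail-closed, and any guard added later should keep it that way rather than default to `false`, which would register the services FIPS mode is meant to withhold. I would add a field comment such as `// FIPS mode: signature, key-pair and key-agreement services are not registered by SunEC (RH1995150); the KeyFactory entries stay`. Whether the accessor is always set is decided outside this hunk; the spec lists RH1915071 for that, so the comment should hedge accordingly.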
putService(new ProviderServiceA(this, "Signature", +- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "NONEwithECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$RawinP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA1withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); +- +- putService(new ProviderService(this, "Signature", +- "SHA3-224withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-256withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-384withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); +- putService(new ProviderService(this, "Signature", +- "SHA3-512withECDSAinP1363Format", +- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); +- +- /* +- * Key Pair Generator engine +- */ +- putService(new ProviderService(this, "KeyPairGenerator", +- "EC", "sun.security.ec.ECKeyPairGenerator", +- List.of("EllipticCurve"), ATTRS)); +- +- /* +- * Key Agreement engine +- */ +- putService(new ProviderService(this, "KeyAgreement", +- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ if (!systemFipsEnabled) { ++ /* 
++ * Signature engines ++ */ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", ++ null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "NONEwithECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$RawinP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA1withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ 
"SHA384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); ++ ++ putService(new ProviderService(this, "Signature", ++ "SHA3-224withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-256withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-384withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); ++ putService(new ProviderService(this, "Signature", ++ "SHA3-512withECDSAinP1363Format", ++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); ++ ++ /* ++ * Key Pair Generator engine ++ */ ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EC", "sun.security.ec.ECKeyPairGenerator", ++ List.of("EllipticCurve"), ATTRS)); ++ ++ /* ++ * Key Agreement engine ++ */ ++ putService(new ProviderService(this, "KeyAgreement", ++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); ++ } + } + + private void putXDHEntries() { +@@ -344,23 +350,25 @@ public final class SunEC extends Provider { + "X448", "sun.security.ec.XDHKeyFactory.X448", + ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", +- ATTRS)); +- +- putService(new ProviderService(this, "KeyAgreement", +- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyAgreement", +- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", +- ATTRS)); +- 
putService(new ProviderServiceA(this, "KeyAgreement", +- "X448", "sun.security.ec.XDHKeyAgreement.X448", +- ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "KeyAgreement", ++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyAgreement", ++ "X448", "sun.security.ec.XDHKeyAgreement.X448", ++ ATTRS)); ++ } + } + + private void putEdDSAEntries() { +@@ -375,21 +383,23 @@ public final class SunEC extends Provider { + putService(new ProviderServiceA(this, "KeyFactory", + "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); + +- putService(new ProviderService(this, "KeyPairGenerator", +- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", +- ATTRS)); +- putService(new ProviderServiceA(this, "KeyPairGenerator", +- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", +- ATTRS)); +- +- putService(new ProviderService(this, "Signature", +- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); +- putService(new ProviderServiceA(this, "Signature", +- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ if (!systemFipsEnabled) { ++ putService(new ProviderService(this, "KeyPairGenerator", ++ "EdDSA", 
"sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", ++ ATTRS)); ++ putService(new ProviderServiceA(this, "KeyPairGenerator", ++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", ++ ATTRS)); ++ ++ putService(new ProviderService(this, "Signature", ++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); ++ putService(new ProviderServiceA(this, "Signature", ++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); ++ } + + } + } diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 121bd41..057f7ad 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -327,6 +327,8 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 +# Define current Git revision for the FIPS support patches +%global fipsver 3625385b13d # Standard JPackage naming and versioning defines %global origin openjdk @@ -334,7 +336,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -1301,41 +1303,31 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # Restrict access to java-atk-wrapper classes Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Follow system wide crypto policy RHBZ#1249083 -Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# PR3695: Allow use of system crypto policy to be disabled by the user -Patch5: pr3695-toggle_system_crypto_policy.patch -# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo +# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch -# FIPS support patches +# Crypto policy and FIPS support patches +# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u +# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3183, RH1340845: Follow system wide crypto policy +# PR3695: Allow use of system crypto policy to be disabled by the user # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -Patch1001: rh1655466-global_crypto_and_fips.patch # RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -Patch1002: rh1818909-fips_default_keystore_type.patch # RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch # RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -Patch1007: rh1915071-always_initialise_configurator_access.patch # RH1929465: Improve system FIPS detection -Patch1008: rh1929465-improve_system_FIPS_detection.patch -Patch1011: rh1929465-dont_define_unused_throwioexception.patch # RH1995150: Disable 
non-FIPS crypto in SUN and SunEC security providers -Patch1009: rh1995150-disable_non-fips_crypto.patch # RH1996182: Login to the NSS software token in FIPS mode -Patch1010: rh1996182-login_to_nss_software_token.patch -Patch1012: rh1996182-extend_security_policy.patch # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -Patch1013: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues -Patch1014: rh2021263-fips_ensure_security_initialised.patch -Patch1015: rh2021263-fips_missing_native_returns.patch # RH2052819: Fix FIPS reliance on crypto policies -Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch # RH2052829: Detect NSS at Runtime for FIPS detection -Patch1017: rh2052829-fips_runtime_nss_detection.patch # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch +# RH2023467: Enable FIPS keys export +# RH2094027: SunEC runtime permission for FIPS +Patch1001: fips-17u-%{fipsver}.patch ############################################# # @@ -1745,29 +1737,15 @@ pushd %{top_level_dir_name} %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 %patch6 -p1 %patch7 -p1 +# Add crypto policy and FIPS support +%patch1001 -p1 +# nss.cfg PKCS11 support; must come last as it also alters java.security +%patch1000 -p1 popd # openjdk -%patch1000 %patch600 -%patch1001 -%patch1002 -%patch1004 -%patch1007 -%patch1008 -%patch1009 -%patch1010 -%patch1011 -%patch1012 -%patch1013 -%patch1014 -%patch1015 -%patch1016 -%patch1017 -%patch1018 # Extract systemtap tapsets %if %{with_systemtap} 
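Review bot: The generation recipe in the new comment block identifies the source revision only by an abbreviated hash (`--format=%h`, carried into `%global fipsver 3625385b13d` in the earlier spec hunk). That is weaker provenance than the individually named patches it replaces. Since this one file now carries every crypto-policy and FIPS change, I would record the full commit id next to the recipe, e.g. `# Generated from fips-17u commit <full 40-character commit id>`, so the patch can be regenerated and compared byte for byte. The `%%{vcstag}` base used in the `git diff` is defined outside this hunk; confirm it resolves to the same tag the source tarball was built from.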
@@ -2539,6 +2517,12 @@ cjc.mainProgram(args) %endif %changelog +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-2 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS + * Sun Apr 24 2022 Andrew Hughes - 1:17.0.3.0.7-1 - April 2022 security update to jdk 17.0.3+7 - Update release notes to 17.0.3.0+7 diff --git a/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch deleted file mode 100644 index 4efbe9a..0000000 --- a/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch +++ /dev/null @@ -1,88 +0,0 @@ - -# HG changeset patch -# User andrew -# Date 1478057514 0 -# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c -# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a -PR3183: Support Fedora/RHEL system crypto policy -diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java ---- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100 -+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000 -@@ -43,6 +43,9 @@ - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ -@@ -52,6 +55,10 @@ - private static final Debug sdebug = - Debug.getInstance("properties"); - -+ /* System property file*/ -+ private static final String SYSTEM_PROPERTIES = -+ "/etc/crypto-policies/back-ends/java.config"; -+ - /* The java.security properties */ - private static Properties props; - -@@ -93,6 +100,7 @@ - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -114,6 +122,31 @@ - } - - if ("true".equalsIgnoreCase(props.getProperty -+ ("security.useSystemPropertiesFile"))) { -+ -+ // now load the system file, if it exists, so its values -+ // will win if they conflict with the earlier values -+ try (BufferedInputStream bis = -+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -+ props.load(bis); -+ loadedProps = true; -+ -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ SYSTEM_PROPERTIES); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println -+ ("unable to load security properties from " + -+ SYSTEM_PROPERTIES); -+ e.printStackTrace(); -+ } -+ } -+ } -+ -+ if ("true".equalsIgnoreCase(props.getProperty - ("security.overridePropertiesFile"))) { - - String extraPropFile = System.getProperty -diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security ---- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100 -+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000 -@@ -276,6 +276,13 @@ - security.overridePropertiesFile=true - - # -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=true -+ -+# - # Determines the default key and trust 
manager factory algorithms for - # the javax.net.ssl package. - # diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch deleted file mode 100644 index 3799237..0000000 --- a/pr3695-toggle_system_crypto_policy.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1545198926 0 -# Wed Dec 19 05:55:26 2018 +0000 -# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776 -# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c -PR3695: Allow use of system crypto policy to be disabled by the user -Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile - -diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java ---- a/src/java.base/share/classes/java/security/Security.java -+++ b/src/java.base/share/classes/java/security/Security.java -@@ -125,31 +125,6 @@ - } - - if ("true".equalsIgnoreCase(props.getProperty -- ("security.useSystemPropertiesFile"))) { -- -- // now load the system file, if it exists, so its values -- // will win if they conflict with the earlier values -- try (BufferedInputStream bis = -- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -- props.load(bis); -- loadedProps = true; -- -- if (sdebug != null) { -- sdebug.println("reading system security properties file " + -- SYSTEM_PROPERTIES); -- sdebug.println(props.toString()); -- } -- } catch (IOException e) { -- if (sdebug != null) { -- sdebug.println -- ("unable to load security properties from " + -- SYSTEM_PROPERTIES); -- e.printStackTrace(); -- } -- } -- } -- -- if ("true".equalsIgnoreCase(props.getProperty - ("security.overridePropertiesFile"))) { - - String extraPropFile = System.getProperty -@@ -215,6 +190,33 @@ - } - } - -+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); -+ if (disableSystemProps == null && -+ "true".equalsIgnoreCase(props.getProperty -+ ("security.useSystemPropertiesFile"))) { -+ -+ // now load the system file, if it exists, so its values -+ // will win if they conflict with the earlier values -+ try (BufferedInputStream bis = -+ new BufferedInputStream(new 
FileInputStream(SYSTEM_PROPERTIES))) { -+ props.load(bis); -+ loadedProps = true; -+ -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ SYSTEM_PROPERTIES); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println -+ ("unable to load security properties from " + -+ SYSTEM_PROPERTIES); -+ e.printStackTrace(); -+ } -+ } -+ } -+ - if (!loadedProps) { - initializeStatic(); - if (sdebug != null) { diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch index 7be1fae..b552b99 100644 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch @@ -1,7 +1,7 @@ -diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security -index 534bdae5a16..2df2b59cbf6 100644 ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 5a355e70cae..c730ea26ea2 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security @@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI security.provider.tbd=Apple #endif @@ -9,4 +9,4 @@ index 534bdae5a16..2df2b59cbf6 100644 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg # - # A list of preferred providers for specific algorithms. These providers will + # Security providers used when global crypto-policies are set to FIPS. diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch deleted file mode 100644 index 80cd91c..0000000 --- a/rh1655466-global_crypto_and_fips.patch +++ /dev/null 
@@ -1,205 +0,0 @@ -diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java ---- openjdk.orig/src/java.base/share/classes/java/security/Security.java -+++ openjdk/src/java.base/share/classes/java/security/Security.java -@@ -196,26 +196,8 @@ - if (disableSystemProps == null && - "true".equalsIgnoreCase(props.getProperty - ("security.useSystemPropertiesFile"))) { -- -- // now load the system file, if it exists, so its values -- // will win if they conflict with the earlier values -- try (BufferedInputStream bis = -- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { -- props.load(bis); -+ if (SystemConfigurator.configure(props)) { - loadedProps = true; -- -- if (sdebug != null) { -- sdebug.println("reading system security properties file " + -- SYSTEM_PROPERTIES); -- sdebug.println(props.toString()); -- } -- } catch (IOException e) { -- if (sdebug != null) { -- sdebug.println -- ("unable to load security properties from " + -- SYSTEM_PROPERTIES); -- e.printStackTrace(); -- } - } - } - -diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java -new file mode 100644 ---- /dev/null -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,151 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.nio.file.Files; -+import java.nio.file.Path; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+import java.util.function.Consumer; -+import java.util.regex.Matcher; -+import java.util.regex.Pattern; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. 
-+ * -+ */ -+ -+class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static final String CRYPTO_POLICIES_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/config"; -+ -+ private static final class SecurityProviderInfo { -+ int number; -+ String key; -+ String value; -+ SecurityProviderInfo(int number, String key, String value) { -+ this.number = number; -+ this.key = key; -+ this.value = value; -+ } -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configure(Properties props) { -+ boolean loadedProps = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ loadedProps = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ loadedProps = false; -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) 
props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ loadedProps = true; -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /* -+ * FIPS is enabled only if crypto-policies are set to "FIPS" -+ * and the com.redhat.fips property is true. -+ */ -+ private static boolean enableFips() throws Exception { -+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -+ if (fipsEnabled) { -+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); -+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } -+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); -+ return pattern.matcher(cryptoPoliciesConfig).find(); -+ } else { -+ return false; -+ } -+ } -+} -diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security ---- openjdk.orig/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -87,6 +87,14 @@ - #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # -+# Security providers used when global crypto-policies are set to FIPS. -+# -+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg -+fips.provider.2=SUN -+fips.provider.3=SunEC -+fips.provider.4=SunJSSE -+ -+# - # A list of preferred providers for specific algorithms. These providers will - # be searched for matching algorithms before the list of registered providers. - # Entries containing errors (parsing, etc) will be ignored. Use the 
diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch
deleted file mode 100644
index ff34f3e..0000000
--- a/rh1818909-fips_default_keystore_type.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
-@@ -123,6 +123,33 @@
- }
- props.put(fipsProviderKey, fipsProviderValue);
- }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
- loadedProps = true;
- }
- } catch (Exception e) {
-diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
---- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
-@@ -299,6 +299,11 @@
- keystore.type=pkcs12
-
- #
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
-+#
- # Controls compatibility mode for JKS and PKCS12 keystore types.
- #
- # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch
deleted file mode 100644
index 8dcd9a8..0000000
--- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index f9baf8c9742..60fa75cab45 100644
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,11 +1,13 @@
- /*
-- * Copyright (c) 2019, Red Hat, Inc.
-+ * Copyright (c) 2019, 2020, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
-- * published by the Free Software Foundation.
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-@@ -34,10 +36,10 @@ import java.nio.file.Path;
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.function.Consumer;
--import java.util.regex.Matcher;
- import java.util.regex.Pattern;
-
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
-+import jdk.internal.access.SharedSecrets;
- import sun.security.util.Debug;
-
- /**
-@@ -47,7 +49,7 @@ import sun.security.util.Debug;
- *
- */
-
--class SystemConfigurator {
-+final class SystemConfigurator {
-
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -61,15 +63,16 @@ class SystemConfigurator {
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
-- private static final class SecurityProviderInfo {
-- int number;
-- String key;
-- String value;
-- SecurityProviderInfo(int number, String key, String value) {
-- this.number = number;
-- this.key = key;
-- this.value = value;
-- }
-+ private static boolean systemFipsEnabled = false;
-+
-+ static {
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
- }
-
- /*
-@@ -128,9 +131,9 @@ class SystemConfigurator {
- String nonFipsKeystoreType = props.getProperty("keystore.type");
- props.put("keystore.type", keystoreTypeValue);
- if (keystoreTypeValue.equals("PKCS11")) {
-- // If keystore.type is PKCS11, javax.net.ssl.keyStore
-- // must be "NONE". See JDK-8238264.
-- System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
- }
- if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
- // If no trustStoreType has been set, use the
-@@ -144,12 +147,13 @@ class SystemConfigurator {
- sdebug.println("FIPS mode default keystore.type = " +
- keystoreTypeValue);
- sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-- System.getProperty("javax.net.ssl.keyStore", ""));
-+ System.getProperty("javax.net.ssl.keyStore", ""));
- sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
- System.getProperty("javax.net.ssl.trustStoreType", ""));
- }
- }
- loadedProps = true;
-+ systemFipsEnabled = true;
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -160,13 +164,30 @@ class SystemConfigurator {
- return loadedProps;
- }
-
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
- /*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
- */
- private static boolean enableFips() throws Exception {
-- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-- if (fipsEnabled) {
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..a31e93ec02e
---- /dev/null
-+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,30 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package jdk.internal.access;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+}
-diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-index f6d3638c3dd..5a2c9eb0c46 100644
---- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-@@ -81,6 +81,7 @@ public class SharedSecrets {
- private static JavaSecuritySpecAccess javaSecuritySpecAccess;
- private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
- private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
- javaUtilCollectionAccess = juca;
-@@ -442,4 +443,12 @@ public class SharedSecrets {
- MethodHandles.lookup().ensureInitialized(c);
- } catch (IllegalAccessException e) {}
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-index 6ffdfeda18d..775b185fb06 100644
---- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -32,6 +32,7 @@ import java.security.cert.*;
- import java.util.*;
- import java.util.concurrent.locks.ReentrantLock;
- import javax.net.ssl.*;
-+import jdk.internal.access.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- private static final List serverDefaultCipherSuites;
-
- static {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10,
-- ProtocolVersion.SSL30,
-- ProtocolVersion.SSL20Hello
-- );
--
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10,
-+ ProtocolVersion.SSL30,
-+ ProtocolVersion.SSL20Hello
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
-
- supportedCipherSuites = getApplicableSupportedCipherSuites(
- supportedProtocols);
-@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- ProtocolVersion[] candidates;
- if (refactored.isEmpty()) {
- // Client and server use the same default protocols.
-- candidates = new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- };
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ } else {
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- } else {
- // Use the customized TLS protocols.
- candidates =
-diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-index 894e26dfad8..8b16378b96b 100644
---- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-@@ -27,6 +27,8 @@ package sun.security.ssl;
-
- import java.security.*;
- import java.util.*;
-+
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-
- /**
-@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
- "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
- ps("SSLContext", "TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-- ps("SSLContext", "TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ ps("SSLContext", "TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ }
- ps("SSLContext", "TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext",
- List.of("SSL"), null);
diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch
deleted file mode 100644
index 513fbbf..0000000
--- a/rh1915071-always_initialise_configurator_access.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index f1633afb627..ce32c939253 100644
---- openjdk/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -32,6 +32,7 @@ import java.net.URL;
-
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -74,6 +75,15 @@ public final class Security {
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -194,9 +204,8 @@ public final class Security {
- }
-
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-- if (disableSystemProps == null &&
-- "true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
- }
-diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 60fa75cab45..10b54aa4ce4 100644
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -38,8 +38,6 @@ import java.util.Map.Entry;
- import java.util.Properties;
- import java.util.regex.Pattern;
-
--import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
--import jdk.internal.access.SharedSecrets;
- import sun.security.util.Debug;
-
- /**
-@@ -65,16 +63,6 @@ final class SystemConfigurator {
-
- private static boolean systemFipsEnabled = false;
-
-- static {
-- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-- new JavaSecuritySystemConfiguratorAccess() {
-- @Override
-- public boolean isSystemFipsEnabled() {
-- return SystemConfigurator.isSystemFipsEnabled();
-- }
-- });
-- }
--
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
diff --git a/rh1929465-dont_define_unused_throwioexception.patch b/rh1929465-dont_define_unused_throwioexception.patch
deleted file mode 100644
index eba090f..0000000
--- a/rh1929465-dont_define_unused_throwioexception.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
-Author: Andrew Hughes
-Date: Sat Aug 28 01:15:28 2021 +0100
-
- RH1929465: Don't define unused throwIOException function when using NSS detection
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 6f4656bfcb6..38919d6bb0f 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -34,14 +34,34 @@
-
- #include "java_security_SystemConfigurator.h"
-
--#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
- #define MSG_MAX_SIZE 96
-
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
-+#ifndef SYSCONF_NSS
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+#endif
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
-
- #endif // SYSCONF_NSS
- }
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-- }
--}
diff --git a/rh1929465-improve_system_FIPS_detection.patch b/rh1929465-improve_system_FIPS_detection.patch
deleted file mode 100644
index 4dfd1d4..0000000
--- a/rh1929465-improve_system_FIPS_detection.patch
+++ /dev/null
@@ -1,428 +0,0 @@
-diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4
-new file mode 100644
-index 00000000000..b2b1c1787da
---- /dev/null
-+++ openjdk/make/autoconf/lib-sysconf.m4
-@@ -0,0 +1,84 @@
-+#
-+# Copyright (c) 2021, Red Hat, Inc.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation. Oracle designates this
-+# particular file as subject to the "Classpath" exception as provided
-+# by Oracle in the LICENSE file that accompanied this code.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
-index a65d91ee974..a8f054c1397 100644
---- openjdk/make/autoconf/libraries.m4
-+++ openjdk/make/autoconf/libraries.m4
-@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
- m4_include([lib-x11.m4])
- m4_include([lib-fontconfig.m4])
- m4_include([lib-tests.m4])
-+m4_include([lib-sysconf.m4])
-
- ################################################################################
- # Determine which libraries are needed for this configuration
-@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
- LIB_SETUP_BUNDLED_LIBS
- LIB_SETUP_MISC_LIBS
- LIB_TESTS_SETUP_GTEST
-+ LIB_SETUP_SYSCONF_LIBS
-
- BASIC_JDKLIB_LIBS=""
- if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
-diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
-index 29445c8c24f..9b1b512a34a 100644
---- openjdk/make/autoconf/spec.gmk.in
-+++ openjdk/make/autoconf/spec.gmk.in
-@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
- # Libraries
- #
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
- LCMS_CFLAGS:=@LCMS_CFLAGS@
- LCMS_LIBS:=@LCMS_LIBS@
-diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk
-index 5658ff342e5..cb7a56852f7 100644
---- openjdk/make/modules/java.base/Lib.gmk
-+++ openjdk/make/modules/java.base/Lib.gmk
-@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
- endif
- endif
-
-+################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
-+ NAME := systemconf, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
-+ ))
-+
-+ TARGETS += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
- ################################################################################
- # Create the symbols file for static builds.
-
-diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-new file mode 100644
-index 00000000000..6f4656bfcb6
---- /dev/null
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -0,0 +1,168 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 10b54aa4ce4..6aa1419dfd0 100644
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,13 +30,9 @@ import java.io.BufferedInputStream;
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -58,11 +54,23 @@ final class SystemConfigurator {
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
--
- private static boolean systemFipsEnabled = false;
-
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ @SuppressWarnings("removal")
-+ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
-@@ -170,16 +178,34 @@ final class SystemConfigurator {
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
- private static boolean enableFips() throws Exception {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
diff --git a/rh1991003-enable_fips_keys_import.patch b/rh1991003-enable_fips_keys_import.patch
deleted file mode 100644
index 79d2743..0000000
--- a/rh1991003-enable_fips_keys_import.patch
+++ /dev/null
@@ -1,579 +0,0 @@ -commit abcd0954643eddbf826d96291d44a143038ab750 -Author: Martin Balao -Date: Sun Oct 10 18:14:01 2021 +0100 - - RH1991003: Enable the import of plain keys into the NSS software token. - - This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false - -diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java -index ce32c939253..dc7020ce668 100644 ---- openjdk.orig/src/java.base/share/classes/java/security/Security.java -+++ openjdk/src/java.base/share/classes/java/security/Security.java -@@ -82,6 +82,10 @@ public final class Security { - public boolean isSystemFipsEnabled() { - return SystemConfigurator.isSystemFipsEnabled(); - } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } - }); - - // doPrivileged here because there are multiple -diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -index 6aa1419dfd0..ecab722848e 100644 ---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java -+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -55,6 +55,7 @@ final class SystemConfigurator { - CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; - - private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; - - private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; - -@@ -150,6 +151,16 @@ final class SystemConfigurator { - } - loadedProps = true; - systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else 
{ -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } - } - } catch (Exception e) { - if (sdebug != null) { -@@ -177,6 +188,19 @@ final class SystemConfigurator { - return systemFipsEnabled; - } - -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ - /* - * OpenJDK FIPS mode will be enabled only if the com.redhat.fips - * system property is true (default) and the system is in FIPS mode. -diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java -index a31e93ec02e..3f3caac64dc 100644 ---- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java -+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java -@@ -27,4 +27,5 @@ package jdk.internal.access; - - public interface JavaSecuritySystemConfiguratorAccess { - boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); - } -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 00000000000..bee3a1e1537 ---- /dev/null -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,291 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? 
v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? 
v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try 
{ -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ } -+ } -+} -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 5d3963ea893..42c72b393fd 100644 ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider { - private static final boolean systemFipsEnabled = SharedSecrets - .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final 
MethodHandle fipsImportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ } - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, -- config.getOmitInitialize()); -+ config.getOmitInitialize(), fipsKeyImporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider { - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); - } - p11 = tmpPKCS11; - -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 5c0aacd1a67..4d80145cb91 100644 ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; - - import 
java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; - import java.util.*; - - import java.security.AccessController; -@@ -152,16 +153,28 @@ public class PKCS11 { - - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. 
-+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. 
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+} - } -diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -index e2d6d371bec..dc5e7eefdd3 100644 ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception { - return "0x" + Functions.toFullHexString((int)errorCode); - } - -+ /** -+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with -+ * no extra info for the error message. -+ */ -+ public PKCS11Exception(long errorCode) { -+ this(errorCode, null); -+ } -+ - /** - * Constructor taking the error code (the CKR_* constants in PKCS#11) and - * extra info for error message. diff --git a/rh1995150-disable_non-fips_crypto.patch b/rh1995150-disable_non-fips_crypto.patch deleted file mode 100644 index de06552..0000000 --- a/rh1995150-disable_non-fips_crypto.patch +++ /dev/null 
@@ -1,591 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java -index 63bb580eb3a..238735c0c8c 100644 ---- openjdk.orig/src/java.base/share/classes/module-info.java -+++ openjdk/src/java.base/share/classes/module-info.java -@@ -152,6 +152,7 @@ module java.base { - java.naming, - java.rmi, - jdk.charsets, -+ jdk.crypto.ec, - jdk.jartool, - jdk.jlink, - jdk.net, -diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 912cad59714..7cb5ebcde51 100644 ---- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java -+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java -@@ -30,6 +30,7 @@ import java.net.*; - import java.util.*; - import java.security.*; - -+import jdk.internal.access.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.action.GetPropertyAction; - import sun.security.util.SecurityProviderConstants; -@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; - - public final class SunEntries { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - // the default algo used by SecureRandom class for new SecureRandom() calls - public static final String DEF_SECURE_RANDOM_ALGO; - -@@ -94,147 +99,149 @@ public final class SunEntries { - // common attribute map - HashMap attrs = new HashMap<>(3); - -- /* -- * SecureRandom engines -- */ -- attrs.put("ThreadSafe", "true"); -- if (NativePRNG.isAvailable()) { -- add(p, "SecureRandom", "NativePRNG", -- "sun.security.provider.NativePRNG", attrs); -- } -- if (NativePRNG.Blocking.isAvailable()) { -- add(p, "SecureRandom", "NativePRNGBlocking", -- "sun.security.provider.NativePRNG$Blocking", attrs); -- } -- if 
(NativePRNG.NonBlocking.isAvailable()) { -- add(p, "SecureRandom", "NativePRNGNonBlocking", -- "sun.security.provider.NativePRNG$NonBlocking", attrs); -- } -- attrs.put("ImplementedIn", "Software"); -- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); -- add(p, "SecureRandom", "SHA1PRNG", -- "sun.security.provider.SecureRandom", attrs); -- -- /* -- * Signature engines -- */ -- attrs.clear(); -- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + -- "|java.security.interfaces.DSAPrivateKey"; -- attrs.put("SupportedKeyClasses", dsaKeyClasses); -- attrs.put("ImplementedIn", "Software"); -- -- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures -- -- addWithAlias(p, "Signature", "SHA1withDSA", -- "sun.security.provider.DSA$SHA1withDSA", attrs); -- addWithAlias(p, "Signature", "NONEwithDSA", -- "sun.security.provider.DSA$RawDSA", attrs); -- -- // for DSA signatures with 224/256-bit digests -- attrs.put("KeySize", "2048"); -- -- addWithAlias(p, "Signature", "SHA224withDSA", -- "sun.security.provider.DSA$SHA224withDSA", attrs); -- addWithAlias(p, "Signature", "SHA256withDSA", -- "sun.security.provider.DSA$SHA256withDSA", attrs); -- -- addWithAlias(p, "Signature", "SHA3-224withDSA", -- "sun.security.provider.DSA$SHA3_224withDSA", attrs); -- addWithAlias(p, "Signature", "SHA3-256withDSA", -- "sun.security.provider.DSA$SHA3_256withDSA", attrs); -- -- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests -- -- addWithAlias(p, "Signature", "SHA384withDSA", -- "sun.security.provider.DSA$SHA384withDSA", attrs); -- addWithAlias(p, "Signature", "SHA512withDSA", -- "sun.security.provider.DSA$SHA512withDSA", attrs); -- addWithAlias(p, "Signature", "SHA3-384withDSA", -- "sun.security.provider.DSA$SHA3_384withDSA", attrs); -- addWithAlias(p, "Signature", "SHA3-512withDSA", -- "sun.security.provider.DSA$SHA3_512withDSA", attrs); -- -- attrs.remove("KeySize"); -- -- add(p, "Signature", "SHA1withDSAinP1363Format", -- 
"sun.security.provider.DSA$SHA1withDSAinP1363Format"); -- add(p, "Signature", "NONEwithDSAinP1363Format", -- "sun.security.provider.DSA$RawDSAinP1363Format"); -- add(p, "Signature", "SHA224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -- add(p, "Signature", "SHA256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -- add(p, "Signature", "SHA384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -- add(p, "Signature", "SHA512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -- add(p, "Signature", "SHA3-224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -- add(p, "Signature", "SHA3-256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -- add(p, "Signature", "SHA3-384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -- add(p, "Signature", "SHA3-512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -- /* -- * Key Pair Generator engines -- */ -- attrs.clear(); -- attrs.put("ImplementedIn", "Software"); -- attrs.put("KeySize", "2048"); // for DSA KPG and APG only -+ if (!systemFipsEnabled) { -+ /* -+ * SecureRandom engines -+ */ -+ attrs.put("ThreadSafe", "true"); -+ if (NativePRNG.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNG", -+ "sun.security.provider.NativePRNG", attrs); -+ } -+ if (NativePRNG.Blocking.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNGBlocking", -+ "sun.security.provider.NativePRNG$Blocking", attrs); -+ } -+ if (NativePRNG.NonBlocking.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNGNonBlocking", -+ "sun.security.provider.NativePRNG$NonBlocking", attrs); -+ } -+ attrs.put("ImplementedIn", "Software"); -+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); -+ add(p, "SecureRandom", "SHA1PRNG", -+ "sun.security.provider.SecureRandom", attrs); - -- 
String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; -- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); -- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); -+ /* -+ * Signature engines -+ */ -+ attrs.clear(); -+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + -+ "|java.security.interfaces.DSAPrivateKey"; -+ attrs.put("SupportedKeyClasses", dsaKeyClasses); -+ attrs.put("ImplementedIn", "Software"); -+ -+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures -+ -+ addWithAlias(p, "Signature", "SHA1withDSA", -+ "sun.security.provider.DSA$SHA1withDSA", attrs); -+ addWithAlias(p, "Signature", "NONEwithDSA", -+ "sun.security.provider.DSA$RawDSA", attrs); -+ -+ // for DSA signatures with 224/256-bit digests -+ attrs.put("KeySize", "2048"); -+ -+ addWithAlias(p, "Signature", "SHA224withDSA", -+ "sun.security.provider.DSA$SHA224withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA256withDSA", -+ "sun.security.provider.DSA$SHA256withDSA", attrs); -+ -+ addWithAlias(p, "Signature", "SHA3-224withDSA", -+ "sun.security.provider.DSA$SHA3_224withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-256withDSA", -+ "sun.security.provider.DSA$SHA3_256withDSA", attrs); -+ -+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests -+ -+ addWithAlias(p, "Signature", "SHA384withDSA", -+ "sun.security.provider.DSA$SHA384withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA512withDSA", -+ "sun.security.provider.DSA$SHA512withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-384withDSA", -+ "sun.security.provider.DSA$SHA3_384withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-512withDSA", -+ "sun.security.provider.DSA$SHA3_512withDSA", attrs); -+ -+ attrs.remove("KeySize"); -+ -+ add(p, "Signature", "SHA1withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -+ add(p, "Signature", "NONEwithDSAinP1363Format", -+ "sun.security.provider.DSA$RawDSAinP1363Format"); -+ 
add(p, "Signature", "SHA224withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -+ add(p, "Signature", "SHA256withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -+ add(p, "Signature", "SHA384withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -+ add(p, "Signature", "SHA512withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-224withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-256withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-384withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-512withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ /* -+ * Key Pair Generator engines -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only - -- /* -- * Algorithm Parameter Generator engines -- */ -- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", -- "sun.security.provider.DSAParameterGenerator", attrs); -- attrs.remove("KeySize"); -+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; -+ dsaKPGImplClass += (useLegacyDSA? 
"Legacy" : "Current"); -+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); - -- /* -- * Algorithm Parameter engines -- */ -- addWithAlias(p, "AlgorithmParameters", "DSA", -- "sun.security.provider.DSAParameters", attrs); -+ /* -+ * Algorithm Parameter Generator engines -+ */ -+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", -+ "sun.security.provider.DSAParameterGenerator", attrs); -+ attrs.remove("KeySize"); - -- /* -- * Key factories -- */ -- addWithAlias(p, "KeyFactory", "DSA", -- "sun.security.provider.DSAKeyFactory", attrs); -+ /* -+ * Algorithm Parameter engines -+ */ -+ addWithAlias(p, "AlgorithmParameters", "DSA", -+ "sun.security.provider.DSAParameters", attrs); - -- /* -- * Digest engines -- */ -- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); -- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); -- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", -- attrs); -+ /* -+ * Key factories -+ */ -+ addWithAlias(p, "KeyFactory", "DSA", -+ "sun.security.provider.DSAKeyFactory", attrs); - -- addWithAlias(p, "MessageDigest", "SHA-224", -- "sun.security.provider.SHA2$SHA224", attrs); -- addWithAlias(p, "MessageDigest", "SHA-256", -- "sun.security.provider.SHA2$SHA256", attrs); -- addWithAlias(p, "MessageDigest", "SHA-384", -- "sun.security.provider.SHA5$SHA384", attrs); -- addWithAlias(p, "MessageDigest", "SHA-512", -- "sun.security.provider.SHA5$SHA512", attrs); -- addWithAlias(p, "MessageDigest", "SHA-512/224", -- "sun.security.provider.SHA5$SHA512_224", attrs); -- addWithAlias(p, "MessageDigest", "SHA-512/256", -- "sun.security.provider.SHA5$SHA512_256", attrs); -- addWithAlias(p, "MessageDigest", "SHA3-224", -- "sun.security.provider.SHA3$SHA224", attrs); -- addWithAlias(p, "MessageDigest", "SHA3-256", -- "sun.security.provider.SHA3$SHA256", attrs); -- addWithAlias(p, "MessageDigest", "SHA3-384", -- "sun.security.provider.SHA3$SHA384", attrs); -- addWithAlias(p, "MessageDigest", 
"SHA3-512", -- "sun.security.provider.SHA3$SHA512", attrs); -+ /* -+ * Digest engines -+ */ -+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs); -+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", -+ attrs); -+ -+ addWithAlias(p, "MessageDigest", "SHA-224", -+ "sun.security.provider.SHA2$SHA224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-256", -+ "sun.security.provider.SHA2$SHA256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-384", -+ "sun.security.provider.SHA5$SHA384", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512", -+ "sun.security.provider.SHA5$SHA512", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512/224", -+ "sun.security.provider.SHA5$SHA512_224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512/256", -+ "sun.security.provider.SHA5$SHA512_256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-224", -+ "sun.security.provider.SHA3$SHA224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-256", -+ "sun.security.provider.SHA3$SHA256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-384", -+ "sun.security.provider.SHA3$SHA384", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-512", -+ "sun.security.provider.SHA3$SHA512", attrs); -+ } - - /* - * Certificates -diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 8c9e4f9dbe6..883dc04758e 100644 ---- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -38,6 +38,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.List; - -+import jdk.internal.access.SharedSecrets; - import sun.security.ec.ed.EdDSAAlgorithmParameters; - import sun.security.ec.ed.EdDSAKeyFactory; - import sun.security.ec.ed.EdDSAKeyPairGenerator; -@@ -56,6 +57,10 @@ public final class SunEC 
extends Provider {
-
- private static final long serialVersionUID = -2279741672933606418L;
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private static class ProviderServiceA extends ProviderService {
- ProviderServiceA(Provider p, String type, String algo, String cn,
- HashMap attrs) {
-@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
-
- putXDHEntries();
- putEdDSAEntries();
--
-- /*
-- * Signature engines
-- */
-- putService(new ProviderService(this, "Signature",
-- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
-- null, ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
-- ATTRS));
--
-- putService(new ProviderService(this, "Signature",
-- "NONEwithECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$RawinP1363Format"));
-- putService(new
ProviderService(this, "Signature",
-- "SHA1withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA224withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA256withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA384withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA512withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
--
-- putService(new ProviderService(this, "Signature",
-- "SHA3-224withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-256withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-384withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-512withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
--
-- /*
-- * Key Pair Generator engine
-- */
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "EC", "sun.security.ec.ECKeyPairGenerator",
-- List.of("EllipticCurve"), ATTRS));
--
-- /*
-- * Key Agreement engine
-- */
-- putService(new ProviderService(this, "KeyAgreement",
-- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Signature engines
-+ */
-+ putService(new ProviderService(this, "Signature",
-+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
-+ null, ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
-+ ATTRS));
-+
putService(new ProviderServiceA(this, "Signature",
-+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "NONEwithECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$RawinP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA1withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA224withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA256withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA384withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA512withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
-+
-+ putService(new ProviderService(this, "Signature",
-+
"SHA3-224withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-256withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-384withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-512withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
-+
-+ /*
-+ * Key Pair Generator engine
-+ */
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "EC", "sun.security.ec.ECKeyPairGenerator",
-+ List.of("EllipticCurve"), ATTRS));
-+
-+ /*
-+ * Key Agreement engine
-+ */
-+ putService(new ProviderService(this, "KeyAgreement",
-+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
-+ }
- }
-
- private void putXDHEntries() {
-@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
- "X448", "sun.security.ec.XDHKeyFactory.X448",
- ATTRS));
-
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
-- ATTRS));
--
-- putService(new ProviderService(this, "KeyAgreement",
-- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyAgreement",
-- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyAgreement",
-- "X448", "sun.security.ec.XDHKeyAgreement.X448",
-- ATTRS));
-+ if (!systemFipsEnabled) {
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
-+ putService(new
ProviderServiceA(this, "KeyPairGenerator",
-+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "KeyAgreement",
-+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyAgreement",
-+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyAgreement",
-+ "X448", "sun.security.ec.XDHKeyAgreement.X448",
-+ ATTRS));
-+ }
- }
-
- private void putEdDSAEntries() {
-@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
- putService(new ProviderServiceA(this, "KeyFactory",
- "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
-
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
-- ATTRS));
--
-- putService(new ProviderService(this, "Signature",
-- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
-+ if (!systemFipsEnabled) {
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "Ed448",
"sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
-+ }
-
- }
- }
diff --git a/rh1996182-extend_security_policy.patch b/rh1996182-extend_security_policy.patch
deleted file mode 100644
index 7622622..0000000
--- a/rh1996182-extend_security_policy.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-commit bfd7c5dae9c15266799cb885b8c60199217b65b9
-Author: Andrew Hughes
-Date: Mon Aug 30 16:14:14 2021 +0100
-
- RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
-diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
-index 8356e56367b..23925f048be 100644
---- openjdk.orig/src/java.base/share/lib/security/default.policy
-+++ openjdk/src/java.base/share/lib/security/default.policy
-@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
- grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.com.sun.crypto.provider";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index 96a8204..0000000
--- a/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
-Author: Martin Balao
-Date: Sat Aug 28 00:35:44 2021 +0100
-
- RH1996182: Login to the NSS Software Token in FIPS Mode
-
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 238735c0c8c..dbbf11bbb22 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -152,6 +152,7 @@ module java.base {
- java.naming,
- java.rmi,
- jdk.charsets,
-+ jdk.crypto.cryptoki,
- jdk.crypto.ec,
- jdk.jartool,
- jdk.jlink,
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 112b639aa96..5d3963ea893 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
-
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.misc.InnocuousThread;
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
-@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations.
See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 8dc0122..0000000
--- a/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
-Author: Andrew Hughes
-Date: Mon Jan 10 20:19:40 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-index 5a2c9eb0c46..a1ee182d913 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-@@ -39,6 +39,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -449,6 +450,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index 5a056ce..0000000
--- a/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
-Author: Fridrich Strba
-Date: Mon Jan 10 19:32:01 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 38919d6bb0f..caf678a7dd6 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/rh2021263-fips_separate_policy_and_fips_init.patch b/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index b5351a8..0000000
--- a/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
-Author: Andrew Hughes
-Date: Tue Jan 18 02:09:27 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 28ab1846173..f9726741afd 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -61,10 +61,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -206,22 +202,36 @@ public final class Security {
- }
- }
-
-+ if (!loadedProps) {
-+ initializeStatic();
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties " +
-+ "-- using defaults");
-+ }
-+ }
-+
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
- "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-- if (SystemConfigurator.configure(props)) {
-- loadedProps = true;
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
- }
- }
-
-- if (!loadedProps) {
-- initializeStatic();
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
- if (sdebug != null) {
-- sdebug.println("unable to load security properties " +
-- "-- using defaults");
-+ if (fipsEnabled) {
-+
sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
- }
- }
--
- }
-
- /*
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 874c6221ebe..b7ed41acf0f 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/rh2052070-enable_algorithmparameters_in_fips_mode.patch b/rh2052070-enable_algorithmparameters_in_fips_mode.patch
deleted file mode 100644
index 7488ea5..0000000
--- a/rh2052070-enable_algorithmparameters_in_fips_mode.patch
+++ /dev/null
@@ -1,1182 +0,0 @@
-commit 6e74f283739af0d867df01d20f82865f559a45ea
-Author: Martin Balao
-Date: Mon Feb 28 04:58:05 2022 +0000
-
- RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-
-diff --git openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-index a020e1c15d8..6d459fdec01 100644
---- openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-+++ openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-@@ -31,6 +31,7 @@ import java.security.SecureRandom;
- import java.security.PrivilegedAction;
- import java.util.HashMap;
- import java.util.List;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.util.SecurityProviderConstants.*;
-
-@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*;
-
- public final class SunJCE extends Provider {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- @java.io.Serial
- private static final long serialVersionUID = 6812507587804302833L;
-
-@@ -143,285 +148,287 @@ public final class SunJCE extends Provider {
- void putEntries() {
- // reuse attribute map and reset before each reuse
- HashMap attrs = new HashMap<>(3);
-- attrs.put("SupportedModes", "ECB");
-- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
-- + "|OAEPWITHMD5ANDMGF1PADDING"
-- + "|OAEPWITHSHA1ANDMGF1PADDING"
-- + "|OAEPWITHSHA-1ANDMGF1PADDING"
-- + "|OAEPWITHSHA-224ANDMGF1PADDING"
-- + "|OAEPWITHSHA-256ANDMGF1PADDING"
-- + "|OAEPWITHSHA-384ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-- attrs.put("SupportedKeyClasses",
-- "java.security.interfaces.RSAPublicKey" +
--
"|java.security.interfaces.RSAPrivateKey");
-- ps("Cipher", "RSA",
-- "com.sun.crypto.provider.RSACipher", null, attrs);
--
-- // common block cipher modes, pads
-- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
-- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
-- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
-- final String BLOCK_MODES128 = BLOCK_MODES +
-- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
-- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
-- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
--
-- attrs.clear();
-- attrs.put("SupportedModes", BLOCK_MODES);
-- attrs.put("SupportedPaddings", BLOCK_PADS);
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "DES",
-- "com.sun.crypto.provider.DESCipher", null, attrs);
-- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
-- attrs);
-- ps("Cipher", "Blowfish",
-- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
--
-- ps("Cipher", "RC2",
-- "com.sun.crypto.provider.RC2Cipher", null, attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", BLOCK_MODES128);
-- attrs.put("SupportedPaddings", BLOCK_PADS);
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "AES",
-- "com.sun.crypto.provider.AESCipher$General", attrs);
--
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "AES/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_128/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/OFB/NoPadding",
--
"com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_128/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_128/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_192/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_192/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_192/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_256/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_256/KW/PKCS5Padding",
--
"com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_256/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
-- attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "GCM");
-- attrs.put("SupportedKeyFormats", "RAW");
--
-- ps("Cipher", "AES/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
-- attrs);
-- psA("Cipher", "AES_128/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES128",
-- attrs);
-- psA("Cipher", "AES_192/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES192",
-- attrs);
-- psA("Cipher", "AES_256/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES256",
-- attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "CBC");
-- attrs.put("SupportedPaddings", "NOPADDING");
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "DESedeWrap",
-- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "ECB");
-- attrs.put("SupportedPaddings", "NOPADDING");
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "ARCFOUR",
-- "com.sun.crypto.provider.ARCFOURCipher", attrs);
--
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "ChaCha20",
-- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
-- null, attrs);
-- psA("Cipher", "ChaCha20-Poly1305",
-- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
-- attrs);
--
-- // PBES1
-- psA("Cipher", "PBEWithMD5AndDES",
-- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
-- null);
-- ps("Cipher", "PBEWithMD5AndTripleDES",
-- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
-- psA("Cipher", "PBEWithSHA1AndDESede",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC2_40",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC2_128",
--
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC4_40",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
-- null);
--
-- psA("Cipher", "PBEWithSHA1AndRC4_128",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
-- null);
--
-- // PBES2
-- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
--
-- /*
-- * Key(pair) Generator engines
-- */
-- ps("KeyGenerator", "DES",
-- "com.sun.crypto.provider.DESKeyGenerator");
-- psA("KeyGenerator", "DESede",
-- "com.sun.crypto.provider.DESedeKeyGenerator",
-- null);
-- ps("KeyGenerator", "Blowfish",
-- "com.sun.crypto.provider.BlowfishKeyGenerator");
-- psA("KeyGenerator", "AES",
-- "com.sun.crypto.provider.AESKeyGenerator",
-- null);
-- ps("KeyGenerator", "RC2",
-- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
-- psA("KeyGenerator", "ARCFOUR",
--
"com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
-- null);
-- ps("KeyGenerator", "ChaCha20",
-- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
-- ps("KeyGenerator", "HmacMD5",
-- "com.sun.crypto.provider.HmacMD5KeyGenerator");
--
-- psA("KeyGenerator", "HmacSHA1",
-- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
-- psA("KeyGenerator", "HmacSHA224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
-- null);
-- psA("KeyGenerator", "HmacSHA256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
-- null);
-- psA("KeyGenerator", "HmacSHA384",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
-- null);
-- psA("KeyGenerator", "HmacSHA512",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
-- null);
-- psA("KeyGenerator", "HmacSHA512/224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
-- null);
-- psA("KeyGenerator", "HmacSHA512/256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
-- null);
--
-- psA("KeyGenerator", "HmacSHA3-224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
-- null);
-- psA("KeyGenerator", "HmacSHA3-256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
-- null);
-- psA("KeyGenerator", "HmacSHA3-384",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
-- null);
-- psA("KeyGenerator", "HmacSHA3-512",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
-- null);
--
-- psA("KeyPairGenerator", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyPairGenerator",
-- null);
-+ if (!systemFipsEnabled) {
-+ attrs.put("SupportedModes", "ECB");
-+ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
-+ + "|OAEPWITHMD5ANDMGF1PADDING"
-+ + "|OAEPWITHSHA1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-256ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-384ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512ANDMGF1PADDING"
-+ +
"|OAEPWITHSHA-512/224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+ ps("Cipher", "RSA",
-+ "com.sun.crypto.provider.RSACipher", null, attrs);
-+
-+ // common block cipher modes, pads
-+ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
-+ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
-+ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
-+ final String BLOCK_MODES128 = BLOCK_MODES +
-+ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
-+ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
-+ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "DES",
-+ "com.sun.crypto.provider.DESCipher", null, attrs);
-+ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
-+ attrs);
-+ ps("Cipher", "Blowfish",
-+ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
-+
-+ ps("Cipher", "RC2",
-+ "com.sun.crypto.provider.RC2Cipher", null, attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES128);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES",
-+ "com.sun.crypto.provider.AESCipher$General", attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_128/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher",
"AES_128/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_128/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_128/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_192/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_192/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_192/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_256/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -+ attrs); -+ psA("Cipher", 
"AES_256/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_256/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_256/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "GCM"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ -+ ps("Cipher", "AES/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -+ attrs); -+ psA("Cipher", "AES_128/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES128", -+ attrs); -+ psA("Cipher", "AES_192/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES192", -+ attrs); -+ psA("Cipher", "AES_256/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES256", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "CBC"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "DESedeWrap", -+ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "ARCFOUR", -+ "com.sun.crypto.provider.ARCFOURCipher", attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "ChaCha20", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -+ null, attrs); -+ psA("Cipher", "ChaCha20-Poly1305", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -+ attrs); -+ -+ // PBES1 -+ psA("Cipher", "PBEWithMD5AndDES", -+ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -+ null); -+ ps("Cipher", "PBEWithMD5AndTripleDES", -+ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -+ psA("Cipher", "PBEWithSHA1AndDESede", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -+ null); -+ psA("Cipher", 
"PBEWithSHA1AndRC2_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC2_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC4_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -+ null); -+ -+ psA("Cipher", "PBEWithSHA1AndRC4_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -+ null); -+ -+ // PBES2 -+ ps("Cipher", "PBEWithHmacSHA1AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA512AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA1AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA512AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -+ -+ /* -+ * Key(pair) Generator engines -+ */ -+ ps("KeyGenerator", "DES", -+ "com.sun.crypto.provider.DESKeyGenerator"); -+ psA("KeyGenerator", "DESede", -+ "com.sun.crypto.provider.DESedeKeyGenerator", -+ null); -+ ps("KeyGenerator", "Blowfish", -+ "com.sun.crypto.provider.BlowfishKeyGenerator"); -+ psA("KeyGenerator", "AES", -+ "com.sun.crypto.provider.AESKeyGenerator", -+ null); -+ 
ps("KeyGenerator", "RC2",
-+ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
-+ psA("KeyGenerator", "ARCFOUR",
-+ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
-+ null);
-+ ps("KeyGenerator", "ChaCha20",
-+ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
-+ ps("KeyGenerator", "HmacMD5",
-+ "com.sun.crypto.provider.HmacMD5KeyGenerator");
-+
-+ psA("KeyGenerator", "HmacSHA1",
-+ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
-+ psA("KeyGenerator", "HmacSHA224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
-+ null);
-+ psA("KeyGenerator", "HmacSHA384",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512/224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512/256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
-+ null);
-+
-+ psA("KeyGenerator", "HmacSHA3-224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-384",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-512",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
-+ null);
-+
-+ psA("KeyPairGenerator", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyPairGenerator",
-+ null);
-+ }
-
- /*
- * Algorithm parameter generation engines
-@@ -430,15 +437,17 @@ public final class SunJCE extends Provider {
- "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
- null);
-
-- /*
-- * Key Agreement engines
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyClasses",
"javax.crypto.interfaces.DHPublicKey" +
-- "|javax.crypto.interfaces.DHPrivateKey");
-- psA("KeyAgreement", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyAgreement",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key Agreement engines
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
-+ "|javax.crypto.interfaces.DHPrivateKey");
-+ psA("KeyAgreement", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyAgreement",
-+ attrs);
-+ }
-
- /*
- * Algorithm Parameter engines
-@@ -531,197 +540,199 @@ public final class SunJCE extends Provider {
- psA("AlgorithmParameters", "ChaCha20-Poly1305",
- "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null);
-
-- /*
-- * Key factories
-- */
-- psA("KeyFactory", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyFactory",
-- null);
--
-- /*
-- * Secret-key factories
-- */
-- ps("SecretKeyFactory", "DES",
-- "com.sun.crypto.provider.DESKeyFactory");
--
-- psA("SecretKeyFactory", "DESede",
-- "com.sun.crypto.provider.DESedeKeyFactory", null);
--
-- psA("SecretKeyFactory", "PBEWithMD5AndDES",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
-- null);
--
-- /*
-- * Internal in-house crypto algorithm used for
-- * the JCEKS keystore type. Since this was developed
-- * internally, there isn't an OID corresponding to this
-- * algorithm.
-- */
-- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
-- null);
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
--
-- ps("SecretKeyFactory",
"PBEWithHmacSHA512AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
--
-- // PBKDF2
-- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-- null);
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
--
-- /*
-- * MAC
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-- attrs);
-- psA("Mac", "HmacSHA224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-- psA("Mac", "HmacSHA256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-- psA("Mac", "HmacSHA384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-- psA("Mac", "HmacSHA512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-- psA("Mac", "HmacSHA512/224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-- psA("Mac", "HmacSHA512/256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-- psA("Mac", "HmacSHA3-224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-- psA("Mac", "HmacSHA3-256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-- psA("Mac", "HmacSHA3-384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-- psA("Mac", "HmacSHA3-512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
--
-- ps("Mac", "HmacPBESHA1",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-- null, attrs);
-- ps("Mac", "HmacPBESHA224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-- null, attrs);
--
ps("Mac", "HmacPBESHA256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-- null, attrs);
-- ps("Mac", "HmacPBESHA384",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-- null, attrs);
--
--
-- // PBMAC1
-- ps("Mac", "PBEWithHmacSHA1",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-- ps("Mac", "PBEWithHmacSHA224",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-- ps("Mac", "PBEWithHmacSHA256",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-- ps("Mac", "PBEWithHmacSHA384",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-- ps("Mac", "PBEWithHmacSHA512",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-- ps("Mac", "SslMacMD5",
-- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-- ps("Mac", "SslMacSHA1",
-- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
--
-- /*
-- * KeyStore
-- */
-- ps("KeyStore", "JCEKS",
-- "com.sun.crypto.provider.JceKeyStore");
--
-- /*
-- * SSL/TLS mechanisms
-- *
-- * These are strictly internal implementations and may
-- * be changed at any time. These names were chosen
-- * because PKCS11/SunPKCS11 does not yet have TLS1.2
-- * mechanisms, and it will cause calls to come here.
-- */
-- ps("KeyGenerator", "SunTlsPrf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V10");
-- ps("KeyGenerator", "SunTls12Prf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V12");
--
-- ps("KeyGenerator", "SunTlsMasterSecret",
-- "com.sun.crypto.provider.TlsMasterSecretGenerator",
-- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-- null);
--
-- ps("KeyGenerator", "SunTlsKeyMaterial",
-- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-- List.of("SunTls12KeyMaterial"), null);
--
-- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-- List.of("SunTls12RsaPremasterSecret"), null);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key factories
-+ */
-+ psA("KeyFactory", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyFactory",
-+ null);
-+
-+ /*
-+ * Secret-key factories
-+ */
-+ ps("SecretKeyFactory", "DES",
-+ "com.sun.crypto.provider.DESKeyFactory");
-+
-+ psA("SecretKeyFactory", "DESede",
-+ "com.sun.crypto.provider.DESedeKeyFactory", null);
-+
-+ psA("SecretKeyFactory", "PBEWithMD5AndDES",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
-+ null);
-+
-+ /*
-+ * Internal in-house crypto algorithm used for
-+ * the JCEKS keystore type. Since this was developed
-+ * internally, there isn't an OID corresponding to this
-+ * algorithm.
-+ */
-+ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
-+ null);
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
-+
-+ ps("SecretKeyFactory",
"PBEWithHmacSHA512AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
-+
-+ // PBKDF2
-+ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-+ null);
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
-+
-+ /*
-+ * MAC
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-+ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-+ attrs);
-+ psA("Mac", "HmacSHA224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-+ psA("Mac", "HmacSHA256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-+ psA("Mac", "HmacSHA384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-+ psA("Mac", "HmacSHA512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-+ psA("Mac", "HmacSHA512/224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-+ psA("Mac", "HmacSHA512/256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-+ psA("Mac", "HmacSHA3-224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-+ psA("Mac", "HmacSHA3-256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-+ psA("Mac", "HmacSHA3-384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-+ psA("Mac", "HmacSHA3-512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
-+
-+ ps("Mac", "HmacPBESHA1",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-+ null, attrs);
-+
ps("Mac", "HmacPBESHA256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA384",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-+ null, attrs);
-+
-+
-+ // PBMAC1
-+ ps("Mac", "PBEWithHmacSHA1",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA224",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA256",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA384",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA512",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-+ ps("Mac", "SslMacMD5",
-+ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-+ ps("Mac", "SslMacSHA1",
-+ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
-+
-+ /*
-+ * KeyStore
-+ */
-+ ps("KeyStore", "JCEKS",
-+ "com.sun.crypto.provider.JceKeyStore");
-+
-+ /*
-+ * SSL/TLS mechanisms
-+ *
-+ * These are strictly internal implementations and may
-+ * be changed at any time. These names were chosen
-+ * because PKCS11/SunPKCS11 does not yet have TLS1.2
-+ * mechanisms, and it will cause calls to come here.
-+ */
-+ ps("KeyGenerator", "SunTlsPrf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V10");
-+ ps("KeyGenerator", "SunTls12Prf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V12");
-+
-+ ps("KeyGenerator", "SunTlsMasterSecret",
-+ "com.sun.crypto.provider.TlsMasterSecretGenerator",
-+ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-+ null);
-+
-+ ps("KeyGenerator", "SunTlsKeyMaterial",
-+ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-+ List.of("SunTls12KeyMaterial"), null);
-+
-+ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-+ List.of("SunTls12RsaPremasterSecret"), null);
-+ }
- }
-
- // Return the instance of this class or create one if needed.
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
-index 7cb5ebcde51..709d32912ca 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
-+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
-@@ -193,20 +193,22 @@ public final class SunEntries {
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
- dsaKPGImplClass += (useLegacyDSA?
"Legacy" : "Current");
- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ }
-
-- /*
-- * Algorithm Parameter Generator engines
-- */
-- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
-- "sun.security.provider.DSAParameterGenerator", attrs);
-- attrs.remove("KeySize");
-+ /*
-+ * Algorithm Parameter Generator engines
-+ */
-+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
-+ "sun.security.provider.DSAParameterGenerator", attrs);
-+ attrs.remove("KeySize");
-
-- /*
-- * Algorithm Parameter engines
-- */
-- addWithAlias(p, "AlgorithmParameters", "DSA",
-- "sun.security.provider.DSAParameters", attrs);
-+ /*
-+ * Algorithm Parameter engines
-+ */
-+ addWithAlias(p, "AlgorithmParameters", "DSA",
-+ "sun.security.provider.DSAParameters", attrs);
-
-+ if (!systemFipsEnabled) {
- /*
- * Key factories
- */
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-index ca79f25cc44..16c5ad2e227 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-+++ openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-@@ -27,6 +27,7 @@ package sun.security.rsa;
-
- import java.util.*;
- import java.security.Provider;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityProviderConstants.getAliases;
-
- /**
-@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
- */
- public final class SunRsaSignEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private void add(Provider p, String type, String algo, String cn,
- List aliases, HashMap attrs) {
- services.add(new Provider.Service(p, type, algo, cn,
-@@ -56,49 +61,52 @@ public final class SunRsaSignEntries {
- // start populating content using the specified provider
- // common attribute map
- HashMap attrs = new HashMap<>(3);
-- attrs.put("SupportedKeyClasses",
-- "java.security.interfaces.RSAPublicKey" +
-- "|java.security.interfaces.RSAPrivateKey");
-+ if (!systemFipsEnabled) {
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+
-+ add(p, "KeyFactory", "RSA",
-+ "sun.security.rsa.RSAKeyFactory$Legacy",
-+ getAliases("PKCS1"), null);
-+ add(p, "KeyPairGenerator", "RSA",
-+ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-+ getAliases("PKCS1"), null);
-+ addA(p, "Signature", "MD2withRSA",
-+ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-+ addA(p, "Signature", "MD5withRSA",
-+ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-+ addA(p, "Signature", "SHA1withRSA",
-+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-+ addA(p, "Signature", "SHA224withRSA",
-+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-+ addA(p, "Signature", "SHA256withRSA",
-+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-+ addA(p, "Signature", "SHA384withRSA",
-+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-+ addA(p, "Signature", "SHA512withRSA",
-+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-+ addA(p, "Signature", "SHA512/224withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-+ addA(p, "Signature", "SHA512/256withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-224withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-+ addA(p, "Signature", "SHA3-256withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-384withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-+ addA(p, "Signature", "SHA3-512withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-
-- add(p, "KeyFactory", "RSA",
-- "sun.security.rsa.RSAKeyFactory$Legacy",
-- getAliases("PKCS1"), null);
-- add(p,
"KeyPairGenerator", "RSA",
-- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-- getAliases("PKCS1"), null);
-- addA(p, "Signature", "MD2withRSA",
-- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-- addA(p, "Signature", "MD5withRSA",
-- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-- addA(p, "Signature", "SHA1withRSA",
-- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-- addA(p, "Signature", "SHA224withRSA",
-- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-- addA(p, "Signature", "SHA256withRSA",
-- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-- addA(p, "Signature", "SHA384withRSA",
-- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-- addA(p, "Signature", "SHA512withRSA",
-- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-- addA(p, "Signature", "SHA512/224withRSA",
-- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-- addA(p, "Signature", "SHA512/256withRSA",
-- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-224withRSA",
-- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-- addA(p, "Signature", "SHA3-256withRSA",
-- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-384withRSA",
-- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-- addA(p, "Signature", "SHA3-512withRSA",
-- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+ addA(p, "KeyFactory", "RSASSA-PSS",
-+ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
-+ addA(p, "KeyPairGenerator", "RSASSA-PSS",
-+ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-+ addA(p, "Signature", "RSASSA-PSS",
-+ "sun.security.rsa.RSAPSSSignature", attrs);
-+ }
-
-- addA(p, "KeyFactory", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
-- addA(p, "KeyPairGenerator", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-- addA(p, "Signature", "RSASSA-PSS",
-- "sun.security.rsa.RSAPSSSignature", attrs);
- addA(p, "AlgorithmParameters",
"RSASSA-PSS",
- "sun.security.rsa.PSSParameters", null);
- }
-diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
-index 3a322854204..5a355e70cae 100644
---- openjdk.orig/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -86,6 +86,8 @@ fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
- fips.provider.2=SUN
- fips.provider.3=SunEC
- fips.provider.4=SunJSSE
-+fips.provider.5=SunJCE
-+fips.provider.6=SunRsaSign
-
- #
- # A list of preferred providers for specific algorithms. These providers will
diff --git a/rh2052829-fips_runtime_nss_detection.patch b/rh2052829-fips_runtime_nss_detection.patch
deleted file mode 100644
index c609fce..0000000
--- a/rh2052829-fips_runtime_nss_detection.patch
+++ /dev/null
@@ -1,213 +0,0 @@ -commit 090ea0389db5c2e0c8ee13652bccd544b17872c2 -Author: Andrew Hughes -Date: Mon Feb 7 15:33:27 2022 +0000 - - RH2051605: Detect NSS at Runtime for FIPS detection - -diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c -index caf678a7dd6..8dcb7d9073f 100644 ---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c -+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c -@@ -23,26 +23,37 @@ - * questions. - */ - --#include - #include - #include -+#include "jvm_md.h" - #include - - #ifdef SYSCONF_NSS - #include -+#else -+#include - #endif //SYSCONF_NSS - - #include "java_security_SystemConfigurator.h" - --#define MSG_MAX_SIZE 96 -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); - -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; - static jmethodID debugPrintlnMethodID = NULL; - static jobject debugObj = NULL; - --// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read --#ifndef SYSCONF_NSS -- --#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} - - static void throwIOException(JNIEnv *env, const char *msg) - { -@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg) - (*env)->ThrowNew(env, cls, msg); - } - --#endif -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} - --static void dbgPrint(JNIEnv *env, const char* msg) -+// Only used when NSS is not linked at build time 
-+#ifndef SYSCONF_NSS -+ -+static void *nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) - { -- jstring jMsg; -- if (debugObj != NULL) { -- jMsg = (*env)->NewStringUTF(env, msg); -- CHECK_NULL(jMsg); -- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -- } -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } - } - -+#endif -+ - /* - * Class: java_security_SystemConfigurator - * Method: JNI_OnLoad -@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) - debugObj = (*env)->NewGlobalRef(env, debugObj); - } - -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ - return (*env)->GetVersion(env); - } - -@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) - if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { - return; /* Should not happen */ - } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif - (*env)->DeleteGlobalRef(env, 
debugObj); - } - } -@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn - char msg[MSG_MAX_SIZE]; - int msg_bytes; - --#ifdef SYSCONF_NSS -- -- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -- fips_enabled = SECMOD_GetSystemFIPSEnabled(); -- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -- dbgPrint(env, msg); -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); - } else { -- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ -- " SECMOD_GetSystemFIPSEnabled return value"); -- } -- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ FILE *fe; - --#else // SYSCONF_NSS -- -- FILE *fe; -- -- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { - throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); - return JNI_FALSE; -- } -- fips_enabled = fgetc(fe); -- fclose(fe); -- if (fips_enabled == EOF) { -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { - throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); - return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); - } -- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -- " read character is '%c'", fips_enabled); -- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -- dbgPrint(env, msg); -- } else { -- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ -- " read character"); -- } -- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -- --#endif // SYSCONF_NSS - } From 2879030caf2866f2fa19887e662a284f771a81ff Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 22 Jun 2022 20:17:41 +0100 Subject: [PATCH 28/61] Update FIPS support to bring in latest changes * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch Enable system security properties in the RPM (now disabled by default in the FIPS repo) Improve security properties test to check both enabled and disabled behaviour Run security properties test with property debugging on --- TestSecurityProperties.java | 34 +++- ...85b13d.patch => fips-17u-f8142a23d0a.patch | 167 +++++++++++++----- java-17-openjdk.spec | 30 +++- ...ut_nss_cfg_provider_to_java_security.patch | 4 +- 4 files changed, 175 insertions(+), 60 deletions(-) rename fips-17u-3625385b13d.patch => fips-17u-f8142a23d0a.patch (96%) diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java index 06a0b07..552bd0f 100644 --- a/TestSecurityProperties.java +++ b/TestSecurityProperties.java 
@@ -9,35 +9,59 @@ public class TestSecurityProperties { // JDK 8 private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; + + private static final String MSG_PREFIX = "DEBUG: "; + public static void main(String[] args) { + if (args.length == 0) { + System.err.println("TestSecurityProperties "); + System.err.println("Invoke with 'true' if system security properties should be enabled."); + System.err.println("Invoke with 'false' if system security properties should be disabled."); + System.exit(1); + } + boolean enabled = Boolean.valueOf(args[0]); + System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); Properties jdkProps = new Properties(); loadProperties(jdkProps); + if (enabled) { + loadPolicy(jdkProps); + } for (Object key: jdkProps.keySet()) { String sKey = (String)key; String securityVal = Security.getProperty(sKey); String jdkSecVal = jdkProps.getProperty(sKey); if (!securityVal.equals(jdkSecVal)) { - String msg = "Expected value '" + jdkSecVal + "' for key '" + + String msg = "Expected value '" + jdkSecVal + "' for key '" + sKey + "'" + " but got value '" + securityVal + "'"; throw new RuntimeException("Test failed! 
" + msg); } else { - System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); } } System.out.println("TestSecurityProperties PASSED!"); } - + private static void loadProperties(Properties props) { String javaVersion = System.getProperty("java.version"); - System.out.println("Debug: Java version is " + javaVersion); + System.out.println(MSG_PREFIX + "Java version is " + javaVersion); String propsFile = JDK_PROPS_FILE_JDK_11; if (javaVersion.startsWith("1.8.0")) { propsFile = JDK_PROPS_FILE_JDK_8; } - try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + try (FileInputStream fin = new FileInputStream(propsFile)) { props.load(fin); } catch (Exception e) { throw new RuntimeException("Test failed!", e); } } + + private static void loadPolicy(Properties props) { + try (FileInputStream fin = new FileInputStream(POLICY_FILE)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + } diff --git a/fips-17u-3625385b13d.patch b/fips-17u-f8142a23d0a.patch similarity index 96% rename from fips-17u-3625385b13d.patch rename to fips-17u-f8142a23d0a.patch index eecef3b..c07a4bf 100644 --- a/fips-17u-3625385b13d.patch +++ b/fips-17u-f8142a23d0a.patch @@ -1398,7 +1398,7 @@ index a020e1c15d8..6d459fdec01 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index ff2bc942c03..d303ae5c8f3 100644 +index ff2bc942c03..96a3ba4040c 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -32,6 +32,7 @@ import java.net.URL; 
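Review bot: In the enabled run, `securityVal.equals(jdkSecVal)` can throw a NullPointerException instead of reporting a test failure. `loadPolicy` now adds keys from `/etc/crypto-policies/back-ends/java.config`, and `Security.getProperty` returns null for any of them the JDK did not load. That is the case the test exists to report (system security properties not applied), so the message naming the key is lost. I would compare from the non-null side: `if (!jdkSecVal.equals(securityVal)) {`. Separately, `Boolean.valueOf(args[0])` maps every argument other than `true` to the disabled case; rejecting anything but `true`/`false` next to the `args.length == 0` check would stop a typo from silently selecting a mode.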
@@ -1409,7 +1409,7 @@ index ff2bc942c03..d303ae5c8f3 100644 import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -47,6 +48,9 @@ import sun.security.jca.*; +@@ -47,12 +48,20 @@ import sun.security.jca.*; * implementation-specific location, which is typically the properties file * {@code conf/security/java.security} in the Java installation directory. * @@ -1419,7 +1419,18 @@ index ff2bc942c03..d303ae5c8f3 100644 * @author Benjamin Renaud * @since 1.1 */ -@@ -67,6 +71,19 @@ public final class Security { + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -67,6 +76,19 @@ public final class Security { } static { @@ -1439,7 +1450,15 @@ index ff2bc942c03..d303ae5c8f3 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -99,6 +116,7 @@ public final class Security { +@@ -84,6 +106,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -99,6 +122,7 @@ public final class Security { if (sdebug != null) { sdebug.println("reading security properties file: " + propFile); 
@@ -1447,30 +1466,63 @@ index ff2bc942c03..d303ae5c8f3 100644 } } catch (IOException e) { if (sdebug != null) { -@@ -193,6 +211,28 @@ public final class Security { +@@ -193,6 +217,61 @@ public final class Security { } } -+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); -+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && -+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { -+ if (!SystemConfigurator.configureSysProps(props)) { ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { + if (sdebug != null) { -+ sdebug.println("WARNING: System properties could not be loaded."); ++ sdebug.println("WARNING: System security properties could not be loaded."); + } + } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } + } + + // FIPS support depends on the contents of java.security so + // ensure it has loaded first -+ if (loadedProps) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS support enabled."); -+ } else { -+ sdebug.println("FIPS support disabled."); ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); + } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ 
sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); + } + } } @@ -1478,10 +1530,10 @@ index ff2bc942c03..d303ae5c8f3 100644 /* diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 -index 00000000000..da2af5defda +index 00000000000..98ffced455b --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,245 @@ +@@ -0,0 +1,249 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * @@ -1562,13 +1614,13 @@ index 00000000000..da2af5defda + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { -+ boolean loadedProps = false; ++ boolean systemSecPropsLoaded = false; + + try (BufferedInputStream bis = + new BufferedInputStream( + new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { + props.load(bis); -+ loadedProps = true; ++ systemSecPropsLoaded = true; + if (sdebug != null) { + sdebug.println("reading system security properties file " + + CRYPTO_POLICIES_JAVA_CONFIG); @@ -1581,7 +1633,7 @@ index 00000000000..da2af5defda + e.printStackTrace(); + } + } -+ return loadedProps; ++ return systemSecPropsLoaded; + } + + /* 
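Review bot: `sysUseProps` holds the value of `java.security.disableSystemPropertiesFile`, so the name says the opposite of what it stores and `!sysUseProps && secUseProps` is easy to misread; `boolean sysPropsDisabled = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));` would match the switch. The `else` branch prints "disabled by user" even when the only reason is `security.useSystemPropertiesFile=false` in java.security, which this same commit makes the shipped default. The final `else` also prints the FIPS warning when `loadedProps` is false, so each debug message should name the switch that decided the outcome, since that output is what an operator on a FIPS host reads to see why FIPS providers were not configured. Replacing the null/`"false"` comparison with `Boolean.valueOf` also means values such as an empty string no longer disable the system properties file; that deserves a line in the comment above the block. The enclosing method starts and ends outside this hunk.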
@@ -1653,6 +1705,8 @@ index 00000000000..da2af5defda + sdebug.println("FIPS support enabled without plain key support"); + } + } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } + } + } catch (Exception e) { + if (sdebug != null) { 
@@ -1693,37 +1747,39 @@ index 00000000000..da2af5defda + return plainKeySupportEnabled; + } + -+ /* -+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips -+ * system property is true (default) and the system is in FIPS mode. ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. + * + * There are 2 possible ways in which OpenJDK detects that the system + * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is + * available at OpenJDK's built-time, it is called; 2) otherwise, the + * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode + */ + private static boolean enableFips() throws Exception { -+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -+ if (shouldEnable) { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); + if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); + } -+ try { -+ shouldEnable = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + shouldEnable); -+ } -+ return shouldEnable; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); + } -+ } else { -+ return false; ++ throw e; + } + } +} 
@@ -2352,7 +2408,7 @@ index 894e26dfad8..8b16378b96b 100644 "sun.security.ssl.SSLContextImpl$TLSContext", List.of("SSL"), null); diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 6d91e3f8e4e..5a355e70cae 100644 +index 6d91e3f8e4e..adfaf57d29e 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -79,6 +79,16 @@ security.provider.tbd=Apple @@ -2360,7 +2416,7 @@ index 6d91e3f8e4e..5a355e70cae 100644 security.provider.tbd=SunPKCS11 +# -+# Security providers used when global crypto-policies are set to FIPS. ++# Security providers used when FIPS mode support is active +# +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +fips.provider.2=SUN @@ -2393,7 +2449,7 @@ index 6d91e3f8e4e..5a355e70cae 100644 +# using the system properties file stored at +# /etc/crypto-policies/back-ends/java.config +# -+security.useSystemPropertiesFile=true ++security.useSystemPropertiesFile=false + # # Determines the default key and trust manager factory algorithms for @@ -3074,7 +3130,7 @@ index 112b639aa96..5549cd9ed4e 100644 if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 5c0aacd1a67..372a50dd587 100644 +index 5c0aacd1a67..1e98ce2e280 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; 
@@ -3087,8 +3143,21 @@ index 5c0aacd1a67..372a50dd587 100644 import java.util.*; import java.security.AccessController; -@@ -152,16 +155,30 @@ public class PKCS11 { +@@ -150,18 +153,43 @@ public class PKCS11 { + this.pkcs11ModulePath = pkcs11ModulePath; + } ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null, null); ++ } ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { @@ -3121,7 +3190,7 @@ index 5c0aacd1a67..372a50dd587 100644 } if (omitInitialize == false) { try { -@@ -1911,4 +1928,194 @@ static class SynchronizedPKCS11 extends PKCS11 { +@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 057f7ad..b9b18b5 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -328,7 +328,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 3625385b13d +%global fipsver f8142a23d0a # Standard JPackage naming and versioning defines %global origin openjdk 
@@ -336,7 +336,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 2 +%global rpmrelease 3 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1327,6 +1327,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode # RH2023467: Enable FIPS keys export # RH2094027: SunEC runtime permission for FIPS +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together Patch1001: fips-17u-%{fipsver}.patch ############################################# @@ -2035,6 +2037,12 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} +# Pre-test setup + +# Turn on system security properties +sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${JAVA_HOME}/conf/security/java.security + #check Shenandoah is enabled %if %{use_shenandoah_hotspot} $JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version 
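Review bot: The `sed -i` that sets `security.useSystemPropertiesFile=true` succeeds even when no line matches. If the key is renamed or dropped from java.security, the image silently keeps system crypto policy, and with it FIPS mode support, switched off. A check right after it, `grep -q '^security.useSystemPropertiesFile=true$' ${JAVA_HOME}/conf/security/java.security`, turns that into a build failure. The edit is made under "Pre-test setup" on the tree `JAVA_HOME` points at; the section header is outside the hunk, so it is worth confirming that the packaged java.security still receives the setting when tests are skipped. The same unverified `sed` appears in the `installjdk` hunk of PATCH 32/61.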
@@ -2048,9 +2056,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") -# Check system crypto (policy) can be disabled +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. $JAVA_HOME/bin/javac -d . %{SOURCE15} -$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi @@ -2517,6 +2530,15 @@ cjc.mainProgram(args) %endif %changelog +* Wed Jun 22 2022 Andrew Hughes - 1:17.0.3.0.7-3 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on + * Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-2 - Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch 
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch index b552b99..6d2342a 100644 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch @@ -1,5 +1,5 @@ diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 5a355e70cae..c730ea26ea2 100644 +index adfaf57d29e..abf89bbf327 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI @@ -9,4 +9,4 @@ index 5a355e70cae..c730ea26ea2 100644 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg # - # Security providers used when global crypto-policies are set to FIPS. + # Security providers used when FIPS mode support is active From a6295304fdbd0c105ba5d6c09e45495e7ec0a631 Mon Sep 17 00:00:00 2001 From: Stephan Bergmann Date: Tue, 14 Jun 2022 13:08:00 +0200 Subject: [PATCH 29/61] Fix flatpak builds (catering for their uncompressed manual pages) ...see for details --- java-17-openjdk.spec | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index b9b18b5..dae285c 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -336,7 +336,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 3 +%global rpmrelease 4 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -933,7 +933,7 @@ exit 0 %ifarch %{sa_arches} %ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb -%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1* %endif %endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo @@ -972,11 +972,11 @@ exit 0 %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* %if %{with_systemtap} %dir %{tapsetroot} @@ -2530,6 +2530,9 @@ cjc.mainProgram(args) %endif %changelog +* Mon Jun 27 2022 Stephan Bergmann - 1:17.0.3.0.7-4 +- Fix flatpak builds (catering for their uncompressed manual pages) + * Wed Jun 22 2022 Andrew Hughes - 1:17.0.3.0.7-3 - Update FIPS support to bring in latest changes - * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage From 92f9e6d8e30cce2d96af267b7579b4ab851eda0a Mon Sep 17 00:00:00 2001 
From: Francisco Ferrari Bihurriet Date: Thu, 30 Jun 2022 13:51:25 -0300 Subject: [PATCH 30/61] RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION --- java-17-openjdk.spec | 5 ++++- nss.fips.cfg.in | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index dae285c..31c6750 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -336,7 +336,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 4 +%global rpmrelease 5 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -2530,6 +2530,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-5 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode + * Mon Jun 27 2022 Stephan Bergmann - 1:17.0.3.0.7-4 - Fix flatpak builds (catering for their uncompressed manual pages) diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in index 1aff153..2d9ec35 100644 --- a/nss.fips.cfg.in +++ b/nss.fips.cfg.in @@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } + From de9ee0719807ae772e241f5e8cd8f76291d331e7 Mon Sep 17 00:00:00 2001 
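Review bot: The new `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)` line has no comment in nss.fips.cfg.in explaining why every generic secret key is created with `CKA_SIGN=true`. Someone auditing the shipped FIPS configuration cannot tell a deliberate setting from an accidental widening of key usage. The commit message names generate and import while the template uses `*`, so the comment should also state that the wildcard is intended. I would add above the line: `# RH2007331: set CKA_SIGN on generic secret keys created by generate/import in FIPS mode`.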
From: Stephan Bergmann Date: Mon, 4 Apr 2022 14:58:57 +0200 Subject: [PATCH 31/61] Fix flatpak builds ...after 19065a8b01585a1aa5f22e38e99fc0c47c597074 "Temporarily move x86 to use Zero in order to get a working build": When building the > if ${run_bootstrap} ; then branch for suffix='' and loop='-main', the second > buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk on the previous line. But installjdk does > rm ${imagepath}/lib/tzdb.dat > ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non- flatpak build) which is not present at build-time (but will be present at runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for the flatpak /app prefix). So using that JDK's compiler during the build kept failing due to java.io.FileNotFoundException for its lib/tzdb.dat. (This was not an issue prior to 19065a8b01585a1aa5f22e38e99fc0c47c597074, as installjdk's modification of lib/tzdb.dat used to be done only for the "Final setup on the main image" at the very end of the build, not during the build for JDKs that are themselves used later during the build.) The easiest workaround for this issue appears to be to just not bootstrap_build in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has been modified through installjdk is used during the build. --- java-17-openjdk.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 31c6750..7950912 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -190,11 +190,15 @@ %global staticlibs_loop %{nil} %endif +%if 0%{?flatpak} +%global bootstrap_build false +%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif +%endif %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from @@ -336,7 +340,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 5 +%global rpmrelease 6 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -2530,6 +2534,9 @@ cjc.mainProgram(args) %endif %changelog +* Fri Jul 01 2022 Stephan Bergmann - 1:17.0.3.0.7-6 +- Fix flatpak builds by exempting them from bootstrap + * Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-5 - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode From 14d01cca4a503d51f3948b24adfa87b26a46a95f Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 5 Jul 2022 18:01:34 +0100 Subject: [PATCH 32/61] Turn on system security properties as part of the build's install section Move cacerts replacement to install section and retain original of this and tzdb.dat Run tests on the installed image, rather than the build image Introduce variables to refer to the static library installation directories Use relative symlinks so they work within the image Run debug symbols check during build stage, before the install strips them --- java-17-openjdk.spec | 221 +++++++++++++++++++++++-------------------- 1 file changed, 120 insertions(+), 101 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 7950912..c9d86fe 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -340,7 +340,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 6 +%global rpmrelease 7 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -404,6 +404,10 @@ # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs +# installation directory for static libraries +%global static_libs_root lib/static +%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall} +%global static_libs_install_dir %{static_libs_arch_dir}/glibc # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch @@ -810,6 +814,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so @@ -868,6 +873,7 @@ exit 0 %dir %{etcjavadir -- %{?1}}/lib %dir %{etcjavadir -- %{?1}}/lib/security %{etcjavadir -- %{?1}}/lib/security/cacerts +%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream %dir %{etcjavadir -- %{?1}}/conf %dir %{etcjavadir -- %{?1}}/conf/sdp %dir %{etcjavadir -- %{?1}}/conf/management 
@@ -1038,10 +1044,10 @@ exit 0 } %define files_static_libs() %{expand: -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir} +%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a } %define files_javadoc() %{expand: @@ -1806,6 +1812,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg %build + # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1946,9 +1953,18 @@ function installjdk() { # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security + # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + mv ${imagepath}/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + + # Rename OpenJDK cacerts database + mv ${imagepath}/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security # Create fake alt-java as a placeholder for future alt-java pushd ${imagepath} 
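Review bot: The `sed -i` added to installjdk to set `security.useSystemPropertiesFile=true` exits 0 even when no line matches, so a missing or renamed property line in `conf/security/java.security` would silently leave the system crypto policy off in the image. The `%check` run of the security-properties test with argument `true` would catch this, but only when `%check` is executed. A guard placed directly after the sed fails at the point of the edit: `grep -q '^security.useSystemPropertiesFile=true$' ${imagepath}/conf/security/java.security`. This assumes the build script aborts on a non-zero exit, as the comments in debugcheckjdk imply. installjdk begins before this hunk and continues past it.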
@@ -1959,6 +1975,82 @@ function installjdk() { fi } +# Checks on debuginfo must be performed before the files are stripped +# by the RPM installation stage +function debugcheckjdk() { + local imagepath=${1} + + if [ -d ${imagepath} ] ; then + + so_suffix="so" + # Check debug symbols are present and can identify code + find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib + do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then + echo "bad .gnu_debuglink section." 
+ eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi + done + + # Make sure gdb can do a backtrace based on line numbers on libjvm.so + # javaCalls.cpp:58 should map to: + # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 + # Using line number 1 might cause build problems. See: + # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 + # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 + gdb -q "${imagepath}/bin/java" < - 1:17.0.3.0.7-7 +- Turn on system security properties as part of the build's install section +- Move cacerts replacement to install section and retain original of this and tzdb.dat +- Run tests on the installed image, rather than the build image +- Introduce variables to refer to the static library installation directories +- Use relative symlinks so they work within the image +- Run debug symbols check during build stage, before the install strips them + * Fri Jul 01 2022 Stephan Bergmann - 1:17.0.3.0.7-6 - Fix flatpak builds by exempting them from bootstrap From 034d3998e606a175245c36ea793bce0c2e9df0b1 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Thu, 7 Jul 2022 20:26:58 +0100 Subject: [PATCH 33/61] Sequence spec file sections as they are run by rpmbuild (build, install then test) --- java-17-openjdk.spec | 129 ++++++++++++++++++++++--------------------- 1 file changed, 67 insertions(+), 62 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index c9d86fe..9a63e0b 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -2123,68 +2123,6 @@ for suffix in %{build_loop} ; do # build cycles done # end of release / debug cycle loop -%check - -# We test debug first as it will give better diagnostics on a crash -for suffix in %{build_loop} ; do - -export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} - -#check Shenandoah is enabled -%if %{use_shenandoah_hotspot} -$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version -%endif - -# Check unlimited policy has been used -$JAVA_HOME/bin/javac -d . %{SOURCE13} -$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel - -# Check ECC is working -$JAVA_HOME/bin/javac -d . %{SOURCE14} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") - -# Check system crypto (policy) is active and can be disabled -# Test takes a single argument - true or false - to state whether system -# security properties are enabled or not. -$JAVA_HOME/bin/javac -d . %{SOURCE15} -export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") -export SEC_DEBUG="-Djava.security.debug=properties" -$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true -$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false - -# Check java launcher has no SSB mitigation -if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi - -# Check alt-java launcher has SSB mitigation on supported architectures -%ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation -%else -if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi -%endif - -%if %{include_staticlibs} -# Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c -%endif - -# Check src.zip has all sources. 
See RHBZ#1130490 -$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' - -# Check class files include useful debugging information -$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable - -# Check generated class files include useful debugging information -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable - -# build cycles check -done - %install STRIP_KEEP_SYMTAB=libjvm* 
@@ -2301,6 +2239,70 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6 # end, dual install done +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +# Tests in the check stage are performed on the installed image +# rpmbuild operates as follows: build -> install -> test +export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} + +#check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. +$JAVA_HOME/bin/javac -d . %{SOURCE15} +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! 
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c +%endif + +# Check src.zip has all sources. See RHBZ#1130490 +$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + +# Check class files include useful debugging information +$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + +# Check generated class files include useful debugging information +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +# build cycles check +done + %if %{include_normal_build} # intentionally only for non-debug %pretrans headless -p @@ -2545,6 +2547,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jul 07 2022 Andrew Hughes - 1:17.0.3.0.7-7 +- Sequence spec file sections as they are run by rpmbuild (build, install then test) + * Tue Jul 05 2022 Andrew Hughes - 1:17.0.3.0.7-7 - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat From 1d41f8167f4acd4ac0e33e8ea3835b5535abe77d Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Thu, 7 Jul 2022 20:30:28 +0100 Subject: [PATCH 34/61] Fix whitespace in spec file --- java-17-openjdk.spec | 165 ++++++++++++++++++++++--------------------- 1 file changed, 84 insertions(+), 81 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 9a63e0b..40394dd 100644 
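Review bot: The negative SSB check `if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi` passes whenever grep finds no match, including when `nm` lists no symbols at all. The comment added in this hunk says the tests now run on the installed image, which may already have had symbols stripped. The check therefore cannot tell "the launcher lacks the mitigation call" from "the symbol table was not readable", and the same applies to the `%else` branch for `%{alt_java_name}`. Capturing the listing first makes the absence meaningful: `nm $JAVA_HOME/bin/java > java.syms`, `test -s java.syms`, then `if grep -q set_speculation java.syms ; then false ; fi`. The rest of the `%check` loop body is existing code moved unchanged.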
--- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -552,7 +552,7 @@ alternatives \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ - %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext %{set_if_needed_alternatives $key %{family}} 
@@ -1937,41 +1937,41 @@ function installjdk() { local imagepath=${1} if [ -d ${imagepath} ] ; then - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Turn on system security properties - sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ - ${imagepath}/conf/security/java.security + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security - # Use system-wide tzdata - mv ${imagepath}/lib/tzdb.dat{,.upstream} - ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + # Use 
system-wide tzdata + mv ${imagepath}/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - # Rename OpenJDK cacerts database - mv ${imagepath}/lib/security/cacerts{,.upstream} - # Install cacerts symlink needed by some apps which hard-code the path - ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security + # Rename OpenJDK cacerts database + mv ${imagepath}/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd fi } 
@@ -1982,58 +1982,58 @@ function debugcheckjdk() { if [ -d ${imagepath} ] ; then - so_suffix="so" - # Check debug symbols are present and can identify code - find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib - do - if [ -f "$lib" ] ; then - echo "Testing $lib for debug symbols" - # All these tests rely on RPM failing the build if the exit code of any set - # of piped commands is non-zero. + so_suffix="so" + # Check debug symbols are present and can identify code + find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib + do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. - # Test for .debug_* sections in the shared object. This is the main test - # Stripped objects will not contain these - eu-readelf -S "$lib" | grep "] .debug_" - test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 - # Test FILE symbols. These will most likely be removed by anything that - # manipulates symbol tables because it's generally useless. So a nice test - # that nothing has messed with symbols - old_IFS="$IFS" - IFS=$'\n' - for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") - do - # We expect to see .cpp files, except for architectures like aarch64 and - # s390 where we expect .o and .oS files - echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" - done - IFS="$old_IFS" + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. 
So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" - # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking - if [ "`basename $lib`" = "libjvm.so" ]; then - eu-readelf -s "$lib" | \ - grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" - fi + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi - # Test that there are no .gnu_debuglink sections pointing to another - # debuginfo file. There shouldn't be any debuginfo files, so the link makes - # no sense either - eu-readelf -S "$lib" | grep 'gnu' - if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then - echo "bad .gnu_debuglink section." - eu-readelf -x .gnu_debuglink "$lib" - false - fi - fi - done + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi + done - # Make sure gdb can do a backtrace based on line numbers on libjvm.so - # javaCalls.cpp:58 should map to: - # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 - # Using line number 1 might cause build problems. 
See: - # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 - # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 - gdb -q "${imagepath}/bin/java" < - 1:17.0.3.0.7-7 +- Fix whitespace in spec file + * Thu Jul 07 2022 Andrew Hughes - 1:17.0.3.0.7-7 - Sequence spec file sections as they are run by rpmbuild (build, install then test) From 9686b18e4ff6e393dbdb8a9256000685fa961430 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Mon, 11 Jul 2022 19:39:27 +0100 Subject: [PATCH 35/61] Update to jdk-17.0.4.0+1 Update release notes to 17.0.4.0+1 Switch to EA mode for 17.0.4 pre-release builds. Drop JDK-8282004 patch which is now upstreamed under JDK-8282231 Print release file during build, which should now include a correct SOURCE value from .src-rev Update tarball script with IcedTea GitHub URL and .src-rev generation Include script to generate bug list for release notes Update tzdata requirement to 2022a to match JDK-8283350 Move EA designator check to prep so failures can be caught earlier Make EA designator check non-fatal while upstream is not maintaining it --- .gitignore | 1 + NEWS | 256 +++++++++++++++++++ generate_source_tarball.sh | 19 +- java-17-openjdk.spec | 83 +++--- jdk8282004-x86_32-missing_call_effects.patch | 28 -- openjdk_news.sh | 76 ++++++ sources | 2 +- 7 files changed, 397 insertions(+), 68 deletions(-) delete mode 100644 jdk8282004-x86_32-missing_call_effects.patch create mode 100755 openjdk_news.sh diff --git a/.gitignore b/.gitignore index 9d53f89..eaa1e0c 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ /openjdk-jdk17u-jdk-17.0.3+5.tar.xz /openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz /openjdk-jdk17u-jdk-17.0.3+7.tar.xz +/openjdk-jdk17u-jdk-17.0.4+1.tar.xz diff --git a/NEWS b/NEWS index b0e58ad..5d91d43 100644 --- a/NEWS +++ b/NEWS 
@@ -3,6 +3,262 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.4 (2022-07-19): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1704 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt + +* Other changes + - JDK-8193682: Infinite loop in ZipOutputStream.close() + - JDK-8214733: runtime/8176717/TestInheritFD.java timed out + - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode + - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR + - JDK-8255266: Update Public Suffix List to 3c213aa + - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers + - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests + - JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure + - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well + - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL" + - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL + - JDK-8267163: Rename anonymous loader tests to hidden loader tests + - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo + - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped + - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in 
timeout + - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum + - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest + - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs + - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM + - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform + - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message + - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support + - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java + - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree + - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output + - JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled + - JDK-8270797: ShortECDSA.java test is not complete + - JDK-8270837: fix typos in test TestSigParse.java + - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom + - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack + - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code + - JDK-8271302: Regex Test Refresh + - JDK-8272146: Disable Fibonacci test on memory constrained systems + - JDK-8272168: some hotspot runtime/logging tests don't check exit code + - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty + - JDK-8272358: Some tests may fail when executed with other locales than the US + - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 + - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security + - 
JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted + - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions + - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME" + - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency + - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests + - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302 + - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case + - JDK-8274172: Convert JavadocTester to use NIO + - JDK-8274233: Minor cleanup for ToolBox + - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun + - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines + - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image + - JDK-8274751: Drag And Drop hangs on Windows + - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed + - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS + - JDK-8274983: C1 optimizes the invocation of private interface methods + - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows + - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty + - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert + - JDK-8275745: Reproducible copyright headers + - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers + - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt + - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win) + - JDK-8276657: XSLT compiler tries to define a class with empty name + - 
JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC + - JDK-8276825: hotspot/runtime/SelectionResolution test errors + - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java + - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary + - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations + - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics + - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive + - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND + - JDK-8277123: jdeps does not report some exceptions correctly + - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories + - JDK-8277166: Data race in jdeps VersionHelper + - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread + - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch + - JDK-8277893: Arraycopy stress tests + - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP + - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge + - JDK-8278014: [vectorapi] Remove test run script + - JDK-8278065: Refactor subclassAudits to use ClassValue + - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method + - JDK-8278472: Invalid value set to CANDIDATEFORM structure + - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null" + - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15 + - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date + - JDK-8278794: Infinite loop in DeflaterOutputStream.finish() + - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86 + - JDK-8278851: 
Correct signer logic for jars signed with multiple digestalgs + - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler + - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638 + - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC + - JDK-8279219: [REDO] C2 crash when allocating array of size too large + - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display + - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist! + - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM + - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked + - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism + - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64 + - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java + - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment + - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking + - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores + - JDK-8279668: x86: AVX2 versions of vpxor should be asserted + - JDK-8279822: CI: Constant pool entries in error state are not supported + - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled + - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region + - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos + - JDK-8279958: Provide configure hints for Alpine/apk package managers + - JDK-8280004: DCmdArgument::parse_value() should handle NULL 
input + - JDK-8280041: Retry loop issues in java.io.ClassCache + - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN + - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized + - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang + - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS + - JDK-8280600: C2: assert(!had_error) failed: bad dominance + - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device. + - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination + - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs + - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint + - JDK-8280940: gtest os.release_multi_mappings_vm is racy + - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range + - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y + - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly + - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64 + - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter + - JDK-8281262: Windows builds in different directories are not fully reproducible + - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly + - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info + - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths + - JDK-8281318: Improve jfr/event/allocation tests reliability + - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working + - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor + - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants + - JDK-8281544: assert(VM_Version::supports_avx512bw()) 
failed for Tests jdk/incubator/vector/ + - JDK-8281615: Deadlock caused by jdwp agent + - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions + - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature + - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 + - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling + - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway + - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1 + - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads + - JDK-8282225: GHA: Allow one concurrent run per PR only + - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers + - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive + - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert + - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 + - JDK-8282345: handle latest VS2022 in abstract_vm_version + - JDK-8282382: Report glibc malloc tunables in error reports + - JDK-8282444: Module finder incorrectly assumes default file system path-separator character + - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4 + - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output + - JDK-8282551: Properly initialize L32X64MixRandom state + - JDK-8282583: Update BCEL md to include the copyright notice + - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes + - JDK-8282592: C2: assert(false) failed: graph should be schedulable + - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig() + - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap + - JDK-8282887: 
Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows + - JDK-8283017: GHA: Workflows break with update release versions + - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails + - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c + - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing + - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize + - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled + - JDK-8283350: (tz) Update Timezone Data to 2022a + - JDK-8283408: Fix a C2 crash when filling arrays with unsafe + - JDK-8283422: Create a new test for JDK-8254790 + - JDK-8283451: C2: assert(_base == Long) failed: Not a Long + - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info + - JDK-8283641: Large value for CompileThresholdScaling causes assert + - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM + - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate + - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c + - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 + - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + - JDK-8284458: CodeHeapState::aggregate() leaks blob_name + - JDK-8284507: GHA: Only check test results if testing was not skipped + - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2 + - JDK-8284622: Update versions of some Github Actions used in JDK workflow + - JDK-8284866: Add test to JDK-8273056 + - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java + - JDK-8285342: Zero build failure with clang due to values not handled in switch + - JDK-8285445: cannot open file "NUL:" + +Notes on individual issues: 
+=========================== + +core-libs/java.net: + +JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos +================================================================ +Support has been added for TLS channel binding tokens for +Negotiate/Kerberos authentication over HTTPS through +javax.net.HttpsURLConnection. + +Channel binding tokens are increasingly required as an enhanced form +of security which can mitigate certain kinds of socially engineered, +man in the middle (MITM) attacks. They work by communicating from a +client to a server the client's understanding of the binding between +connection security (as represented by a TLS server cert) and higher +level authentication credentials (such as a username and +password). The server can then detect if the client has been fooled by +a MITM and shutdown the session/connection. + +The feature is controlled through a new system property +`jdk.https.negotiate.cbt` which is described fully at the following +page: + +https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt + +core-libs/java.lang: + +JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder +===================================================================== +ProcessBuilder on Windows is restored to address a regression caused +by JDK-8250568. Previously, an argument to ProcessBuilder that +started with a double-quote and ended with a backslash followed by a +double-quote was passed to a command incorrectly and may cause the +command to fail. For example the argument `"C:\\Program Files\"`, +would be seen by the command with extra double-quotes. This update +restores the long standing behavior that does not treat the backslash +before the final double-quote specially. 
+ + +core-libs/java.util.jar: + +JDK-8278386: Default JDK compressor will be closed when IOException is encountered +================================================================================== +`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods +have been modified to close out the associated default JDK compressor +before propagating a Throwable up the +stack. `ZIPOutputStream.closeEntry()` method has been modified to +close out the associated default JDK compressor before propagating an +IOException, not of type ZipException, up the stack. + +core-libs/java.io: + +JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File +================================================================================================= +The Windows implementation of `java.io.File` allows access to NTFS +Alternate Data Streams (ADS) by default. Such streams have a structure +like “filename:streamname”. A system property `jdk.io.File.enableADS` +has been added to control this behavior. To disable ADS support in +`java.io.File`, the system property `jdk.io.File.enableADS` should be +set to `false` (case ignored). Stricter path checking however prevents +the use of special devices such as `NUL:` + New in release OpenJDK 17.0.3 (2022-04-19): =========================================== Live versions of these release notes can be found at: diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index bf21bc4..eb99e1a 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -37,6 +37,8 @@ set -e OPENJDK_URL_DEFAULT=https://github.com COMPRESSION_DEFAULT=xz +# Corresponding IcedTea version +ICEDTEA_VERSION=12.0 if [ "x$1" = "xhelp" ] ; then echo -e "Behaviour may be specified by setting the following variables:\n" 
@@ -126,11 +128,10 @@ pushd "${FILE_NAME_ROOT}" echo "Syncing EC list with NSS" if [ "x$PR3823" = "x" ] ; then - # originally for 8: - # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag - # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823) + # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch + # Do not push it or publish it echo "PR3823 not found. Downloading..." - wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch + wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch echo "Applying ${PWD}/pr3823.patch" patch -Np1 < pr3823.patch rm pr3823.patch @@ -142,6 +143,14 @@ pushd "${FILE_NAME_ROOT}" popd fi + # Generate .src-rev so build has knowledge of the revision the tarball was created from + mkdir build + pushd build + sh ${PWD}/../openjdk/configure + make store-source-revision + popd + rm -rf build + echo "Compressing remaining forest" if [ "X$COMPRESSION" = "Xxz" ] ; then SWITCH=cJf @@ -152,5 +161,3 @@ pushd "${FILE_NAME_ROOT}" mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} .. popd echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT." - - diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 40394dd..22fe90f 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -309,7 +309,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 3 +%global updatever 4 %global patchver 0 # If you bump featurever, you must also bump vendor_version_string # Used via new version scheme. JDK 17 was 
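Review bot: The `wget` line fetches `pr3823.patch` from a branch ref (`raw/${ICEDTEA_VERSION}/...`, which the new comment itself calls a branch) and the following `patch -Np1` applies it to the source tree with no integrity check. The content behind that URL can change between runs, so two tarballs built from the same script may differ and a modified patch would not be noticed. I would record the expected digest next to `ICEDTEA_VERSION` and verify it before applying, e.g. `echo "${PR3823_SHA256}  pr3823.patch" | sha256sum -c -`, where `PR3823_SHA256` is a new variable holding the digest of the reviewed patch; alternatively put a commit id in the URL in place of the branch name. The enclosing `if` block starts and ends outside this hunk.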
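Review bot: In the `.src-rev` hunk, `sh ${PWD}/../openjdk/configure` expands `${PWD}` unquoted, so a working directory containing whitespace or glob characters is split into several arguments; write `sh "${PWD}/../openjdk/configure"`. A short comment would also help here saying that generating the tarball now needs whatever `configure` checks for on the machine running the script, since this step did not exist before. The surrounding `pushd "${FILE_NAME_ROOT}"` block starts outside the hunk.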
@@ -339,8 +339,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 7 -%global rpmrelease 7 +%global buildver 1 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -366,18 +366,18 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global build_type GA -%global expected_ea_designator "" +%global ea_designator "" %global ea_designator_zip "" %global extraver %{nil} %global eaprefix %{nil} %else %global build_type EA -%global expected_ea_designator ea -%global ea_designator_zip -%{expected_ea_designator} -%global extraver .%{expected_ea_designator} +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} %global eaprefix 0. %endif @@ -1106,7 +1106,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -Requires: tzdata-java >= 2015d +# 2022a required as of JDK-8283350 in 17.0.4 +Requires: tzdata-java >= 2022a # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1346,8 +1347,6 @@ Patch1001: fips-17u-%{fipsver}.patch # OpenJDK patches in need of upstreaming # ############################################# -# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects -Patch7: jdk8282004-x86_32-missing_call_effects.patch BuildRequires: autoconf BuildRequires: automake 
@@ -1385,7 +1384,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -BuildRequires: tzdata-java >= 2015d +# 2022a required as of JDK-8283350 in 17.0.4 +BuildRequires: tzdata-java >= 2022a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1750,7 +1750,6 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch6 -p1 -%patch7 -p1 # Add crypto policy and FIPS support %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security @@ -1759,6 +1758,27 @@ popd # openjdk %patch600 +# The OpenJDK version file includes the current +# upstream version information. For some reason, +# configure does not automatically use the +# default pre-version supplied there (despite +# what the file claims), so we pass it manually +# to configure +VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf +if [ -f ${VERSION_FILE} ] ; then + UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) +else + echo "Could not find OpenJDK version file."; + exit 16 +fi +if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then + echo "WARNING: Designator mismatch"; + echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" + echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; + # Don't fail at present as upstream are not maintaining the value correctly + #exit 17 +fi + # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} 
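Review bot: In the designator check added to `%prep`, `${VERSION_FILE}` is built from `$(pwd)` and then used unquoted in both the `-f` test and the `grep`; quote it as `if [ -f "${VERSION_FILE}" ] ; then` and `grep '^DEFAULT_PROMOTED_VERSION_PRE' "${VERSION_FILE}"`. With `exit 17` commented out, a mismatch is reported only by three `echo` lines on stdout, while the later `buildjdk` hunk passes `%{ea_designator}` to `--with-version-pre`, so the build is labelled from the spec value regardless of what upstream declares. Sending the warning to stderr (`echo "WARNING: Designator mismatch" >&2`) makes it easier to find in the build log until the check can be made fatal again.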
@@ -1855,31 +1875,13 @@ function buildjdk() { local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} - # The OpenJDK version file includes the current - # upstream version information. For some reason, - # configure does not automatically use the - # default pre-version supplied there (despite - # what the file claims), so we pass it manually - # to configure - VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf - if [ -f ${VERSION_FILE} ] ; then - EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) - else - echo "Could not find OpenJDK version file."; - exit 16 - fi - if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then - echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; - exit 17 - fi - echo "Using output directory: ${outputdir}"; echo "Checking build JDK ${buildjdk} is operational..." ${buildjdk}/bin/java -version echo "Using make targets: ${maketargets}" echo "Using debuglevel: ${debuglevel}" echo "Using link_opt: ${link_opt}" - echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}" + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" mkdir -p ${outputdir} pushd ${outputdir} @@ -1892,7 +1894,7 @@ function buildjdk() { --with-jobs=1 \ %endif --with-version-build=%{buildver} \ - --with-version-pre="${EA_DESIGNATOR}" \ + --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ --with-vendor-version-string="%{vendor_version_string}" \ --with-vendor-name="Red Hat, Inc." \ @@ -2120,6 +2122,9 @@ for suffix in %{build_loop} ; do # Check debug symbols were built into the dynamic libraries debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} + # Print release information + cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release + # build cycles done # end of release / debug cycle loop 
@@ -2547,6 +2552,18 @@ cjc.mainProgram(args) %endif %changelog +* Mon Jul 11 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea +- Update to jdk-17.0.4.0+1 +- Update release notes to 17.0.4.0+1 +- Switch to EA mode for 17.0.4 pre-release builds. +- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231 +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Move EA designator check to prep so failures can be caught earlier +- Make EA designator check non-fatal while upstream is not maintaining it + * Thu Jul 07 2022 Andrew Hughes - 1:17.0.3.0.7-7 - Fix whitespace in spec file diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch deleted file mode 100644 index 3efe993..0000000 --- a/jdk8282004-x86_32-missing_call_effects.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad -index a31a38a384f..6138ca5281f 100644 ---- a/src/hotspot/cpu/x86/x86_32.ad -+++ b/src/hotspot/cpu/x86/x86_32.ad -@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{ - %} - - // Divide Register Long --instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{ -+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{ - match(Set dst (DivL src1 src2)); -- effect( KILL cr, KILL cx, KILL bx ); -+ effect(CALL); - ins_cost(10000); - format %{ "PUSH $src1.hi\n\t" - "PUSH $src1.lo\n\t" -@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{ - %} - - // Remainder Register Long --instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{ -+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{ - match(Set dst (ModL src1 src2)); -- effect( KILL cr, KILL cx, KILL bx ); -+ effect(CALL); - ins_cost(10000); - format %{ "PUSH $src1.hi\n\t" - "PUSH $src1.lo\n\t" diff --git a/openjdk_news.sh b/openjdk_news.sh new file mode 100755 index 0000000..560b356 --- /dev/null +++ b/openjdk_news.sh 
@@ -0,0 +1,76 @@ +#!/bin/bash + +# Copyright (C) 2022 Red Hat, Inc. +# Written by Andrew John Hughes , 2012-2022 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +OLD_RELEASE=$1 +NEW_RELEASE=$2 +SUBDIR=$3 +REPO=$4 +SCRIPT_DIR=$(dirname ${0}) + +if test "x${SUBDIR}" = "x"; then + echo "No subdirectory specified; using ."; + SUBDIR="."; +fi + +if test "x$REPO" = "x"; then + echo "No repository specified; using ${PWD}" + REPO=${PWD} +fi + +if test x${TMPDIR} = x; then + TMPDIR=/tmp; +fi + +echo "Repository: ${REPO}" + +if [ -e ${REPO}/.git ] ; then + TYPE=git; +elif [ -e ${REPO}/.hg ] ; then + TYPE=hg; +else + echo "No Mercurial or Git repository detected."; + exit 1; +fi + +if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then + echo "ERROR: Need to specify old and new release"; + exit 2; +fi + +echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO" +rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes +for repos in . 
$(${SCRIPT_DIR}/discover_trees.sh ${REPO}); +do + if test "x$TYPE" = "xhg"; then + hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ + egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \ + sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2; + hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ + egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3; + else + git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \ + sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2; + touch ${TMPDIR}/fixes3 ; # unused + fi +done + +sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes +rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 + +echo "In ${TMPDIR}/fixes:" +cat ${TMPDIR}/fixes diff --git a/sources b/sources index e4816a7..ded0ae9 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567 +SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1 From b88e34f02e7b229b3bc02ef74b7a8ffccd73d8f1 Mon Sep 17 00:00:00 2001 
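Review bot: The script writes its intermediate and result files to fixed names (`fixes2`, `fixes3`, `fixes`) under `${TMPDIR}`, which defaults to `/tmp`, after an `rm -f`. In a shared temporary directory those predictable names can be pre-created by another local user (including as links to other files) before the first `>>`, and two concurrent runs overwrite each other's output. Creating a private directory with `mktemp -d` and writing inside it avoids both problems. Separately, `test x${TMPDIR} = x`, `dirname ${0}`, `${REPO}` and `${SUBDIR}` are expanded unquoted throughout, and `egrep` is deprecated in favour of `grep -E`.

```shell
# Private scratch directory instead of fixed file names in a shared ${TMPDIR}
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/openjdk_news.XXXXXX") || exit 3
trap 'rm -f -- "${WORKDIR}/fixes2" "${WORKDIR}/fixes3"' EXIT

# … unchanged: repository detection, argument check and the hg/git log loop, with each ${TMPDIR}/fixesN target written as "${WORKDIR}/fixesN" …

sort "${WORKDIR}/fixes2" "${WORKDIR}/fixes3" | uniq > "${WORKDIR}/fixes"

echo "In ${WORKDIR}/fixes:"
cat "${WORKDIR}/fixes"
```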
From: Andrew Hughes Date: Sat, 9 Jul 2022 02:02:43 +0100 Subject: [PATCH 36/61] Make use of the vendor version string to store our version & release rather than an upstream release date Include a test in the RPM to check the build has the correct vendor information. Fix issue where CheckVendor.java test erroneously passes when it should fail. Add proper quoting so '&' is not treated as a special character by the shell. --- CheckVendor.java | 65 ++++++++++++++++++++++++++++++++++++++++ java-17-openjdk.spec | 71 +++++++++++++++++++++++++++----------------- 2 files changed, 109 insertions(+), 27 deletions(-) create mode 100644 CheckVendor.java diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..29b296b --- /dev/null +++ b/CheckVendor.java 
@@ -0,0 +1,65 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 4) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + String vendorVersionString = System.getProperty("java.vendor.version"); + String expectedVendorVersionString = args[3]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL %s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + if (!expectedVendorVersionString.equals(vendorVersionString)) { + System.err.printf("Invalid vendor version string %s, expected %s\n", + vendorVersionString, 
expectedVendorVersionString); + System.exit(5); + } + + System.err.printf("Vendor information verified as %s, %s, %s, %s\n", + vendor, vendorURL, vendorBugURL, vendorVersionString); + } +} diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 22fe90f..657f19c 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -311,10 +311,6 @@ %global interimver 0 %global updatever 4 %global patchver 0 -# If you bump featurever, you must also bump vendor_version_string -# Used via new version scheme. JDK 17 was -# GA'ed in September 2021 => 21.9 -%global vendor_version_string 21.9 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place @@ -329,6 +325,27 @@ %global lts_designator_zip "" %endif +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{release}) + # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches 
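Review bot: The Javadoc on `CheckVendor` contains only `@test`, yet the spec file runs this class as a build check and depends on its exit status. I would document the contract on the class, e.g. `/** Compares java.vendor, java.vendor.url, java.vendor.url.bug and java.vendor.version with args[0..3]; exits 1 on bad usage and 2-5 for the first property that differs. */`. The final "Vendor information verified" line is a success message but goes to `System.err`; `System.out.printf` would keep stderr for the failure cases.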
@@ -340,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -381,23 +398,6 @@ %global eaprefix 0. %endif -# Define what url should JVM offer in case of a crash report -# order may be important, epel may have rhel declared -%if 0%{?epel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} -%else -%if 0%{?fedora} -# Does not work for rawhide, keeps the version field empty -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} -%else -%if 0%{?rhel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} -%else -%global bugs https://bugzilla.redhat.com/enter_bug.cgi -%endif -%endif -%endif - # parametrized macros are order-sensitive %global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} @@ -1294,6 +1294,9 @@ Source14: TestECDSA.java # Verify system crypto (policy) can be disabled via a property Source15: TestSecurityProperties.java +# Ensure vendor settings are correct +Source16: CheckVendor.java + # nss fips configuration file Source17: nss.fips.cfg.in @@ -1703,6 +1706,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv %prep +echo "Preparing %{oj_vendor_version}" + # Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( %if 0%{?stapinstall:1} echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" 
@@ -1896,11 +1901,11 @@ function buildjdk() { --with-version-build=%{buildver} \ --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ - --with-vendor-version-string="%{vendor_version_string}" \ - --with-vendor-name="Red Hat, Inc." \ - --with-vendor-url="https://www.redhat.com/" \ - --with-vendor-bug-url="%{bugs}" \ - --with-vendor-vm-bug-url="%{bugs}" \ + --with-vendor-version-string="%{oj_vendor_version}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ @@ -2285,6 +2290,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} @@ -2552,6 +2561,14 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.2.ea +- Make use of the vendor version string to store our version & release rather than an upstream release date +- Include a test in the RPM to check the build has the correct vendor information. + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. + * Mon Jul 11 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea - Update to jdk-17.0.4.0+1 - Update release notes to 17.0.4.0+1 
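Review bot: In the vendor check, `$JAVA_HOME` is unquoted on both new lines and the class name is derived through a nested `$(echo $(basename %{SOURCE16})|sed "s|\.java||")`, whose unquoted result is word-split again. `basename` strips the suffix itself, so the second line can read `"$JAVA_HOME"/bin/java -cp . "$(basename %{SOURCE16} .java)" "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"`. The explicit `-cp .` matches the `-d .` given to `javac` and stops an inherited `CLASSPATH` from hiding the freshly compiled class. If the neighbouring checks in this section, which starts outside the hunk, use the same `echo`/`sed` idiom, changing them together would keep the file consistent.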
From 3a89c445abf482c0bd02c00252d30ddb43f9d1aa Mon Sep 17 00:00:00 2001 From: "FeRD (Frank Dana)" Date: Wed, 8 Jun 2022 14:03:04 -0400 Subject: [PATCH 37/61] Add additional javadoc & javadoczip alternatives Create additional alternatives linked from the javadocdir, named: * java-%{origin} / java-%{origin}.zip * java-%{javaver} / java-%{javaver}.zip * java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip --- java-17-openjdk.spec | 49 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 7 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 657f19c..4e33514 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -357,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 2 +%global rpmrelease 3 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -743,10 +743,19 @@ PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi + for X in %{origin} %{javaver} ; do + key=javadocdir_"$X" + alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + done -key=javadocdir -alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} -%{set_if_needed_alternatives $key %{family_noarch}} + key=javadocdir_%{javaver}_%{origin} + alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + + key=javadocdir + alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} exit 0 } @@ -756,6 +765,9 @@ if [ "x$debug" == "xtrue" ] ; then fi post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} + %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } 
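Review bot: The alternatives registered by the new `for X in %{origin} %{javaver}` loop in the hunk at -743 and the ones removed by the explicit `save_and_remove_alternatives` lines in the hunk at -756 are maintained as two separate lists, so a key added to one and not the other leaves a stale alternative behind after uninstall. A comment above the loop such as `# keys created here must match the save_and_remove_alternatives calls in the matching postun scriptlet` would make that coupling visible; the javadoczip hunks at -767 and -779 have the same pairing. `$key` and `$PRIORITY` are also passed unquoted to `alternatives --install`, and quoting them (`"$key"`, `"$PRIORITY"`) costs nothing. Both scriptlets begin outside these hunks.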
@@ -767,9 +779,20 @@ PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -key=javadoczip -alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} -%{set_if_needed_alternatives $key %{family_noarch}} + for X in %{origin} %{javaver} ; do + key=javadoczip_"$X" + alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + done + + key=javadoczip_%{javaver}_%{origin} + alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} + + # Weird legacy filename for backwards-compatibility + key=javadoczip + alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} + %{set_if_needed_alternatives $key %{family_noarch}} exit 0 } @@ -779,6 +802,9 @@ exit 0 fi post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} + %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } 
@@ -1056,6 +1082,9 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java +%ghost %{_javadocdir}/java-%{origin} +%ghost %{_javadocdir}/java-%{javaver} +%ghost %{_javadocdir}/java-%{javaver}-%{origin} %endif %endif } @@ -1066,6 +1095,9 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java-zip +%ghost %{_javadocdir}/java-%{origin}.zip +%ghost %{_javadocdir}/java-%{javaver}.zip +%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip %endif %endif } @@ -2561,6 +2593,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jul 14 2022 FeRD (Frank Dana) - 1:17.0.4.0.1-0.3.ea +- Add javaver- and origin-specific javadoc and javadoczip alternatives. + * Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.2.ea - Make use of the vendor version string to store our version & release rather than an upstream release date - Include a test in the RPM to check the build has the correct vendor information. From 73fbfeeb34244ac9e1b105d6dea094c1f4d7f1cb Mon Sep 17 00:00:00 2001 From: Jiri Date: Wed, 13 Jul 2022 20:07:30 +0200 Subject: [PATCH 38/61] Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs --- java-17-openjdk.spec | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 4e33514..2f04873 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -357,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 3 +%global rpmrelease 4 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -2178,6 +2178,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} + +pushd ${jdk_image} +%ifarch %{ix86} + for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do + echo "deprecating $file" + echo '#!/bin/bash' > $file + echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file + echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file + echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file + echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file + echo 'exit 1' >> $file + done +%endif +popd + cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} pushd ${jdk_image} @@ -2282,7 +2297,9 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6 done %check - +%ifarch %{ix86} + exit 0 +%endif # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do @@ -2593,6 +2610,10 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jul 14 2022 Jiri Vanek - 1:17.0.4.0.1-0.4.ea +- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture: +- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs + * Thu Jul 14 2022 FeRD (Frank Dana) - 1:17.0.4.0.1-0.3.ea - Add javaver- and origin-specific javadoc and javadoczip alternatives. From 0cff01bd2387e69bf4f5090b6eb16e7452033da6 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Sat, 9 Jul 2022 01:10:32 +0100 Subject: [PATCH 39/61] Explicitly require crypto-policies during build and runtime for system security properties --- java-17-openjdk.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 2f04873..7e28951 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
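Review bot: The stub loop added in the hunk at -2178 iterates over `$(find $(pwd) | grep -e "/bin/" -e "\.so$")`, which word-splits paths, can select directories and symlinks as well as regular files, and matches `/bin/` anywhere in the absolute path, so a build directory that itself sits below a `bin` directory would have every file in the image overwritten. The `> $file` redirections are unquoted too and write through symlinks. I would let find do the selection relative to the image root, restrict it to regular files and read the results NUL-delimited, as below. This needs bash as the scriptlet shell for `read -d ''`. The install loop this sits in starts outside the hunk.

```spec
pushd ${jdk_image}
%ifarch %{ix86}
  find . -type f \( -path '*/bin/*' -o -name '*.so' \) -print0 |
  while IFS= read -r -d '' file ; do
    echo "deprecating $file"
    {
      echo '#!/bin/bash'
      # … unchanged: the four echo lines with the deprecation message and links …
      echo 'exit 1'
    } > "$file"
  done
%endif
```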
@@ -357,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 4 +%global rpmrelease 5 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1152,6 +1152,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for system security properties +Requires: crypto-policies # for FIPS PKCS11 provider Requires: nss # Post requires alternatives to install tool alternatives @@ -1410,6 +1412,8 @@ BuildRequires: libXt-devel BuildRequires: libXtst-devel # Requirement for setting up nss.cfg and nss.fips.cfg BuildRequires: nss-devel +# Requirement for system security property test +BuildRequires: crypto-policies BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -2610,6 +2614,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.5.ea +- Explicitly require crypto-policies during build and runtime for system security properties + * Thu Jul 14 2022 Jiri Vanek - 1:17.0.4.0.1-0.4.ea - Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture: - https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs From c43163d44566d2264fdf69f2d197627b6ce4ed9e Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Sat, 16 Jul 2022 20:03:04 +0100 Subject: [PATCH 40/61] Update to jdk-17.0.3.0+7 Update release notes to 17.0.3.0+7 Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable Need to include the '.S' suffix in debuginfo checks after JDK-8284661 --- .gitignore | 1 + NEWS | 52 ++++++++++++++++++++++++++++++++++++++++++++ java-17-openjdk.spec | 17 +++++++++++---- sources | 2 +- 4 files changed, 67 insertions(+), 5 deletions(-) 
diff --git a/.gitignore b/.gitignore index eaa1e0c..0987d85 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ /openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz /openjdk-jdk17u-jdk-17.0.3+7.tar.xz /openjdk-jdk17u-jdk-17.0.4+1.tar.xz +/openjdk-jdk17u-jdk-17.0.4+7.tar.xz diff --git a/NEWS b/NEWS index 5d91d43..797c2d2 100644 --- a/NEWS +++ b/NEWS @@ -10,8 +10,14 @@ Live versions of these release notes can be found at: * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt * Other changes + - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn + - JDK-8181571: printing to CUPS fails on mac sandbox app - JDK-8193682: Infinite loop in ZipOutputStream.close() + - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use + - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test - JDK-8214733: runtime/8176717/TestInheritFD.java timed out + - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel + - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR - JDK-8255266: Update Public Suffix List to 3c213aa 
@@ -26,6 +32,7 @@ Live versions of these release notes can be found at: - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout + - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs @@ -60,6 +67,7 @@ Live versions of these release notes can be found at: - JDK-8274233: Minor cleanup for ToolBox - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines + - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image - JDK-8274751: Drag And Drop hangs on Windows - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed @@ -125,6 +133,7 @@ Live versions of these release notes can be found at: - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS + - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor - JDK-8280600: C2: assert(!had_error) failed: bad dominance - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device. - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination 
@@ -150,8 +159,10 @@ Live versions of these release notes can be found at: - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling + - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1 + - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads - JDK-8282225: GHA: Allow one concurrent run per PR only - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers @@ -160,6 +171,7 @@ Live versions of these release notes can be found at: - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 - JDK-8282345: handle latest VS2022 in abstract_vm_version - JDK-8282382: Report glibc malloc tunables in error reports + - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale - JDK-8282444: Module finder incorrectly assumes default file system path-separator character - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4 - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output 
@@ -170,31 +182,71 @@ Live versions of these release notes can be found at: - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig() - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows + - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value - JDK-8283017: GHA: Workflows break with update release versions - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize + - JDK-8283315: jrt-fs.jar not always deterministically built + - JDK-8283323: libharfbuzz optimization level results in extreme build times - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled - JDK-8283350: (tz) Update Timezone Data to 2022a - JDK-8283408: Fix a C2 crash when filling arrays with unsafe - JDK-8283422: Create a new test for JDK-8254790 - JDK-8283451: C2: assert(_base == Long) failed: Not a Long + - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info - JDK-8283641: Large value for CompileThresholdScaling causes assert - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate + - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c + - JDK-8284094: Memory leak in invoker_completeInvokeRequest() - JDK-8284369: 
TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + - JDK-8284437: Building from different users/workspace is not always deterministic - JDK-8284458: CodeHeapState::aggregate() leaks blob_name - JDK-8284507: GHA: Only check test results if testing was not skipped + - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler + - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2 + - JDK-8284620: CodeBuffer may leak _overflow_arena - JDK-8284622: Update versions of some Github Actions used in JDK workflow + - JDK-8284661: Reproducible assembly builds without relative linking + - JDK-8284754: print more interesting env variables in hs_err and VM.info + - JDK-8284758: [linux] improve print_container_info + - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping - JDK-8284866: Add test to JDK-8273056 - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java + - JDK-8284992: Fix misleading Vector API doc for LSHR operator - JDK-8285342: Zero build failure with clang due to values not handled in switch + - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id() + - JDK-8285397: JNI exception pending in CUPSfuncs.c:250 - JDK-8285445: cannot open file "NUL:" + - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 + - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java + - JDK-8285686: Update FreeType to 2.12.0 + - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head + - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head + - JDK-8285728: Alpine Linux build fails with busybox tar + - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols + - JDK-8285921: 
serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine + - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService + - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java + - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc + - JDK-8286198: [linux] Fix process-memory information + - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources + - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause + - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups + - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk + - JDK-8286855: javac error on invalid jar should only print filename + - JDK-8287109: Distrust.java failed with CertificateExpiredException + - JDK-8287119: Add Distrust.java to ProblemList + - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions + - JDK-8287336: GHA: Workflows break on patch versions + - JDK-8287362: FieldAccessWatch testcase failed on AIX platform + - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows Notes on individual issues: =========================== diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 7e28951..a8e4bc1 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -356,8 +356,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 1 -%global rpmrelease 5 +%global buildver 7 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -474,6 +474,9 @@ %global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif +# x86 is no longer supported +ExcludeArch: %{ix86} + # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : @@ -2046,9 +2049,9 @@ function debugcheckjdk() { IFS=$'\n' for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") do - # We expect to see .cpp files, except for architectures like aarch64 and + # We expect to see .cpp and .S files, except for architectures like aarch64 and # s390 where we expect .o and .oS files - echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" done IFS="$old_IFS" @@ -2614,6 +2617,12 @@ cjc.mainProgram(args) %endif %changelog +* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea +- Update to jdk-17.0.3.0+7 +- Update release notes to 17.0.3.0+7 +- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable +- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 + * Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.5.ea - Explicitly require crypto-policies during build and runtime for system security properties diff --git a/sources b/sources index ded0ae9..865c6f2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1 +SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419 
From e47cdf807e496454ba26a188e8df7ae986931ecf Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 19 Jul 2022 01:18:30 +0100 Subject: [PATCH 41/61] Try to build on x86 again by creating a husk of a JDK which does not depend on itself --- java-17-openjdk.spec | 106 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 86 insertions(+), 20 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index a8e4bc1..a4d8b5c 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -357,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -474,9 +474,6 @@ %global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif -# x86 is no longer supported -ExcludeArch: %{ix86} - # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : @@ -811,14 +808,20 @@ exit 0 exit 0 } +%ifarch %{ix86} +%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh} +%else %define files_jre() %{expand: %{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so } +%endif - +%ifarch %{ix86} +%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh} +%else %define files_jre_headless() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS 
@@ -953,7 +956,11 @@ exit 0 %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved } +%endif +%ifarch %{ix86} +%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh} +%else %define files_devel() %{expand: %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar @@ -1056,29 +1063,49 @@ exit 0 %endif %endif } +%endif +%ifarch %{ix86} +%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh} +%else %define files_jmods() %{expand: %{_jvmdir}/%{sdkdir -- %{?1}}/jmods } +%endif +%ifarch %{ix86} +%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh} +%else %define files_demo() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %{_jvmdir}/%{sdkdir -- %{?1}}/demo %{_jvmdir}/%{sdkdir -- %{?1}}/sample } +%endif +%ifarch %{ix86} +%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh} +%else %define files_src() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip } +%endif +%ifarch %{ix86} +%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh} +%else %define files_static_libs() %{expand: %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir} %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a } +%endif +%ifarch %{ix86} +%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh} +%else %define files_javadoc() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal 
@@ -1091,7 +1118,11 @@ exit 0 %endif %endif } +%endif +%ifarch %{ix86} +%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh} +%else %define files_javadoc_zip() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal @@ -1104,6 +1135,7 @@ exit 0 %endif %endif } +%endif # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: @@ -1421,7 +1453,9 @@ BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem +%ifnarch %{ix86} BuildRequires: java-%{buildjdkver}-openjdk-devel +%endif # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel @@ -1877,6 +1911,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg %build +# x86 is deprecated +%ifarch %{ix86} + exit 0 +%endif + # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} 
@@ -2186,20 +2225,34 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} -pushd ${jdk_image} %ifarch %{ix86} - for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do - echo "deprecating $file" - echo '#!/bin/bash' > $file - echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file - echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file - echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file - echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file - echo 'exit 1' >> $file - done -%endif -popd + mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}} + file=/tmp/gonejdk.$$ + echo "OpenJDK on x86 is now deprecated" + echo '#!/bin/bash' > $file + echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file + echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file + echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file + echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file + echo 'exit 1' >> $file + + for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do + cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh + done + + # Docs were only in the normal build + if ! echo $suffix | grep -q "debug" ; then + for pkgsuffix in javadoc javadoc_zip ; do + cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh + done + fi + + rm -f ${file} + +%else + +# Install the jdk cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} pushd ${jdk_image} 
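Review bot: `file=/tmp/gonejdk.$$` in the ix86 branch of the hunk at -2186 is a predictable name in a world-writable directory, so on a shared build host another local user can pre-create that path, for instance as a symlink, and influence what the build writes to or what ends up in the packaged `gone-*.sh` stubs. Creating it with `file=$(mktemp)` removes the race, as would writing the first stub straight into `$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}` and copying from there. The stub is created by plain redirection and copied with `cp -a`, so the installed scripts presumably lack the execute bit unless something outside this hunk sets it; that is worth confirming. The install loop this sits in begins outside the hunk.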
@@ -2300,16 +2353,24 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7 find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; +%endif + # end, dual install done %check -%ifarch %{ix86} - exit 0 -%endif + # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do +%ifarch %{ix86} + + # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go + echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list + cat debugsourcefiles.list + +%else + # Tests in the check stage are performed on the installed image # rpmbuild operates as follows: build -> install -> test export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} @@ -2370,6 +2431,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable +%endif + # build cycles check done @@ -2617,6 +2680,9 @@ cjc.mainProgram(args) %endif %changelog +* Tue Jul 19 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea +- Try to build on x86 again by creating a husk of a JDK which does not depend on itself + * Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea - Update to jdk-17.0.3.0+7 - Update release notes to 17.0.3.0+7 From 87a3e38c1ab30ea4a44a54198817793e470cd99b Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 21 Jul 2022 15:05:49 +0000 Subject: [PATCH 42/61] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- java-17-openjdk.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index a4d8b5c..6e57c24 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -1298,7 +1298,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -2680,6 +2680,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jul 21 2022 Fedora Release Engineering - 1:17.0.4.0.7-0.2.ea.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Tue Jul 19 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea - Try to build on x86 again by creating a husk of a JDK which does not depend on itself From 814266f96991bd7727bf42c90e541250497deb2d Mon Sep 17 00:00:00 2001 From: Jiri Date: Fri, 22 Jul 2022 12:52:20 +0200 Subject: [PATCH 43/61] moved to build only on %%{java_arches} -- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs - reverted : -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release) -- Try to build on x86 again by creating a husk of a JDK which does not depend on itself -- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable -- Replaced binaries and .so files with bash-stubs on i686 - added ExclusiveArch: %%{java_arches} -- this now excludes i686 -- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included) - https://bugzilla.redhat.com/show_bug.cgi?id=2104128 --- java-17-openjdk.spec | 105 ++++++++----------------------------------- 1 file changed, 19 insertions(+), 86 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 6e57c24..5a441bb 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec 
@@ -357,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 2 +%global rpmrelease 3 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -474,6 +474,9 @@ %global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif +# x86 is no longer supported +ExclusiveArch: %{java_arches} + # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : @@ -808,20 +811,14 @@ exit 0 exit 0 } -%ifarch %{ix86} -%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh} -%else %define files_jre() %{expand: %{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so } -%endif -%ifarch %{ix86} -%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh} -%else + %define files_jre_headless() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS @@ -956,11 +953,7 @@ exit 0 %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved } -%endif -%ifarch %{ix86} -%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh} -%else %define files_devel() %{expand: %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar 
@@ -1063,49 +1056,29 @@ exit 0 %endif %endif } -%endif -%ifarch %{ix86} -%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh} -%else %define files_jmods() %{expand: %{_jvmdir}/%{sdkdir -- %{?1}}/jmods } -%endif -%ifarch %{ix86} -%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh} -%else %define files_demo() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %{_jvmdir}/%{sdkdir -- %{?1}}/demo %{_jvmdir}/%{sdkdir -- %{?1}}/sample } -%endif -%ifarch %{ix86} -%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh} -%else %define files_src() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip } -%endif -%ifarch %{ix86} -%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh} -%else %define files_static_libs() %{expand: %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir} %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a } -%endif -%ifarch %{ix86} -%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh} -%else %define files_javadoc() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal @@ -1118,11 +1091,7 @@ exit 0 %endif %endif } -%endif -%ifarch %{ix86} -%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh} -%else %define files_javadoc_zip() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal @@ -1135,7 +1104,6 @@ exit 0 %endif %endif } -%endif # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: 
@@ -1298,7 +1266,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} -Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1 +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1453,9 +1421,7 @@ BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem -%ifnarch %{ix86} BuildRequires: java-%{buildjdkver}-openjdk-devel -%endif # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel @@ -1911,11 +1877,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg %build -# x86 is deprecated -%ifarch %{ix86} - exit 0 -%endif - # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} 
@@ -2224,35 +2185,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} - -%ifarch %{ix86} - mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}} - - file=/tmp/gonejdk.$$ - echo "OpenJDK on x86 is now deprecated" - echo '#!/bin/bash' > $file - echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file - echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file - echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file - echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file - echo 'exit 1' >> $file - - for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do - cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh - done - - # Docs were only in the normal build - if ! echo $suffix | grep -q "debug" ; then - for pkgsuffix in javadoc javadoc_zip ; do - cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh - done - fi - - rm -f ${file} - -%else - -# Install the jdk cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} pushd ${jdk_image} @@ -2353,8 +2285,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7 find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; -%endif - # end, dual install done 
@@ -2363,14 +2293,6 @@ done # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -%ifarch %{ix86} - - # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go - echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list - cat debugsourcefiles.list - -%else - # Tests in the check stage are performed on the installed image # rpmbuild operates as follows: build -> install -> test export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} @@ -2431,8 +2353,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable -%endif - # build cycles check done @@ -2680,6 +2600,19 @@ cjc.mainProgram(args) %endif %changelog +* Fri Jul 22 2022 Jiri Vanek - 1:17.0.4.0.7-0.3.ea +- moved to build only on %%{java_arches} +-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs +- reverted : +-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release) +-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself +-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable +-- Replaced binaries and .so files with bash-stubs on i686 +- added ExclusiveArch: %%{java_arches} +-- this now excludes i686 +-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included) +- https://bugzilla.redhat.com/show_bug.cgi?id=2104128 + * Thu Jul 21 2022 Fedora Release Engineering - 1:17.0.4.0.7-0.2.ea.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From b540c519002b754f5a5b9a252d6173af17af9549 Mon Sep 17 00:00:00 2001 
From: Andrew Hughes Date: Fri, 22 Jul 2022 16:23:05 +0100 Subject: [PATCH 44/61] Update to jdk-17.0.3.0+8 Update release notes to 17.0.3.0+8 Switch to GA mode for release Exclude x86 where java_arches is undefined, in order to unbreak build --- .gitignore | 1 + NEWS | 11 ++++++++++- java-17-openjdk.spec | 16 +++++++++++++--- sources | 2 +- 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 0987d85..9aef5aa 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ /openjdk-jdk17u-jdk-17.0.3+7.tar.xz /openjdk-jdk17u-jdk-17.0.4+1.tar.xz /openjdk-jdk17u-jdk-17.0.4+7.tar.xz +/openjdk-jdk17u-jdk-17.0.4+8.tar.xz diff --git a/NEWS b/NEWS index 797c2d2..0a1d468 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,16 @@ Live versions of these release notes can be found at: * https://bitly.com/openjdk1704 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt +* Security fixes + - JDK-8272243: Improve DER parsing + - JDK-8272249: Better properties of loaded Properties + - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions + - JDK-8277608: Address IP Addressing + - JDK-8281859, CVE-2022-21540: Improve class compilation + - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations + - JDK-8283190: Improve MIDI processing + - JDK-8284370: Improve zlib usage + - JDK-8285407, CVE-2022-34169: Improve Xalan supports * Other changes - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn - JDK-8181571: printing to CUPS fails on mac sandbox app 
@@ -57,7 +67,6 @@ Live versions of these release notes can be found at: - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted - - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME" - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 5a441bb..b44225e 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -356,8 +356,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 7 -%global rpmrelease 3 +%global buildver 8 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -383,7 +383,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global build_type GA %global ea_designator "" @@ -475,7 +475,11 @@ %endif # x86 is no longer supported +%if 0%{?java_arches:1} ExclusiveArch: %{java_arches} +%else +ExcludeArch: %{ix86} +%endif # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : 
@@ -2600,6 +2604,12 @@ cjc.mainProgram(args) %endif %changelog +* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-1 +- Update to jdk-17.0.3.0+8 +- Update release notes to 17.0.3.0+8 +- Switch to GA mode for release +- Exclude x86 where java_arches is undefined, in order to unbreak build + * Fri Jul 22 2022 Jiri Vanek - 1:17.0.4.0.7-0.3.ea - moved to build only on %%{java_arches} -- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs diff --git a/sources b/sources index 865c6f2..765b22b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419 +SHA512 (openjdk-jdk17u-jdk-17.0.4+8.tar.xz) = 9b6bac353899501e5645cac0234455d5777d6d7c7f0ef5ca2487770be5953a7af578c735aece1b64d2a59cc9e93d735ecb3a4d693ef97ca4ca84595bdb0c8deb From ddd9b60d6ebc3f166a7e8768d0cf6af2076fb5ea Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Mon, 15 Aug 2022 02:09:20 +0100 Subject: [PATCH 45/61] Update FIPS support to bring in latest changes * RH2104724: Avoid import/export of DH private keys * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode * Build the systemconf library on all platforms --- ...a23d0a.patch => fips-17u-bb46af07cb9.patch | 706 +++++++----------- java-17-openjdk.spec | 13 +- 2 files changed, 276 insertions(+), 443 deletions(-) rename fips-17u-f8142a23d0a.patch => fips-17u-bb46af07cb9.patch (94%) diff --git a/fips-17u-f8142a23d0a.patch b/fips-17u-bb46af07cb9.patch similarity index 94% rename from fips-17u-f8142a23d0a.patch rename to fips-17u-bb46af07cb9.patch index c07a4bf..8954cf1 100644 --- a/fips-17u-f8142a23d0a.patch +++ b/fips-17u-bb46af07cb9.patch 
@@ -124,10 +124,10 @@ index c2c9c4adf3a..9d105b37acf 100644 LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 5658ff342e5..cb7a56852f7 100644 +index 5658ff342e5..c8bc5bde1e1 100644 --- a/make/modules/java.base/Lib.gmk +++ b/make/modules/java.base/Lib.gmk -@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true) +@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true) endif endif 
@@ -142,255 +142,23 @@ index 5658ff342e5..cb7a56852f7 100644 + LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS +endif + -+ifeq ($(OPENJDK_BUILD_OS), linux) -+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+ )) ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) + -+ TARGETS += $(BUILD_LIBSYSTEMCONF) -+endif ++TARGETS += $(BUILD_LIBSYSTEMCONF) + ################################################################################ # Create the symbols file for static builds. -diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c -new file mode 100644 -index 00000000000..8dcb7d9073f ---- /dev/null -+++ b/src/java.base/linux/native/libsystemconf/systemconf.c -@@ -0,0 +1,224 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. 
-+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#include -+#include -+#include "jvm_md.h" -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#else -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); -+ -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} -+ -+// Only used when NSS is not linked at build time -+#ifndef SYSCONF_NSS -+ -+static void 
*nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if 
(debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? 
JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ } -+} diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -index a020e1c15d8..6d459fdec01 100644 +index a020e1c15d8..3c064965e82 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java @@ -31,6 +31,7 @@ import java.security.SecureRandom; 
@@ -1006,89 +774,10 @@ index a020e1c15d8..6d459fdec01 100644 /* * Algorithm Parameter engines -@@ -531,197 +540,199 @@ public final class SunJCE extends Provider { - psA("AlgorithmParameters", "ChaCha20-Poly1305", - "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null); +@@ -610,118 +619,120 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -- /* -- * Key factories -- */ -- psA("KeyFactory", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyFactory", -- null); -- -- /* -- * Secret-key factories -- */ -- ps("SecretKeyFactory", "DES", -- "com.sun.crypto.provider.DESKeyFactory"); -- -- psA("SecretKeyFactory", "DESede", -- "com.sun.crypto.provider.DESedeKeyFactory", null); -- -- psA("SecretKeyFactory", "PBEWithMD5AndDES", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", -- null); -- -- /* -- * Internal in-house crypto algorithm used for -- * the JCEKS keystore type. Since this was developed -- * internally, there isn't an OID corresponding to this -- * algorithm. 
-- */ -- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndDESede", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", -- null); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); -- -- ps("SecretKeyFactory", 
"PBEWithHmacSHA512AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -- - // PBKDF2 - psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", - "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", 
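Review bot: The DiffieHellman `KeyFactory` and the `SecretKeyFactory` entries from `DES` through `PBEWithHmacSHA512AndAES_256` now stay registered when `systemFipsEnabled` is set, and nothing in the patched `SunJCE.java` says this is deliberate. This hunk stops removing them from their original position, and the `@@ -1202,85 +891,6 @@` hunk drops the copies that used to sit inside `if (!systemFipsEnabled) {`. The set left outside the guard includes the DES-, RC2- and RC4-based PBE factories, so it presumably follows from the DH-key items in the commit message, but that is worth confirming with the author. I would add a comment directly above the guard, for example `// Key factories and secret-key factories above remain registered in FIPS mode; only the services inside this block are disabled.`, so that a later rebase of the FIPS patch does not widen or narrow the set by accident.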
@@ -1202,85 +891,6 @@ index a020e1c15d8..6d459fdec01 100644 - "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", - List.of("SunTls12RsaPremasterSecret"), null); + if (!systemFipsEnabled) { -+ /* -+ * Key factories -+ */ -+ psA("KeyFactory", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyFactory", -+ null); -+ -+ /* -+ * Secret-key factories -+ */ -+ ps("SecretKeyFactory", "DES", -+ "com.sun.crypto.provider.DESKeyFactory"); -+ -+ psA("SecretKeyFactory", "DESede", -+ "com.sun.crypto.provider.DESedeKeyFactory", null); -+ -+ psA("SecretKeyFactory", "PBEWithMD5AndDES", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", -+ null); -+ -+ /* -+ * Internal in-house crypto algorithm used for -+ * the JCEKS keystore type. Since this was developed -+ * internally, there isn't an OID corresponding to this -+ * algorithm. -+ */ -+ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndDESede", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", -+ null); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", -+ 
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -+ + // PBKDF2 + psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", + "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", 
@@ -2474,12 +2084,254 @@ index b22f26947af..3ee2ce6ea88 100644 permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; +diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..ddf9befe5bc +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; 
++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT 
void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java new file mode 100644 -index 00000000000..9bb31555f48 +index 00000000000..8cfa2734d4e --- /dev/null 
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,490 @@ +@@ -0,0 +1,461 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -2520,7 +2372,6 @@ index 00000000000..9bb31555f48 +import javax.crypto.Cipher; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.SecretKeySpec; -+import javax.crypto.spec.DHPrivateKeySpec; +import javax.crypto.spec.IvParameterSpec; + +import sun.security.jca.JCAUtil; @@ -2676,34 +2527,6 @@ index 00000000000..9bb31555f48 + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } + } else { + if (debug != null) { + debug.println("Unrecognized private key type."); @@ -2971,7 +2794,7 @@ index 00000000000..9bb31555f48 + } +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 9b69072280e..b403e6d3c6d 100644 +index 9b69072280e..babf19d7157 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java 
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -2993,17 +2816,18 @@ index 9b69072280e..b403e6d3c6d 100644 private static final long serialVersionUID = -2575874101938349339L; private static final String PUBLIC = "public"; -@@ -379,7 +384,8 @@ abstract class P11Key implements Key, Length { +@@ -379,7 +384,9 @@ abstract class P11Key implements Key, Length { new CK_ATTRIBUTE(CKA_SENSITIVE), new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); - if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { -+ if (!plainKeySupportEnabled && (attributes[1].getBoolean() || ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ if (!exportable && (attributes[1].getBoolean() || + (attributes[2].getBoolean() == false))) { return new P11PrivateKey (session, keyID, algorithm, keyLength, attributes); } else { -@@ -461,7 +467,8 @@ abstract class P11Key implements Key, Length { +@@ -461,7 +468,8 @@ abstract class P11Key implements Key, Length { } public String getFormat() { token.ensureValid(); diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index b44225e..082fe91 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -349,7 +349,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver f8142a23d0a +%global fipsver bb46af07cb9 # Standard JPackage naming and versioning defines %global origin openjdk @@ -357,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -1384,6 +1384,9 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
 # RH2094027: SunEC runtime permission for FIPS
 # RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
 # RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
 Patch1001: fips-17u-%{fipsver}.patch
 #############################################
@@ -2604,6 +2607,12 @@ cjc.mainProgram(args)
 %endif
 %changelog
+* Mon Aug 15 2022 Andrew Hughes - 1:17.0.4.0.8-2
+- Update FIPS support to bring in latest changes
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+
 * Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-1
 - Update to jdk-17.0.3.0+8
 - Update release notes to 17.0.3.0+8
From 5dd4fd8561efbcb9c8ce6d67b0c4c8df8dc5c5b3 Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Sun, 21 Aug 2022 04:04:02 +0100
Subject: [PATCH 46/61] Update to jdk-17.0.4.1+1 Update release notes to 17.0.4.1+1 Add patch to provide translations for Europe/Kyiv added in tzdata2022b Add test to ensure timezones can be translated
---
 .gitignore | 1 +
 NEWS | 20 +++++
 TestSecurityProperties.java | 17 ++++
 TestTranslations.java | 35 ++++++++
 java-17-openjdk.spec | 30 +++++--
 jdk8292223-tzdata2022b-kyiv.patch | 132 ++++++++++++++++++++++++++++++
 sources | 2 +-
 7 files changed, 231 insertions(+), 6 deletions(-)
 create mode 100644 TestTranslations.java
 create mode 100644 jdk8292223-tzdata2022b-kyiv.patch
diff --git a/.gitignore b/.gitignore
index 9aef5aa..5df29a7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@
 /openjdk-jdk17u-jdk-17.0.4+1.tar.xz
 /openjdk-jdk17u-jdk-17.0.4+7.tar.xz
 /openjdk-jdk17u-jdk-17.0.4+8.tar.xz
+/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
diff --git a/NEWS b/NEWS
index 0a1d468..ed5ebeb 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,26 @@ Key:
 JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.4.1 (2022-08-16):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk17041
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.1.txt
+
+* Other changes
+ - JDK-8292258: Bump update version for OpenJDK: jdk-17.0.4.1
+ - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large
+
+Notes on individual issues:
+===========================
+
+hotspot/compiler:
+
+JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM
+============================================================
+Fixes a regression in the C2 JIT compiler which caused the Java
+Runtime to crash unpredictably.
+
 New in release OpenJDK 17.0.4 (2022-07-19):
 ===========================================
 Live versions of these release notes can be found at:
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
index 552bd0f..2967a32 100644
--- a/TestSecurityProperties.java
+++ b/TestSecurityProperties.java
@@ -1,3 +1,20 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+ enable the crypto policies.
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
 import java.io.File;
 import java.io.FileInputStream;
 import java.security.Security;
diff --git a/TestTranslations.java b/TestTranslations.java
new file mode 100644
index 0000000..cf83303
--- /dev/null
+++ b/TestTranslations.java
@@ -0,0 +1,35 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.ResourceBundle;
+
+import sun.util.resources.LocaleData;
+import sun.util.locale.provider.LocaleProviderAdapter;
+
+public class TestTranslations {
+ public static void main(String[] args) {
+ for (String zone : args) {
+ System.out.printf("Translations for %s\n", zone);
+ for (Locale l : Locale.getAvailableLocales()) {
+ ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l);
+ System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
+ }
+ }
+ }
+}
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 082fe91..654850d 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -310,7 +310,7 @@
 %global featurever 17
 %global interimver 0
 %global updatever 4
-%global patchver 0
+%global patchver 1
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
 # and this it is better to change it here, on single place
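Review bot: In `main` of the new TestTranslations.java, a missing translation is reported only through whatever `bundle.getStringArray(zone)` happens to throw, so the test has no explicit pass/fail condition and it succeeds without checking anything when it is run with no arguments. Make the check explicit with `String[] names = bundle.getStringArray(zone);` followed by `if (names == null || names.length == 0) throw new RuntimeException("No translations for " + zone + " in locale " + l);`, and reject an empty `args` before the loop. The `new LocaleData(LocaleProviderAdapter.Type.JRE)` instance does not depend on the zone or the locale and could be created once before both loops.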
@@ -356,8 +356,8 @@
 %global origin_nice OpenJDK
 %global top_level_dir_name %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 8
-%global rpmrelease 2
+%global buildver 1
+%global rpmrelease 1
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1341,6 +1341,9 @@ Source16: CheckVendor.java
 # nss fips configuration file
 Source17: nss.fips.cfg.in
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
 ############################################
 #
 # RPM/distribution specific patches
@@ -1360,6 +1363,8 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch
 Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
 # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
+Patch7: jdk8292223-tzdata2022b-kyiv.patch
 # Crypto policy and FIPS support patches
 # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
@@ -1801,6 +1806,7 @@ pushd %{top_level_dir_name}
 %patch2 -p1
 %patch3 -p1
 %patch6 -p1
+%patch7 -p1
 # Add crypto policy and FIPS support
 %patch1001 -p1
 # nss.cfg PKCS11 support; must come last as it also alters java.security
@@ -2340,6 +2346,14 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
 $JAVA_HOME/bin/javac -d . %{SOURCE16}
 $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \
+ --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
+ -d . %{SOURCE18}
+$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
+ --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
+ $(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
+
 %if %{include_staticlibs}
 # Check debug symbols in static libraries (smoke test)
 export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
@@ -2607,6 +2621,12 @@ cjc.mainProgram(args)
 %endif
 %changelog
+* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+
 * Mon Aug 15 2022 Andrew Hughes - 1:17.0.4.0.8-2
 - Update FIPS support to bring in latest changes
 - * RH2104724: Avoid import/export of DH private keys
@@ -2614,8 +2634,8 @@ cjc.mainProgram(args)
 - * Build the systemconf library on all platforms
 * Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-1
-- Update to jdk-17.0.3.0+8
-- Update release notes to 17.0.3.0+8
+- Update to jdk-17.0.4.0+8
+- Update release notes to 17.0.4.0+8
 - Switch to GA mode for release
 - Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/jdk8292223-tzdata2022b-kyiv.patch b/jdk8292223-tzdata2022b-kyiv.patch
new file mode 100644
index 0000000..1107b82
--- /dev/null
+++ b/jdk8292223-tzdata2022b-kyiv.patch
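Review bot: The class name handed to `java` in the added translation check is derived with `$(echo $(basename %{SOURCE18})|sed "s|\.java||")`, which leaves both command substitutions unquoted and uses an unanchored pattern that removes the first `.java` wherever it occurs in the name. `"$(basename %{SOURCE18} .java)"` yields the same class name in one step and stays correct if the source path ever contains whitespace. The added lines copy the existing `%{SOURCE16}` invocation in the context just above, so that line could be changed the same way; the enclosing spec section starts and ends outside the hunk.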
@@ -0,0 +1,132 @@ +diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +index 8759aab3995..11ccbf73839 100644 +--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java ++++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle { + {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00", + "Kirov Daylight Time", "GMT+03:00", + "Kirov Time", "GMT+03:00"}}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java +index f007c1a8d3b..617268e4cf3 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java +index 386414e16e6..14c5d89b9c5 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", 
GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java +index d23f5fd49e6..44117125619 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java +index b4f57d4568c..efa818f3865 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java +index 1a10a9f96dc..7c0565461ad 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff 
--git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java +index 9a2d9e5c57c..8a2c805997f 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java +index de5e5c82daa..e3c06417f09 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java +index b53de4d8c89..3e46b6a063e 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff 
--git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java +index 7797cda19d5..590908409a8 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java +@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java +index 2cd10554853..23c5f180b6d 100644 +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java +@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, ++ {"Europe/Kyiv", EET}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, diff --git a/sources b/sources index 765b22b..2008902 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.4+8.tar.xz) = 9b6bac353899501e5645cac0234455d5777d6d7c7f0ef5ca2487770be5953a7af578c735aece1b64d2a59cc9e93d735ecb3a4d693ef97ca4ca84595bdb0c8deb +SHA512 (openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz) = 50bf07932e3aec20b4b5d51c01fe095a67b0186a4bc0bed6c8acfacde3673b97f0f177e0f3c372bf1a494c99e61475b4af66261be15f33bb4be8b14671952419 
From ea9509f5cadcf50044fda1098ddbc07a08e3ed49 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Mon, 29 Aug 2022 04:59:50 +0100 Subject: [PATCH 47/61] Update FIPS support to bring in latest changes * RH2048582: Support PKCS#12 keystores * RH2020290: Support TLS 1.3 in FIPS mode --- ...f07cb9.patch => fips-17u-0bd5ca9ccc5.patch | 2361 ++++++++++++++++- java-17-openjdk.spec | 11 +- 2 files changed, 2241 insertions(+), 131 deletions(-) rename fips-17u-bb46af07cb9.patch => fips-17u-0bd5ca9ccc5.patch (60%) diff --git a/fips-17u-bb46af07cb9.patch b/fips-17u-0bd5ca9ccc5.patch similarity index 60% rename from fips-17u-bb46af07cb9.patch rename to fips-17u-0bd5ca9ccc5.patch index 8954cf1..86fb1ab 100644 --- a/fips-17u-bb46af07cb9.patch +++ b/fips-17u-0bd5ca9ccc5.patch 
@@ -157,6 +157,310 @@ index 5658ff342e5..c8bc5bde1e1 100644 ################################################################################ # Create the symbols file for static builds. +diff --git a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java +index 1fd6230d83b..683e3dd3a8d 100644 +--- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java ++++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java +@@ -25,13 +25,12 @@ + + package com.sun.crypto.provider; + +-import java.util.Arrays; +- + import javax.crypto.SecretKey; + import javax.crypto.spec.SecretKeySpec; +-import javax.crypto.spec.PBEParameterSpec; ++import javax.crypto.spec.PBEKeySpec; + import java.security.*; + import java.security.spec.*; ++import sun.security.util.PBEUtil; + + /** + * This is an implementation of the HMAC algorithms as defined +@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore { + */ + protected void engineInit(Key key, AlgorithmParameterSpec params) + throws InvalidKeyException, InvalidAlgorithmParameterException { +- char[] passwdChars; +- byte[] salt = null; +- int iCount = 0; +- if (key instanceof javax.crypto.interfaces.PBEKey) { +- javax.crypto.interfaces.PBEKey pbeKey = +- (javax.crypto.interfaces.PBEKey) key; +- passwdChars = pbeKey.getPassword(); +- salt = pbeKey.getSalt(); // maybe null if unspecified +- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified +- } else if (key instanceof SecretKey) { +- byte[] passwdBytes; +- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || +- (passwdBytes = key.getEncoded()) == null) { +- throw new InvalidKeyException("Missing password"); +- } +- passwdChars = new char[passwdBytes.length]; +- for (int i=0; i serverDefaultCipherSuites; - - static { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- 
ProtocolVersion.TLS11, -- ProtocolVersion.TLS10, -- ProtocolVersion.SSL30, -- ProtocolVersion.SSL20Hello -- ); -- -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); +diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java +new file mode 100644 +index 00000000000..dc8bc72fccb +--- /dev/null ++++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java +@@ -0,0 +1,297 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 
++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ + -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10, -+ ProtocolVersion.SSL30, -+ ProtocolVersion.SSL20Hello -+ ); ++package sun.security.util; + -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - - supportedCipherSuites = getApplicableSupportedCipherSuites( - supportedProtocols); -@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { - ProtocolVersion[] candidates; - if (refactored.isEmpty()) { - // Client and server use the same default protocols. -- candidates = new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }; -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } else { -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - } else { - // Use the customized TLS protocols. 
- candidates = -diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -index 894e26dfad8..8b16378b96b 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -@@ -27,6 +27,8 @@ package sun.security.ssl; - - import java.security.*; - import java.util.*; ++import java.security.AlgorithmParameters; ++import java.security.InvalidAlgorithmParameterException; ++import java.security.InvalidKeyException; ++import java.security.Key; ++import java.security.NoSuchAlgorithmException; ++import java.security.Provider; ++import java.security.SecureRandom; ++import java.security.spec.AlgorithmParameterSpec; ++import java.security.spec.InvalidParameterSpecException; ++import java.util.Arrays; ++import javax.crypto.Cipher; ++import javax.crypto.SecretKey; ++import javax.crypto.spec.IvParameterSpec; ++import javax.crypto.spec.PBEKeySpec; ++import javax.crypto.spec.PBEParameterSpec; + -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - - /** -@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider { - "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); - ps("SSLContext", "TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); -- ps("SSLContext", "TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. 
-+ ps("SSLContext", "TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++public final class PBEUtil { ++ ++ // Used by SunJCE and SunPKCS11 ++ public final static class PBES2Helper { ++ private int iCount; ++ private byte[] salt; ++ private IvParameterSpec ivSpec; ++ private final int defaultSaltLength; ++ private final int defaultCount; ++ ++ public PBES2Helper(int defaultSaltLength, int defaultCount) { ++ this.defaultSaltLength = defaultSaltLength; ++ this.defaultCount = defaultCount; + } - ps("SSLContext", "TLS", - "sun.security.ssl.SSLContextImpl$TLSContext", - List.of("SSL"), null); ++ ++ public IvParameterSpec getIvSpec() { ++ return ivSpec; ++ } ++ ++ public AlgorithmParameters getAlgorithmParameters( ++ int blkSize, String pbeAlgo, Provider p, SecureRandom random) { ++ AlgorithmParameters params = null; ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if (ivSpec == null) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ PBEParameterSpec pbeSpec = new PBEParameterSpec( ++ salt, iCount, ivSpec); ++ try { ++ params = (p == null) ? 
++ AlgorithmParameters.getInstance(pbeAlgo) : ++ AlgorithmParameters.getInstance(pbeAlgo, p); ++ params.init(pbeSpec); ++ } catch (NoSuchAlgorithmException nsae) { ++ // should never happen ++ throw new RuntimeException("AlgorithmParameters for " ++ + pbeAlgo + " not configured"); ++ } catch (InvalidParameterSpecException ipse) { ++ // should never happen ++ throw new RuntimeException("PBEParameterSpec not supported"); ++ } ++ return params; ++ } ++ ++ public PBEKeySpec getPBEKeySpec( ++ int blkSize, int keyLength, int opmode, Key key, ++ AlgorithmParameterSpec params, SecureRandom random) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ ++ if (key == null) { ++ throw new InvalidKeyException("Null key"); ++ } ++ ++ byte[] passwdBytes = key.getEncoded(); ++ char[] passwdChars = null; ++ PBEKeySpec pbeSpec; ++ try { ++ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches( ++ true, 0, "PBE", 0, 3))) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ ++ // TBD: consolidate the salt, ic and IV parameter checks below ++ ++ // Extract salt and iteration count from the key, if present ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt(); ++ if (salt != null && salt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ iCount = ((javax.crypto.interfaces.PBEKey)key) ++ .getIterationCount(); ++ if (iCount == 0) { ++ iCount = defaultCount; ++ } else if (iCount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ } ++ ++ // Extract salt, iteration count and IV from the params, ++ // if present ++ if (params == null) { ++ if (salt == null) { ++ // generate random salt and use default iteration count ++ salt = new byte[defaultSaltLength]; ++ random.nextBytes(salt); ++ iCount = defaultCount; ++ } ++ if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == 
Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } ++ } else { ++ if (!(params instanceof PBEParameterSpec)) { ++ throw new InvalidAlgorithmParameterException ++ ("Wrong parameter type: PBE expected"); ++ } ++ // salt and iteration count from the params take precedence ++ byte[] specSalt = ((PBEParameterSpec) params).getSalt(); ++ if (specSalt != null && specSalt.length < 8) { ++ throw new InvalidAlgorithmParameterException( ++ "Salt must be at least 8 bytes long"); ++ } ++ salt = specSalt; ++ int specICount = ((PBEParameterSpec) params) ++ .getIterationCount(); ++ if (specICount == 0) { ++ specICount = defaultCount; ++ } else if (specICount < 0) { ++ throw new InvalidAlgorithmParameterException( ++ "Iteration count must be a positive number"); ++ } ++ iCount = specICount; ++ ++ AlgorithmParameterSpec specParams = ++ ((PBEParameterSpec) params).getParameterSpec(); ++ if (specParams != null) { ++ if (specParams instanceof IvParameterSpec) { ++ ivSpec = (IvParameterSpec)specParams; ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: IV expected"); ++ } ++ } else if ((opmode == Cipher.ENCRYPT_MODE) || ++ (opmode == Cipher.WRAP_MODE)) { ++ // generate random IV ++ byte[] ivBytes = new byte[blkSize]; ++ random.nextBytes(ivBytes); ++ ivSpec = new IvParameterSpec(ivBytes); ++ } else { ++ throw new InvalidAlgorithmParameterException( ++ "Missing parameter type: IV expected"); ++ } ++ } ++ ++ passwdChars = new char[passwdBytes.length]; ++ for (int i = 0; i < passwdChars.length; i++) ++ passwdChars[i] = (char) (passwdBytes[i] & 0x7f); ++ ++ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength); ++ // password char[] was cloned in PBEKeySpec constructor, ++ // so we can zero it out here ++ } finally { ++ if (passwdChars != null) Arrays.fill(passwdChars, '\0'); ++ if (passwdBytes != null) Arrays.fill(passwdBytes, 
(byte)0x00); ++ } ++ return pbeSpec; ++ } ++ ++ public static AlgorithmParameterSpec getParameterSpec( ++ AlgorithmParameters params) ++ throws InvalidAlgorithmParameterException { ++ AlgorithmParameterSpec pbeSpec = null; ++ if (params != null) { ++ try { ++ pbeSpec = params.getParameterSpec(PBEParameterSpec.class); ++ } catch (InvalidParameterSpecException ipse) { ++ throw new InvalidAlgorithmParameterException( ++ "Wrong parameter type: PBE expected"); ++ } ++ } ++ return pbeSpec; ++ } ++ } ++ ++ // Used by SunJCE and SunPKCS11 ++ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params) ++ throws InvalidKeyException, InvalidAlgorithmParameterException { ++ char[] passwdChars; ++ byte[] salt = null; ++ int iCount = 0; ++ if (key instanceof javax.crypto.interfaces.PBEKey) { ++ javax.crypto.interfaces.PBEKey pbeKey = ++ (javax.crypto.interfaces.PBEKey) key; ++ passwdChars = pbeKey.getPassword(); ++ salt = pbeKey.getSalt(); // maybe null if unspecified ++ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified ++ } else if (key instanceof SecretKey) { ++ byte[] passwdBytes; ++ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || ++ (passwdBytes = key.getEncoded()) == null) { ++ throw new InvalidKeyException("Missing password"); ++ } ++ passwdChars = new char[passwdBytes.length]; ++ for (int i=0; i [ 0x0061, 0x0000 ] ++ // / \ / \ ++ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000] ++ // | | | | ++ // BMPString => [ 0x00, 0x61, 0x00, 0x00] ++ // ++ int inputLength = (password == null) ? 
0 : password.length; ++ char[] expPassword = new char[inputLength * 2 + 2]; ++ for (int i = 0, j = 0; i < inputLength; i++, j += 2) { ++ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF); ++ expPassword[j + 1] = (char) (password[i] & 0xFF); ++ } ++ password = expPassword; ++ } ++ ckMech = new CK_MECHANISM(kdfData.kdfMech, ++ new CK_PBE_PARAMS(password, salt, itCount)); ++ } ++ ++ long keyType = getKeyType(kdfData.keyAlgo); ++ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[ ++ switch (kdfData.op) { ++ case ENCRYPTION, AUTHENTICATION -> 4; ++ case GENERIC -> 5; ++ }]; ++ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY); ++ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3); ++ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType); ++ switch (kdfData.op) { ++ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE; ++ case GENERIC -> { ++ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE; ++ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE; ++ } ++ } ++ CK_ATTRIBUTE[] attr = token.getAttributes( ++ O_GENERATE, CKO_SECRET_KEY, keyType, attrs); ++ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr); ++ return (P11Key)P11Key.secretKey( ++ session, keyID, kdfData.keyAlgo, keySize, attr); ++ } catch (PKCS11Exception e) { ++ throw new InvalidKeySpecException("Could not create key", e); ++ } finally { ++ token.releaseSession(session); ++ } ++ } ++ ++ static P11Key derivePBEKey(Token token, PBEKey key, String algo) ++ throws InvalidKeyException { ++ token.ensureValid(); ++ if (key == null) { ++ throw new InvalidKeyException("PBEKey must not be null"); ++ } ++ P11Key p11Key = token.secretCache.get(key); ++ if (p11Key != null) { ++ return p11Key; ++ } ++ try { ++ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(), ++ key.getSalt(), key.getIterationCount()), algo); ++ } catch (InvalidKeySpecException e) { ++ throw new InvalidKeyException(e); ++ } ++ token.secretCache.put(key, p11Key); ++ return p11Key; ++ } ++ + 
static void fixDESParity(byte[] key, int offset) { + for (int i = 0; i < 8; i++) { + int b = key[offset] & 0xfe; +@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + keySpec = new SecretKeySpec(keyBytes, "DESede"); + return engineGenerateSecret(keySpec); + } ++ } else if (keySpec instanceof PBEKeySpec) { ++ return (SecretKey)derivePBEKey(token, ++ (PBEKeySpec)keySpec, algorithm); + } + throw new InvalidKeySpecException + ("Unsupported spec: " + keySpec.getClass().getName()); +@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi { + // see JCE spec + protected SecretKey engineTranslateKey(SecretKey key) + throws InvalidKeyException { ++ if (key instanceof PBEKey) { ++ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm); ++ } + return (SecretKey)convertKey(token, key, algorithm); + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +index 262cfc062ad..72b64f72c0a 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +@@ -27,6 +27,10 @@ package sun.security.pkcs11; + + import java.math.BigInteger; + import java.security.*; ++import java.util.HashMap; ++import java.util.Map; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * Collection of static utility methods. 
+@@ -40,10 +44,106 @@ public final class P11Util { + + private static volatile Provider sun, sunRsaSign, sunJce; + ++ // Used by PBE ++ static final class KDFData { ++ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC} ++ public long kdfMech; ++ public long prfMech; ++ public String keyAlgo; ++ public int keyLen; ++ public Operation op; ++ KDFData(long kdfMech, long prfMech, String keyAlgo, ++ int keyLen, Operation op) { ++ this.kdfMech = kdfMech; ++ this.prfMech = prfMech; ++ this.keyAlgo = keyAlgo; ++ this.keyLen = keyLen; ++ this.op = op; ++ } ++ ++ public static void addPbkdf2Data(String algo, long kdfMech, ++ long prfMech) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "Generic", -1, Operation.GENERIC)); ++ } ++ ++ public static void addPbkdf2AesData(String algo, long kdfMech, ++ long prfMech, int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech, ++ "AES", keyLen, Operation.ENCRYPTION)); ++ } ++ ++ public static void addPkcs12KDData(String algo, long kdfMech, ++ int keyLen) { ++ kdfDataMap.put(algo, new KDFData(kdfMech, -1, ++ "Generic", keyLen, Operation.AUTHENTICATION)); ++ } ++ } ++ ++ static final Map kdfDataMap = new HashMap<>(); ++ ++ static { ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256); 
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256); ++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256); ++ ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384); ++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512", ++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512); ++ ++ KDFData.addPkcs12KDData("HmacPBESHA1", ++ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160); ++ KDFData.addPkcs12KDData("HmacPBESHA224", ++ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224); ++ KDFData.addPkcs12KDData("HmacPBESHA256", ++ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256); ++ KDFData.addPkcs12KDData("HmacPBESHA384", ++ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384); ++ KDFData.addPkcs12KDData("HmacPBESHA512", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/224", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ KDFData.addPkcs12KDData("HmacPBESHA512/256", ++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512); ++ } ++ + private P11Util() { + // empty + } + ++ static boolean isNSS(Token token) { ++ char[] tokenLabel = token.tokenInfo.label; ++ if (tokenLabel != null && tokenLabel.length >= 3) { ++ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' ++ && tokenLabel[2] == 'S'); ++ } ++ return false; ++ } ++ + static Provider getSunProvider() { + Provider p = sun; + if (p == null) { 
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 112b639aa96..5549cd9ed4e 100644 +index 112b639aa96..3e170b4c115 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -2918,7 +3960,7 @@ index 112b639aa96..5549cd9ed4e 100644 } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -339,7 +383,8 @@ public final class SunPKCS11 extends AuthProvider { +@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider { initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance(library, @@ -2928,6 +3970,11 @@ index 112b639aa96..5549cd9ed4e 100644 } p11 = tmpPKCS11; +- CK_INFO p11Info = p11.C_GetInfo(); ++ CK_INFO p11Info = p11.getInfo(); + if (p11Info.cryptokiVersion.major < 2) { + throw new ProviderException("Only PKCS#11 v2.0 and later " + + "supported, library version is v" + p11Info.cryptokiVersion); @@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); 
@@ -2953,8 +4000,588 @@ index 112b639aa96..5549cd9ed4e 100644 } catch (Exception e) { if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException +@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider { + final String className; + final List aliases; + final int[] mechanisms; ++ final int[] requiredMechs; + ++ // mechanisms is a list of possible mechanisms that implement the ++ // algorithm, at least one of them must be available. requiredMechs ++ // is a list of auxiliary mechanisms, all of them must be available + private Descriptor(String type, String algorithm, String className, +- List aliases, int[] mechanisms) { ++ List aliases, int[] mechanisms, int[] requiredMechs) { + this.type = type; + this.algorithm = algorithm; + this.className = className; + this.aliases = aliases; + this.mechanisms = mechanisms; ++ this.requiredMechs = requiredMechs; + } + private P11Service service(Token token, int mechanism) { + return new P11Service +@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider { + + private static void d(String type, String algorithm, String className, + int[] m) { +- register(new Descriptor(type, algorithm, className, null, m)); ++ register(new Descriptor(type, algorithm, className, null, m, null)); + } + + private static void d(String type, String algorithm, String className, + List aliases, int[] m) { +- register(new Descriptor(type, algorithm, className, aliases, m)); ++ register(new Descriptor(type, algorithm, className, aliases, m, null)); ++ } ++ ++ private static void d(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, null, m, ++ requiredMechs)); ++ } ++ private static void dA(String type, String algorithm, String className, ++ int[] m, int[] requiredMechs) { ++ register(new Descriptor(type, algorithm, className, ++ getAliases(algorithm), m, requiredMechs)); + } + + private 
static void dA(String type, String algorithm, String className, + int[] m) { + register(new Descriptor(type, algorithm, className, +- getAliases(algorithm), m)); ++ getAliases(algorithm), m, null)); + } + + private static void register(Descriptor d) { +@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider { + String P11Cipher = "sun.security.pkcs11.P11Cipher"; + String P11RSACipher = "sun.security.pkcs11.P11RSACipher"; + String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher"; ++ String P11PBECipher = "sun.security.pkcs11.P11PBECipher"; + String P11Signature = "sun.security.pkcs11.P11Signature"; + String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature"; + +@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider { + d(MAC, "SslMacSHA1", P11Mac, + m(CKM_SSL3_SHA1_MAC)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBA HMacs ++ * ++ * KeyDerivationMech must be supported ++ * for these services to be available. ++ * ++ */ ++ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC), ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC), ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ } ++ + d(KPG, "RSA", P11KeyPairGenerator, + getAliases("PKCS1"), + m(CKM_RSA_PKCS_KEY_PAIR_GEN)); +@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider { + d(SKF, "ChaCha20", P11SecretKeyFactory, + m(CKM_CHACHA20_POLY1305)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Secret Key Factories ++ 
* ++ * KeyDerivationPrf must be supported for these services ++ * to be available. ++ * ++ */ ++ d(SKF, "PBEWithHmacSHA1AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_128", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ d(SKF, "PBEWithHmacSHA1AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ d(SKF, "PBEWithHmacSHA224AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBEWithHmacSHA256AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBEWithHmacSHA384AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBEWithHmacSHA512AndAES_256", ++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ /* ++ * PBA Secret Key Factories ++ */ ++ d(SKF, "HmacPBESHA1", P11SecretKeyFactory, ++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC)); ++ d(SKF, "HmacPBESHA224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA384", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory, ++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN)); ++ /* ++ * PBKDF2 Secret Key Factories ++ */ ++ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC)); ++ 
d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC)); ++ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory, ++ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC)); ++ } ++ + // XXX attributes for Ciphers (supported modes, padding) + dA(CIP, "ARCFOUR", P11Cipher, + m(CKM_RC4)); +@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider { + d(CIP, "RSA/ECB/NoPadding", P11RSACipher, + m(CKM_RSA_X_509)); + ++ if (systemFipsEnabled) { ++ /* ++ * PBE Ciphers ++ * ++ * KeyDerivationMech and KeyDerivationPrf must be supported ++ * for these services to be available. ++ * ++ */ ++ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); ++ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC)); ++ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC)); ++ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC)); ++ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC)); 
++ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher, ++ m(CKM_AES_CBC_PAD, CKM_AES_CBC), ++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC)); ++ } ++ + d(SIG, "RawDSA", P11Signature, + List.of("NONEwithDSA"), + m(CKM_DSA)); +@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider { + if (ds == null) { + continue; + } ++ descLoop: + for (Descriptor d : ds) { + Integer oldMech = supportedAlgs.get(d); + if (oldMech == null) { ++ if (d.requiredMechs != null) { ++ // Check that other mechanisms required for the ++ // service are supported before listing it as ++ // available for the first time. ++ for (int requiredMech : d.requiredMechs) { ++ if (token.getMechanismInfo( ++ requiredMech & 0xFFFFFFFFL) == null) { ++ continue descLoop; ++ } ++ } ++ } + supportedAlgs.put(d, integerMech); + continue; + } +@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider { + } else if (algorithm.endsWith("GCM/NoPadding") || + algorithm.startsWith("ChaCha20-Poly1305")) { + return new P11AEADCipher(token, algorithm, mechanism); ++ } else if (algorithm.startsWith("PBE")) { ++ return new P11PBECipher(token, algorithm, mechanism); + } else { + return new P11Cipher(token, algorithm, mechanism); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java +index 88ff8a71fc3..47a2f97eddf 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java +@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS { + } + + /** +- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. ++ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS. 
+ * +- * @return the string representation of CK_PKCS5_PBKD2_PARAMS ++ * @return the string representation of CK_ECDH1_DERIVE_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +index 0c9ebb289c1..b4b2448464d 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +@@ -160,6 +160,18 @@ public class CK_MECHANISM { + init(mechanism, params); + } + ++ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) { ++ init(mechanism, params); ++ } ++ ++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) { ++ init(mechanism, params); ++ } ++ + // For PSS. the parameter may be set multiple times, use the + // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS) + // methods instead of creating yet another constructor +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +index e8b048869c4..a25fa1c39e5 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java +@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper; + + + /** +- * class CK_PBE_PARAMS provides all of the necessary information required byte ++ * class CK_PBE_PARAMS provides all the necessary information required by + * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

+ * PKCS#11 structure: + *

+  * typedef struct CK_PBE_PARAMS {
+- *   CK_CHAR_PTR pInitVector;
+- *   CK_CHAR_PTR pPassword;
++ *   CK_BYTE_PTR pInitVector;
++ *   CK_UTF8CHAR_PTR pPassword;
+  *   CK_ULONG ulPasswordLen;
+- *   CK_CHAR_PTR pSalt;
++ *   CK_BYTE_PTR pSalt;
+  *   CK_ULONG ulSaltLen;
+  *   CK_ULONG ulIteration;
+  * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+     /**
+      * PKCS#11:
+      * 
+-     *   CK_CHAR_PTR pInitVector;
++     *   CK_BYTE_PTR pInitVector;
+      * 
+ */ +- public char[] pInitVector; ++ public byte[] pInitVector; + + /** + * PKCS#11: + *
+-     *   CK_CHAR_PTR pPassword;
++     *   CK_UTF8CHAR_PTR pPassword;
+      *   CK_ULONG ulPasswordLen;
+      * 
+ */ +@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS { + /** + * PKCS#11: + *
+-     *   CK_CHAR_PTR pSalt
++     *   CK_BYTE_PTR pSalt
+      *   CK_ULONG ulSaltLen;
+      * 
+ */ +- public char[] pSalt; ++ public byte[] pSalt; + + /** + * PKCS#11: +@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS { + */ + public long ulIteration; + ++ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) { ++ this.pPassword = pPassword; ++ this.pSalt = pSalt; ++ this.ulIteration = ulIteration; ++ } ++ + /** + * Returns the string representation of CK_PBE_PARAMS. + * +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java +index fb90bfced27..a01beb0753a 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java +@@ -47,7 +47,7 @@ + + package sun.security.pkcs11.wrapper; + +- ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + + /** + * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2 +@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper; + * PKCS#11 structure: + *
+  * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+  *   CK_VOID_PTR pSaltSourceData;
+  *   CK_ULONG ulSaltSourceDataLen;
+  *   CK_ULONG iterations;
+  *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+  *   CK_VOID_PTR pPrfData;
+  *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG_PTR ulPasswordLen;
+  * } CK_PKCS5_PBKD2_PARAMS;
+  * 
+ * +@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS { + */ + public byte[] pPrfData; + ++ /** ++ * PKCS#11: ++ *
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG_PTR ulPasswordLen;
++     * 
++ */ ++ public char[] pPassword; ++ ++ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt, ++ long iterations, long prf) { ++ this.pPassword = pPassword; ++ this.pSaltSourceData = pSalt; ++ this.iterations = iterations; ++ this.prf = prf; ++ this.saltSource = CKZ_SALT_SPECIFIED; ++ } ++ + /** + * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. + * +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java +new file mode 100644 +index 00000000000..935db656639 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java +@@ -0,0 +1,156 @@ ++/* ++ * Copyright (c) 2022, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. 
++ */ ++ ++package sun.security.pkcs11.wrapper; ++ ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++ ++/** ++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2 ++ * mechanism.

++ * PKCS#11 structure: ++ *

++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ *   CK_VOID_PTR pSaltSourceData;
++ *   CK_ULONG ulSaltSourceDataLen;
++ *   CK_ULONG iterations;
++ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ *   CK_VOID_PTR pPrfData;
++ *   CK_ULONG ulPrfDataLen;
++ *   CK_UTF8CHAR_PTR pPassword;
++ *   CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ * 
++ * ++ */ ++public class CK_PKCS5_PBKD2_PARAMS2 { ++ ++ /** ++ * PKCS#11: ++ *
++     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++     * 
++ */ ++ public long saltSource; ++ ++ /** ++ * PKCS#11: ++ *
++     *   CK_VOID_PTR pSaltSourceData;
++     *   CK_ULONG ulSaltSourceDataLen;
++     * 
++ */ ++ public byte[] pSaltSourceData; ++ ++ /** ++ * PKCS#11: ++ *
++     *   CK_ULONG iterations;
++     * 
++ */ ++ public long iterations; ++ ++ /** ++ * PKCS#11: ++ *
++     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++     * 
++ */ ++ public long prf; ++ ++ /** ++ * PKCS#11: ++ *
++     *   CK_VOID_PTR pPrfData;
++     *   CK_ULONG ulPrfDataLen;
++     * 
++ */ ++ public byte[] pPrfData; ++ ++ /** ++ * PKCS#11: ++ *
++     *   CK_UTF8CHAR_PTR pPassword
++     *   CK_ULONG ulPasswordLen;
++     * 
++ */ ++ public char[] pPassword; ++ ++ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt, ++ long iterations, long prf) { ++ this.pPassword = pPassword; ++ this.pSaltSourceData = pSalt; ++ this.iterations = iterations; ++ this.prf = prf; ++ this.saltSource = CKZ_SALT_SPECIFIED; ++ } ++ ++ /** ++ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2. ++ * ++ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2 ++ */ ++ public String toString() { ++ StringBuilder sb = new StringBuilder(); ++ ++ sb.append(Constants.INDENT); ++ sb.append("saltSource: "); ++ sb.append(saltSource); ++ sb.append(Constants.NEWLINE); ++ ++ sb.append(Constants.INDENT); ++ sb.append("pSaltSourceData: "); ++ sb.append(Functions.toHexString(pSaltSourceData)); ++ sb.append(Constants.NEWLINE); ++ ++ sb.append(Constants.INDENT); ++ sb.append("ulSaltSourceDataLen: "); ++ sb.append(pSaltSourceData.length); ++ sb.append(Constants.NEWLINE); ++ ++ sb.append(Constants.INDENT); ++ sb.append("iterations: "); ++ sb.append(iterations); ++ sb.append(Constants.NEWLINE); ++ ++ sb.append(Constants.INDENT); ++ sb.append("prf: "); ++ sb.append(prf); ++ sb.append(Constants.NEWLINE); ++ ++ sb.append(Constants.INDENT); ++ sb.append("pPrfData: "); ++ sb.append(Functions.toHexString(pPrfData)); ++ sb.append(Constants.NEWLINE); ++ ++ sb.append(Constants.INDENT); ++ sb.append("ulPrfDataLen: "); ++ sb.append(pPrfData.length); ++ ++ return sb.toString(); ++ } ++ ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java +index 1f9c4d39f57..5e3c1b9d29f 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java +@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS { + public byte[] 
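Review bot: `toString()` in the new `CK_PKCS5_PBKD2_PARAMS2` dereferences `pPrfData.length`, but the only constructor never assigns `pPrfData`, so calling `toString()` on an instance built that way throws a NullPointerException unless the caller sets the field afterwards. The same applies to `pSaltSourceData.length` when a null salt is passed in. Guard both lengths, e.g. `sb.append(pPrfData == null ? 0 : pPrfData.length);`; whether `Functions.toHexString` accepts null is not visible here and should be checked as well. Leaving `pPassword` out of the string is the right behaviour and is worth pinning with a comment such as `// pPassword is deliberately not printed`.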
pPublicData; + + /** +- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS. ++ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS. + * +- * @return the string representation of CK_PKCS5_PBKD2_PARAMS ++ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS + */ + public String toString() { + StringBuilder sb = new StringBuilder(); diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 5c0aacd1a67..1e98ce2e280 100644 +index 5c0aacd1a67..5fbf8addcba 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java @@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; @@ -2967,10 +4594,26 @@ index 5c0aacd1a67..1e98ce2e280 100644 import java.util.*; import java.security.AccessController; -@@ -150,18 +153,43 @@ public class PKCS11 { - this.pkcs11ModulePath = pkcs11ModulePath; - } +@@ -113,6 +116,8 @@ public class PKCS11 { + private long pNativeData; + ++ private CK_INFO pInfo; ++ + /** + * This method does the initialization of the native library. It is called + * exactly once for this class. +@@ -145,23 +150,49 @@ public class PKCS11 { + * @postconditions + */ + PKCS11(String pkcs11ModulePath, String functionListName) +- throws IOException { ++ throws IOException, PKCS11Exception { + connect(pkcs11ModulePath, functionListName); + this.pkcs11ModulePath = pkcs11ModulePath; ++ pInfo = C_GetInfo(); ++ } ++ + /* + * Compatibility wrapper to allow this method to work as before + * when FIPS mode support is not active. 
@@ -2980,8 +4623,8 @@ index 5c0aacd1a67..1e98ce2e280 100644 + boolean omitInitialize) throws IOException, PKCS11Exception { + return getInstance(pkcs11ModulePath, functionList, + pInitArgs, omitInitialize, null, null); -+ } -+ + } + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { @@ -3014,7 +4657,31 @@ index 5c0aacd1a67..1e98ce2e280 100644 } if (omitInitialize == false) { try { -@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 { +@@ -179,6 +210,14 @@ public class PKCS11 { + return pkcs11; + } + ++ /** ++ * Returns the CK_INFO structure fetched at initialization with ++ * C_GetInfo. This structure represent Cryptoki library information. ++ */ ++ public CK_INFO getInfo() { ++ return pInfo; ++ } ++ + /** + * Connects this object to the specified PKCS#11 library. This method is for + * internal use only. +@@ -1625,7 +1664,7 @@ public class PKCS11 { + static class SynchronizedPKCS11 extends PKCS11 { + + SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) +- throws IOException { ++ throws IOException, PKCS11Exception { + super(pkcs11ModulePath, functionListName); + } + +@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } @@ -3028,7 +4695,7 @@ index 5c0aacd1a67..1e98ce2e280 100644 + private MethodHandle hC_GetAttributeValue; + FIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException { ++ throws IOException, PKCS11Exception { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + this.fipsKeyExporter = fipsKeyExporter; 
@@ -3080,7 +4747,7 @@ index 5c0aacd1a67..1e98ce2e280 100644 + private MethodHandle hC_GetAttributeValue; + SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, + MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException { ++ throws IOException, PKCS11Exception { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; + this.fipsKeyExporter = fipsKeyExporter; 
@@ -3209,6 +4876,442 @@ index 5c0aacd1a67..1e98ce2e280 100644 + } +} } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +index d22844cfba8..9e02958b4b0 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +@@ -1104,17 +1104,6 @@ public interface PKCS11Constants { + public static final long CKD_BLAKE2B_384_KDF = 0x00000019L; + public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL; + +- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L; +- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L; +- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L; +- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L; +- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L; +- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L; +- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L; +- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L; +- +- public static final long CKZ_SALT_SPECIFIED = 0x00000001L; +- + public static final long CK_OTP_VALUE = 0x00000000L; + public static final long CK_OTP_PIN = 0x00000001L; + public static final long CK_OTP_CHALLENGE = 0x00000002L; +@@ -1150,12 +1139,23 @@ public interface PKCS11Constants { + public static final long CKF_HKDF_SALT_KEY = 0x00000004L; + */ + ++ // PBKDF2 support, used in P11Util ++ public static final long CKZ_SALT_SPECIFIED = 0x00000001L; ++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L; ++ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L; ++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L; ++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L; ++ 
public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L; ++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L; ++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L; ++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L; ++ + // private NSS attribute (for DSA and DH private keys) + public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L; + + // base number of NSS private attributes + public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/ +- = 0xCE534350L; ++ /* now known as CKM_NSS ^ */ = 0xCE534350L; + + // object type for NSS trust + public static final long CKO_NETSCAPE_TRUST = 0xCE534353L; +@@ -1180,4 +1180,14 @@ public interface PKCS11Constants { + = 0xCE534355L; + public static final long CKT_NETSCAPE_VALID = 0xCE53435AL; + public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL; ++ ++ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 ++ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN ++ /* (CKM_NSS + 29) */ = 0xCE53436DL; ++ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN ++ /* (CKM_NSS + 30) */ = 0xCE53436EL; ++ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN ++ /* (CKM_NSS + 31) */ = 0xCE53436FL; ++ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN ++ /* (CKM_NSS + 32) */ = 0xCE534370L; + } +diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +index 666c5eb9b3b..5523dafcdb4 100644 +--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c ++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c +@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam, + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_PBA_SHA1_WITH_SHA1_HMAC: ++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: ++ case 
CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: + ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength); + break; + case CKM_PKCS5_PBKD2: +@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) + // retrieve java values + jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); + if (jPbeParamsClass == NULL) { return NULL; } +- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C"); ++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B"); + if (fieldID == NULL) { return NULL; } + jInitVector = (*env)->GetObjectField(env, jParam, fieldID); + fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C"); + if (fieldID == NULL) { return NULL; } + jPassword = (*env)->GetObjectField(env, jParam, fieldID); +- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C"); ++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B"); + if (fieldID == NULL) { return NULL; } + jSalt = (*env)->GetObjectField(env, jParam, fieldID); + fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J"); +@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) + + // populate using java values + ckParamPtr->ulIteration = jLongToCKULong(jIteration); +- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp); ++ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp); + if ((*env)->ExceptionCheck(env)) { + goto cleanup; + } +- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen)); ++ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen)); + if ((*env)->ExceptionCheck(env)) { + goto cleanup; + } +- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen)); ++ jByteArrayToCKByteArray(env, 
jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen)); + if ((*env)->ExceptionCheck(env)) { + goto cleanup; + } +@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job + } + } + ++#define PBKD2_PARAM_SET(member, value) \ ++ do { \ ++ if(ckParamPtr->version == PARAMS) { \ ++ ckParamPtr->params.v1.member = value; \ ++ } else { \ ++ ckParamPtr->params.v2.member = value; \ ++ } \ ++ } while(0) ++ ++#define PBKD2_PARAM_ADDR(member) \ ++ ( \ ++ (ckParamPtr->version == PARAMS) ? \ ++ (void*) &ckParamPtr->params.v1.member : \ ++ (void*) &ckParamPtr->params.v2.member \ ++ ) ++ + /* +- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS ++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS ++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2 + * pointer + * +- * @param env - used to call JNI funktions to get the Java classes and objects +- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert ++ * @param env - used to call JNI functions to get the Java classes and objects ++ * @param jParam - the Java object to convert + * @param pLength - length of the allocated memory of the returned pointer +- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure ++ * @return pointer to the new structure + */ +-CK_PKCS5_PBKD2_PARAMS_PTR ++CK_VOID_PTR + jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength) + { +- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr; ++ VersionedPbkd2ParamsPtr ckParamPtr; ++ ParamVersion paramVersion; ++ CK_ULONG_PTR pUlPasswordLen; + jclass jPkcs5Pbkd2ParamsClass; + jfieldID fieldID; + jlong jSaltSource, jIteration, jPrf; +- jobject jSaltSourceData, jPrfData; ++ jobject jSaltSourceData, jPrfData, jPassword; + + if (pLength != NULL) { + *pLength = 0L; + } + + // retrieve java values +- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); +- if (jPkcs5Pbkd2ParamsClass == 
NULL) { return NULL; } ++ if ((jPkcs5Pbkd2ParamsClass = ++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL ++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { ++ paramVersion = PARAMS; ++ } else if ((jPkcs5Pbkd2ParamsClass = ++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL ++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { ++ paramVersion = PARAMS2; ++ } else { ++ return NULL; ++ } + fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); + if (fieldID == NULL) { return NULL; } + jSaltSource = (*env)->GetLongField(env, jParam, fieldID); +@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL + fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); + if (fieldID == NULL) { return NULL; } + jPrfData = (*env)->GetObjectField(env, jParam, fieldID); ++ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C"); ++ if (fieldID == NULL) { return NULL; } ++ jPassword = (*env)->GetObjectField(env, jParam, fieldID); + +- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer +- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS)); ++ // allocate memory for VersionedPbkd2Params and store the structure version ++ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params)); + if (ckParamPtr == NULL) { + throwOutOfMemoryError(env, 0); + return NULL; + } ++ ckParamPtr->version = paramVersion; + + // populate using java values +- ckParamPtr->saltSource = jLongToCKULong(jSaltSource); +- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) +- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen)); ++ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource)); ++ jByteArrayToCKByteArray(env, jSaltSourceData, ++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData), ++ PBKD2_PARAM_ADDR(ulSaltSourceDataLen)); + if ((*env)->ExceptionCheck(env)) { + goto cleanup; + } +- ckParamPtr->iterations = 
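Review bot: In the class detection at the top of `jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr`, a failed first `FindClass` leaves an exception pending, and the `else if` then calls `FindClass` again, which JNI does not permit while an exception is pending. The final `else` also returns NULL without raising anything when `jParam` is an instance of neither class, so that case looks like any other failure unless the caller checks for it separately. Testing each lookup on its own (`if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }`) before the `IsInstanceOf` call keeps the error paths distinct. The function body continues in the next hunk.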
jLongToCKULong(jIteration); +- ckParamPtr->prf = jLongToCKULong(jPrf); +- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) +- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen)); ++ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration)); ++ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf)); ++ jByteArrayToCKByteArray(env, jPrfData, ++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData), ++ PBKD2_PARAM_ADDR(ulPrfDataLen)); ++ if ((*env)->ExceptionCheck(env)) { ++ goto cleanup; ++ } ++ if (ckParamPtr->version == PARAMS) { ++ pUlPasswordLen = calloc(1, sizeof(CK_ULONG)); ++ if (pUlPasswordLen == NULL) { ++ throwOutOfMemoryError(env, 0); ++ goto cleanup; ++ } ++ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen; ++ } else { ++ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen; ++ } ++ jCharArrayToCKUTF8CharArray(env, jPassword, ++ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword), ++ pUlPasswordLen); + if ((*env)->ExceptionCheck(env)) { + goto cleanup; + } + + if (pLength != NULL) { +- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS); ++ *pLength = (ckParamPtr->version == PARAMS ? 
++ sizeof(ckParamPtr->params.v1) : ++ sizeof(ckParamPtr->params.v2)); + } ++ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR + return ckParamPtr; + cleanup: +- free(ckParamPtr->pSaltSourceData); +- free(ckParamPtr->pPrfData); ++ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr); + free(ckParamPtr); + return NULL; + +diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c +index 520bd52a2cd..aa76945283d 100644 +--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c ++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c +@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { + case CKM_CAMELLIA_CTR: + // params do not contain pointers + break; ++ case CKM_PKCS5_PBKD2: ++ // get the versioned structure from behind memory ++ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ? ++ "[ CK_PKCS5_PBKD2_PARAMS ]\n" : ++ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n"); ++ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp); ++ break; ++ case CKM_PBA_SHA1_WITH_SHA1_HMAC: ++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: ++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: ++ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector); ++ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword); ++ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt); ++ break; + default: + // currently unsupported mechs by SunPKCS11 provider + // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE, + // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*, +- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2, ++ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, + // PBE mechs, WTLS mechs, CMS mechs, + // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP, + // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_* +@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO + jboolean* jpTemp; + CK_ULONG i; + +- 
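Review bot: The native copy of the password made by `jCharArrayToCKUTF8CharArray` is released with a plain `free()` and never cleared. The `cleanup:` path here goes through `FREE_VERSIONED_PBKD2_MEMBERS`, whose definition in pkcs11wrapper.h only calls `free()` on `pPassword`, and the new `CK_PBE_PARAMS` case in `freeCKMechanismPtr` (p11_util.c) does the same. Both structures carry the length next to the pointer, so the bytes can be zeroed before the free, e.g. `memset(p->pPassword, 0, p->ulPasswordLen);` behind a NULL check, written through a volatile pointer or with `explicit_bzero` where available, because a plain `memset` directly before `free` may be optimised away. For the v1 structure the length has to be read through the `ulPasswordLen` pointer, which can itself be NULL on the allocation-failure path. The function body starts in the previous hunk.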
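Review bot: The new `CK_PBE_PARAMS` case in `freeCKMechanismPtr` frees `pInitVector`, `pPassword` and `pSalt` only for `CKM_PBA_SHA1_WITH_SHA1_HMAC` and the four NSS PKCS#12 mechanisms, while `jMechParamToCKMechParamPtrSlow` in p11_convert.c also builds a `CK_PBE_PARAMS` for `CKM_PBE_SHA1_DES3_EDE_CBC` and `CKM_PBE_SHA1_DES2_EDE_CBC`. Unless those two are handled in a part of the switch outside this hunk, they appear to reach `default:` and their three buffers, the password included, are never released. Adding `case CKM_PBE_SHA1_DES3_EDE_CBC:` and `case CKM_PBE_SHA1_DES2_EDE_CBC:` to the same group would cover them. The switch begins and continues outside the hunk.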
if(jArray == NULL) { ++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); ++ if(*ckpLength == 0L) { + *ckpArray = NULL_PTR; +- *ckpLength = 0L; + return; + } +- *ckpLength = (*env)->GetArrayLength(env, jArray); + jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); +@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR * + jbyte* jpTemp; + CK_ULONG i; + +- if(jArray == NULL) { ++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); ++ if(*ckpLength == 0L) { + *ckpArray = NULL_PTR; +- *ckpLength = 0L; + return; + } +- *ckpLength = (*env)->GetArrayLength(env, jArray); + jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); +@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR + jlong* jTemp; + CK_ULONG i; + +- if(jArray == NULL) { ++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); ++ if(*ckpLength == 0L) { + *ckpArray = NULL_PTR; +- *ckpLength = 0L; + return; + } +- *ckpLength = (*env)->GetArrayLength(env, jArray); + jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong)); + if (jTemp == NULL) { + throwOutOfMemoryError(env, 0); +@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR * + jchar* jpTemp; + CK_ULONG i; + +- if(jArray == NULL) { ++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); ++ if(*ckpLength == 0L) { + *ckpArray = NULL_PTR; +- *ckpLength = 0L; + return; + } +- *ckpLength = (*env)->GetArrayLength(env, jArray); + jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); + if (jpTemp == NULL) { + throwOutOfMemoryError(env, 0); +@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH + jchar* jTemp; + CK_ULONG i; + +- if(jArray == NULL) { ++ *ckpLength = jArray == NULL ? 
0L : (*env)->GetArrayLength(env, jArray); ++ if(*ckpLength == 0L) { + *ckpArray = NULL_PTR; +- *ckpLength = 0L; + return; + } +- *ckpLength = (*env)->GetArrayLength(env, jArray); + jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); + if (jTemp == NULL) { + throwOutOfMemoryError(env, 0); +diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h +index eb6d01b9e47..450e4d27d62 100644 +--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h ++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h +@@ -68,6 +68,7 @@ + /* extra PKCS#11 constants not in the standard include files */ + + #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350) ++/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */ + #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000) + #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8) + #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9) +@@ -76,6 +77,12 @@ + #define CKA_NETSCAPE_DB 0xD5A0DB00 + #define CKM_NSS_TLS_PRF_GENERAL 0x80000373 + ++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */ ++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29) ++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30) ++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31) ++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32) ++ + /* + + Define the PKCS#11 functions to include and exclude. 
Reduces the size +@@ -265,6 +272,7 @@ void printDebug(const char *format, ...); + #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS" + #define PBE_INIT_VECTOR_SIZE 8 + #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS" ++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2" + #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS" + + #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS" +@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM + CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env, + jobject jParam, CK_ULONG* pLength); + CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); +-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); ++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); + CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); + CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); + CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam); +@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env, + CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); + CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); + ++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */ ++typedef enum {PARAMS=0, PARAMS2} ParamVersion; ++ ++typedef struct { ++ union { ++ CK_PKCS5_PBKD2_PARAMS v1; ++ 
CK_PKCS5_PBKD2_PARAMS2 v2; ++ } params; ++ ParamVersion version; ++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr; ++ ++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \ ++ do { \ ++ if ((verParamsPtr)->version == PARAMS) { \ ++ free((verParamsPtr)->params.v1.pSaltSourceData); \ ++ free((verParamsPtr)->params.v1.pPrfData); \ ++ free((verParamsPtr)->params.v1.pPassword); \ ++ free((verParamsPtr)->params.v1.ulPasswordLen); \ ++ } else { \ ++ free((verParamsPtr)->params.v2.pSaltSourceData); \ ++ free((verParamsPtr)->params.v2.pPrfData); \ ++ free((verParamsPtr)->params.v2.pPassword); \ ++ } \ ++ } while(0) ++ + /* functions to copy the returned values inside CK-mechanism back to Java object */ + + void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java index 8c9e4f9dbe6..883dc04758e 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 654850d..a7e9c14 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -349,7 +349,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver bb46af07cb9 +%global fipsver 0bd5ca9ccc5 # Standard JPackage naming and versioning defines %global origin openjdk @@ -357,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -1392,6 +1392,8 @@ Patch7: jdk8292223-tzdata2022b-kyiv.patch # RH2104724: Avoid import/export of DH private keys # RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode # Build the systemconf library on all platforms +# RH2048582: Support PKCS#12 keystores +# RH2020290: Support TLS 1.3 in FIPS mode Patch1001: fips-17u-%{fipsver}.patch ############################################# @@ -2621,6 +2623,11 @@ cjc.mainProgram(args) %endif %changelog +* Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-2 +- Update FIPS support to bring in latest changes +- * RH2048582: Support PKCS#12 keystores +- * RH2020290: Support TLS 1.3 in FIPS mode + * Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 - Update to jdk-17.0.4.1+1 - Update release notes to 17.0.4.1+1 From b6fe10006550dde2aee2763c06dd2f0143850dfa Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Thu, 1 Sep 2022 02:59:35 +0100 Subject: [PATCH 48/61] Switch to static builds, reducing system dependencies and making build more portable --- java-17-openjdk.spec | 73 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 61 insertions(+), 12 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index a7e9c14..cbef4a4 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -23,6 +23,8 @@ %bcond_without staticlibs # Build a fresh libjvm.so for use in a copy of the bootstrap JDK %bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} 
@@ -39,6 +41,16 @@ %global build_hotspot_first 0 %endif +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -357,7 +369,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 2 +%global rpmrelease 3 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
@@ -419,7 +431,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.* +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -857,6 +869,9 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%if ! %{system_libs} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so 
@@ -1411,14 +1426,8 @@ BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel BuildRequires: fontconfig-devel -BuildRequires: freetype-devel -BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: harfbuzz-devel -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXi-devel @@ -1450,6 +1459,30 @@ BuildRequires: systemtap-sdt-devel %endif BuildRequires: make +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h +Provides: bundled(freetype) = 2.12.0 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 2.8.0 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.12.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} @@ -1799,8 +1832,11 @@ if [ $prioritylength -ne 8 ] ; then fi # OpenJDK patches + +%if %{system_libs} # Remove libraries that are linked by both static and dynamic builds sh %{SOURCE12} %{top_level_dir_name} +%endif # Patch the JDK pushd %{top_level_dir_name} 
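Review bot: The `Provides: bundled(...)` list added in the `%else` branch has no entry for zlib, although the configure hunk further down changes `--with-zlib=system` to `--with-zlib=${link_opt}`, so a default (non-`system_libs`) build now compiles in the JDK's own zlib copy as well. Without that entry, tooling that queries bundled libraries to track security fixes will not find this one; add `Provides: bundled(zlib) = <version from the in-tree zlib.h>` next to the others, with the same kind of "Version in ..." comment. The hard-coded versions can drift from the sources, so a build-time check that compares them with the headers named in those comments would keep the metadata honest.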
@@ -1934,6 +1970,12 @@ function buildjdk() { local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} + if [ "x${link_opt}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + echo "Using output directory: ${outputdir}"; echo "Checking build JDK ${buildjdk} is operational..." ${buildjdk}/bin/java -version @@ -1965,13 +2007,14 @@ function buildjdk() { --with-native-debug-symbols="%{debug_symbols}" \ --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=system \ + --with-zlib=${link_opt} \ + --with-freetype=${link_opt} \ --with-libjpeg=${link_opt} \ --with-giflib=${link_opt} \ --with-libpng=${link_opt} \ --with-lcms=${link_opt} \ --with-harfbuzz=${link_opt} \ - --with-stdc++lib=dynamic \ + --with-stdc++lib=${libc_link_opt} \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-ldflags="%{ourldflags}" \ @@ -2138,12 +2181,13 @@ for suffix in %{build_loop} ; do bootbuilddir=boot${builddir} if test "x${loop}" = "x%{main_suffix}" ; then + link_opt="%{link_type}" +%if %{system_libs} # Copy the source tree so we can remove all in-tree libraries cp -a %{top_level_dir_name} %{top_level_dir_name_backup} # Remove all libraries that are linked sh %{SOURCE12} %{top_level_dir_name} full - # Use system libraries - link_opt="system" +%endif # Debug builds don't need same targets as release for # build speed-up. We also avoid bootstrapping these # slower builds. @@ -2161,9 +2205,11 @@ for suffix in %{build_loop} ; do else buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} fi +%if %{system_libs} # Restore original source tree we modified by removing full in-tree sources rm -rf %{top_level_dir_name} mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif else # Use bundled libraries for building statically link_opt="bundled" 
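Review bot: `libc_link_opt` in the `@@ -1934,6 +1970,12 @@` hunk is assigned without `local`, unlike `top_dir_abs_src_path` and `top_dir_abs_build_path` just above it, so it leaks into the global scope of the `%build` script; declare it first with `local libc_link_opt`. The name is also misleading, because its only visible use is `--with-stdc++lib=${libc_link_opt}` in the `@@ -1965,13 +2007,14 @@` hunk: it selects how libstdc++ is linked, not libc. A comment such as `# bundled builds link libstdc++ statically; fixes to it then reach users only through a rebuild of this package` would record why the two settings are tied together and what that costs. The body of `buildjdk` starts before and continues past these hunks.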
@@ -2623,6 +2669,9 @@ cjc.mainProgram(args) %endif %changelog +* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-3 +- Switch to static builds, reducing system dependencies and making build more portable + * Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-2 - Update FIPS support to bring in latest changes - * RH2048582: Support PKCS#12 keystores From 3e49d2c00a1317e128ae6c5d9ef46e9bfdea36e1 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Mon, 3 Oct 2022 04:09:32 +0100 Subject: [PATCH 49/61] Update to jdk-17.0.5+1 Update release notes to 17.0.5+1 Switch to EA mode for 17.0.5 pre-release builds. Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 Bump FreeType bundled version to 2.12.1 following JDK-8290334 --- .gitignore | 1 + NEWS | 273 +++++++++++++++++++++++++++++++++++++++++++ java-17-openjdk.spec | 19 ++- sources | 2 +- 4 files changed, 288 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 5df29a7..18fa8bb 100644 --- a/.gitignore +++ b/.gitignore @@ -29,3 +29,4 @@ /openjdk-jdk17u-jdk-17.0.4+7.tar.xz /openjdk-jdk17u-jdk-17.0.4+8.tar.xz /openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz +/openjdk-jdk17u-jdk-17.0.5+1.tar.xz diff --git a/NEWS b/NEWS index ed5ebeb..d278173 100644 --- a/NEWS +++ b/NEWS 
@@ -3,6 +3,279 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.5 (2022-10-18): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1705 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.txt + +* Other changes + - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 + - JDK-7131823: bug in GIFImageReader + - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac + - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed + - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails + - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java + - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! + - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" + - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test. + - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values + - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. + - JDK-8240903: Add test to check that jmod hashes are reproducible + - JDK-8254318: Remove .hgtags + - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline + - JDK-8256844: Make NMT late-initializable + - JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom" + - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class + - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. 
+ - JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled" + - JDK-8269039: Disable SHA-1 Signed JARs + - JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr + - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections + - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java + - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest + - JDK-8271344: Windows product version issue + - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 + - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals + - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null] + - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades) + - JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts + - JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 + - JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms + - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] + - JDK-8274597: Some of the dnd tests time out and fail intermittently + - JDK-8274856: Failing jpackage tests with fastdebug/release build + - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test + - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold + - JDK-8276837: [macos]: Error when signing the additional launcher + - JDK-8277429: Conflicting jpackage static library name + - JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged" + - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable + - JDK-8278233: 
[macos] tools/jpackage tests timeout due to /usr/bin/osascript + - JDK-8278311: Debian packaging doesn't work + - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS + - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS + - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0 + - JDK-8279622: C2: miscompilation of map pattern as a vector reduction + - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl + - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound + - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed + - JDK-8280863: Update build README to reflect that MSYS2 is supported + - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method + - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix + - JDK-8281181: Do not use CPU Shares to compute active processor count + - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 + - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted) + - JDK-8281535: Create a regression test for JDK-4670051 + - JDK-8281569: Create tests for Frame.setMinimumSize() method + - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting + - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button + - JDK-8281745: Create a regression test for JDK-4514331 + - JDK-8281988: Create a regression test for JDK-4618767 + - JDK-8282007: Assorted enhancements to jpackage testing framework + - JDK-8282046: Create a regression test for JDK-8000326 + - JDK-8282214: Upgrade JQuery to version 3.6.0 + - JDK-8282234: Create a regression test for JDK-4532513 + - JDK-8282280: Update Xerces to Version 2.12.2 + - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access + - 
JDK-8282343: Create a regression test for JDK-4518432 + - JDK-8282351: jpackage does not work if class file has `$$` in the name on windows + - JDK-8282407: Missing ')' in MacResources.properties + - JDK-8282467: add extra diagnostics for JDK-8268184 + - JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8282548: Create a regression test for JDK-4330998 + - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc + - JDK-8282640: Create a test for JDK-4740761 + - JDK-8282778: Create a regression test for JDK-4699544 + - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767 + - JDK-8282860: Write a regression test for JDK-4164779 + - JDK-8282933: Create a test for JDK-4529616 + - JDK-8282936: Write a regression test for JDK-4615365 + - JDK-8282937: Write a regression test for JDK-4820080 + - JDK-8283015: Create a test for JDK-4715496 + - JDK-8283087: Create a test or JDK-4715503 + - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) + - JDK-8283457: [macos] libpng build failures with Xcode13.3 + - JDK-8283493: Create an automated regression test for RFE 4231298 + - JDK-8283507: Create a regression test for RFE 4287690 + - JDK-8283562: JDK-8282306 breaks gtests on zero + - JDK-8283597: [REDO] Invalid generic signature for redefined classes + - JDK-8283621: Write a regression test for CCC4400728 + - JDK-8283623: Create an automated regression test for JDK-4525475 + - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows + - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 + - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS + - JDK-8284067: 
jpackage'd launcher reports non-zero exit codes with error prompt + - JDK-8284294: Create an automated regression test for RFE 4138746 + - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph + - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 + - JDK-8284521: Write an automated regression test for RFE 4371575 + - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest + - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset + - JDK-8284686: Interval of < 1 ms disables ExecutionSample events + - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice + - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 + - JDK-8284898: Enhance PassFailJFrame + - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization + - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment + - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist + - JDK-8285081: Improve XPath operators count accuracy + - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java + - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity + - JDK-8285380: Fix typos in security + - JDK-8285398: Cache the results of constraint checks + - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 + - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities + - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java + - JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe + - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" 
assert failure + - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5 + - JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes + - JDK-8286277: CDS VerifyError when calling clone() on object array + - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache + - JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45] + - JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage + - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled + - JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect + - JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis + - JDK-8286869: unify os::dir_is_empty across posix platforms + - JDK-8286870: Memory leak with RepeatCompilation + - JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5 + - JDK-8287073: NPE from CgroupV2Subsystem.getInstance() + - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn + - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller + - JDK-8287113: JFR: Periodic task thread uses period for method sampling events + - JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host + - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event + - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver + - JDK-8287366: Improve test failure reporting in GHA + - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number + - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node + - JDK-8287663: Add a regression test for JDK-8287073 + - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run + - JDK-8287724: Fix various issues with msys2 + - JDK-8287735: Provide separate event category for dll operations + - 
JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete + - JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag + - JDK-8287895: Some langtools tests fail on msys2 + - JDK-8287896: PropertiesTest.sh fail on msys2 + - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows + - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests + - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier + - JDK-8288003: log events for os::dll_unload + - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic + - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes + - JDK-8288467: remove memory_operand assert for spilled instructions + - JDK-8288499: Restore cancel-in-progress in GHA + - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... 
+ - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp + - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small + - JDK-8288992: AArch64: CMN should be handled the same way as CMP + - JDK-8289147: unify os::infinite_sleep on posix platforms + - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion + - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc + - JDK-8289486: Improve XSLT XPath operators count efficiency + - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl + - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad + - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter + - JDK-8289853: Update HarfBuzz to 4.4.1 + - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 + - JDK-8290000: Bump macOS GitHub actions to macOS 11 + - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown + - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers + - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" + - JDK-8290334: Update FreeType to 2.12.1 + - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle + +Notes on individual issues: +=========================== + +core-libs/java.net: + +JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable +=========================================================================== +Two system properties have been added which control the keep alive +behavior of HttpURLConnection in the case where the server does not +specify a keep alive time. Two properties are defined for controlling +connections to servers and proxies separately. They are: + +* `http.keepAlive.time.server` +* `http.keepAlive.time.proxy` + +respectively. 
More information about them can be found on the +Networking Properties page: +https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html. + +hotspot/runtime: + +JDK-8281181: CPU Shares Ignored When Computing Active Processor Count +===================================================================== +Previous JDK releases used an incorrect interpretation of the Linux +cgroups parameter "cpu.shares". This might cause the JVM to use fewer +CPUs than available, leading to an under utilization of CPU resources +when the JVM is used inside a container. + +Starting from this JDK release, by default, the JVM no longer +considers "cpu.shares" when deciding the number of threads to be used +by the various thread pools. The `-XX:+UseContainerCpuShares` +command-line option can be used to revert to the previous +behavior. This option is deprecated and may be removed in a future JDK +release. + +security-libs/java.security: + +JDK-8269039: Disabled SHA-1 Signed JARs +======================================= +JARs signed with SHA-1 algorithms are now restricted by default and +treated as if they were unsigned. This applies to the algorithms used +to digest, sign, and optionally timestamp the JAR. It also applies to +the signature and digest algorithms of the certificates in the +certificate chain of the code signer and the Timestamp Authority, and +any CRLs or OCSP responses that are used to verify if those +certificates have been revoked. These restrictions also apply to +signed JCE providers. + +To reduce the compatibility risk for JARs that have been previously +timestamped, there is one exception to this policy: + +- Any JAR signed with SHA-1 algorithms and timestamped prior to + January 01, 2019 will not be restricted. + +This exception may be removed in a future JDK release. 
To determine if +your signed JARs are affected by this change, run: + +$ jarsigner -verify -verbose -certs` + +on the signed JAR, and look for instances of "SHA1" or "SHA-1" and +"disabled" and a warning that the JAR will be treated as unsigned in +the output. + +For example: + + Signed by "CN="Signer"" + Digest algorithm: SHA-1 (disabled) + Signature algorithm: SHA1withRSA (disabled), 2048-bit key + + WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: + + jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 + +JARs affected by these new restrictions should be replaced or +re-signed with stronger algorithms. + +Users can, *at their own risk*, remove these restrictions by modifying +the `java.security` configuration file (or override it by using the +`java.security.properties` system property) and removing "SHA1 usage +SignedJAR & denyAfter 2019-01-01" from the +`jdk.certpath.disabledAlgorithms` security property and "SHA1 +denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security +property. + New in release OpenJDK 17.0.4.1 (2022-08-16): =========================================== Live versions of these release notes can be found at: diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index cbef4a4..7e9d93e 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -321,8 +321,8 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 4 -%global patchver 1 +%global updatever 5 +%global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place 
@@ -369,7 +369,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 1 -%global rpmrelease 3 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -395,7 +395,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global build_type GA %global ea_designator "" @@ -1468,11 +1468,11 @@ BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.12.0 +Provides: bundled(freetype) = 2.12.1 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 2.8.0 +Provides: bundled(harfbuzz) = 4.4.1 # Version in src/java.desktop/share/native/liblcms/lcms2.h Provides: bundled(lcms2) = 2.12.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h @@ -2669,6 +2669,13 @@ cjc.mainProgram(args) %endif %changelog +* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.1.ea +- Update to jdk-17.0.5+1 +- Update release notes to 17.0.5+1 +- Switch to EA mode for 17.0.5 pre-release builds. +- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 +- Bump FreeType bundled version to 2.12.1 following JDK-8290334 + * Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-3 - Switch to static builds, reducing system dependencies and making build more portable diff --git a/sources b/sources index 2008902..ccc402e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz) = 50bf07932e3aec20b4b5d51c01fe095a67b0186a4bc0bed6c8acfacde3673b97f0f177e0f3c372bf1a494c99e61475b4af66261be15f33bb4be8b14671952419 +SHA512 (openjdk-jdk17u-jdk-17.0.5+1.tar.xz) = fb8a70c13220bb2091d618c186912f9a11741effee769eee33e20239d439176a9a3a0321316fb0778d14e08a662b282a9f4c7fb2d64ad45e7b582dcf9f2187a1 From 344ea34bdd0b0e21960190665e23be94a90b8bd4 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 4 Oct 2022 02:28:50 +0100 Subject: [PATCH 50/61] Update to jdk-17.0.5+7 Update release notes to 17.0.5+7 --- .gitignore | 1 + NEWS | 51 ++++++++++++++++++++++++++++++++++++++++++++ java-17-openjdk.spec | 6 +++++- sources | 2 +- 4 files changed, 58 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 18fa8bb..8a7b642 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,4 @@ /openjdk-jdk17u-jdk-17.0.4+8.tar.xz /openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz /openjdk-jdk17u-jdk-17.0.5+1.tar.xz +/openjdk-jdk17u-jdk-17.0.5+7.tar.xz diff --git a/NEWS b/NEWS index d278173..277319c 100644 --- a/NEWS +++ b/NEWS 
@@ -10,9 +10,11 @@ Live versions of these release notes can be found at: * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.txt * Other changes + - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 - JDK-7131823: bug in GIFImageReader - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac + - JDK-8028265: Add legacy tz tests to OpenJDK - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java @@ -20,7 +22,10 @@ Live versions of these release notes can be found at: - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test. - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values + - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch + - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. + - JDK-8227651: Tests fail with SSLProtocolException: Input record too big - JDK-8240903: Add test to check that jmod hashes are reproducible - JDK-8254318: Remove .hgtags - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline 
@@ -36,6 +41,7 @@ Live versions of these release notes can be found at: - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest - JDK-8271344: Windows product version issue - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 + - JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null] - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades) @@ -46,6 +52,7 @@ Live versions of these release notes can be found at: - JDK-8274597: Some of the dnd tests time out and fail intermittently - JDK-8274856: Failing jpackage tests with fastdebug/release build - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test + - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold - JDK-8276837: [macos]: Error when signing the additional launcher - JDK-8277429: Conflicting jpackage static library name @@ -55,6 +62,7 @@ Live versions of these release notes can be found at: - JDK-8278311: Debian packaging doesn't work - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS + - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4 - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0 - JDK-8279622: C2: miscompilation of map pattern as a vector reduction - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl 
@@ -62,6 +70,7 @@ Live versions of these release notes can be found at: - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed - JDK-8280863: Update build README to reflect that MSYS2 is supported - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method + - JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix - JDK-8281181: Do not use CPU Shares to compute active processor count - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 @@ -93,8 +102,11 @@ Live versions of these release notes can be found at: - JDK-8282933: Create a test for JDK-4529616 - JDK-8282936: Write a regression test for JDK-4615365 - JDK-8282937: Write a regression test for JDK-4820080 + - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions - JDK-8283015: Create a test for JDK-4715496 - JDK-8283087: Create a test or JDK-4715503 + - JDK-8283245: Create a test for JDK-4670319 + - JDK-8283277: ISO 4217 Amendment 171 Update - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) - JDK-8283457: [macos] libpng build failures with Xcode13.3 - JDK-8283493: Create an automated regression test for RFE 4231298 
@@ -103,16 +115,21 @@ Live versions of these release notes can be found at: - JDK-8283597: [REDO] Invalid generic signature for redefined classes - JDK-8283621: Write a regression test for CCC4400728 - JDK-8283623: Create an automated regression test for JDK-4525475 + - JDK-8283624: Create an automated regression test for RFE-4390885 + - JDK-8283712: Create a manual test framework class - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS - JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt + - JDK-8284077: Create an automated test for JDK-4170173 - JDK-8284294: Create an automated regression test for RFE 4138746 - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1 - JDK-8284521: Write an automated regression test for RFE 4371575 + - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset - JDK-8284686: Interval of < 1 ms disables ExecutionSample events 
@@ -120,6 +137,7 @@ Live versions of these release notes can be found at: - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 - JDK-8284898: Enhance PassFailJFrame - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization + - JDK-8284950: CgroupV1 detection code should consider memory.swappiness - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist - JDK-8285081: Improve XPath operators count accuracy @@ -127,7 +145,10 @@ Live versions of these release notes can be found at: - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity - JDK-8285380: Fix typos in security - JDK-8285398: Cache the results of constraint checks + - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test + - JDK-8285693: Create an automated test for JDK-4702199 - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null + - JDK-8285730: unify _WIN32_WINNT settings - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java 
@@ -155,6 +176,7 @@ Live versions of these release notes can be found at: - JDK-8287366: Improve test failure reporting in GHA - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node + - JDK-8287463: JFR: Disable TestDevNull.java on Windows - JDK-8287663: Add a regression test for JDK-8287073 - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run - JDK-8287724: Fix various issues with msys2 
@@ -166,24 +188,32 @@ Live versions of these release notes can be found at: - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier + - JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs - JDK-8288003: log events for os::dll_unload - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes + - JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds - JDK-8288467: remove memory_operand assert for spilled instructions - JDK-8288499: Restore cancel-in-progress in GHA - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small + - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305 - JDK-8288992: AArch64: CMN should be handled the same way as CMP + - JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible - JDK-8289147: unify os::infinite_sleep on posix platforms - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion + - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc - JDK-8289486: Improve XSLT XPath operators count efficiency + - JDK-8289549: ISO 4217 Amendment 172 Update - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl + - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun - JDK-8289697: buffer overflow in MTLVertexCache.m: 
MTLVertexCache_AddGlyphQuad - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter - JDK-8289853: Update HarfBuzz to 4.4.1 - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 + - JDK-8289910: unify os::message_box across posix platforms - JDK-8290000: Bump macOS GitHub actions to macOS 11 - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown @@ -191,6 +221,10 @@ Live versions of these release notes can be found at: - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" - JDK-8290334: Update FreeType to 2.12.1 - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle + - JDK-8290456: remove os::print_statistics() + - JDK-8291595: [17u] Delete files missed in backport of 8269039 + - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr + - JDK-8292579: (tz) Update Timezone Data to 2022c Notes on individual issues: =========================== 
@@ -211,6 +245,23 @@ respectively. More information about them can be found on the Networking Properties page: https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html. +security-libs/javax.crypto: + +JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location +===================================================================================== +The Windows KeyStore support in the SunMSCAPI provider has been +expanded to include access to the local machine location. The new +keystore types are: + +* "Windows-MY-LOCALMACHINE" +* "Windows-ROOT-LOCALMACHINE" + +The following keystore types were also added, allowing developers to +make it clear they map to the current user: + +* "Windows-MY-CURRENTUSER" (same as "Windows-MY") +* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") + hotspot/runtime: JDK-8281181: CPU Shares Ignored When Computing Active Processor Count diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 7e9d93e..a424c92 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -368,7 +368,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 1 +%global buildver 7 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -2669,6 +2669,10 @@ cjc.mainProgram(args) %endif %changelog +* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.1.ea +- Update to jdk-17.0.5+7 +- Update release notes to 17.0.5+7 + * Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.1.ea - Update to jdk-17.0.5+1 - Update release notes to 17.0.5+1 diff --git a/sources b/sources index ccc402e..d0a250a 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.5+1.tar.xz) = fb8a70c13220bb2091d618c186912f9a11741effee769eee33e20239d439176a9a3a0321316fb0778d14e08a662b282a9f4c7fb2d64ad45e7b582dcf9f2187a1
+SHA512 (openjdk-jdk17u-jdk-17.0.5+7.tar.xz) = 43eb77ba56756748ce39e245824ca7d68c7cfe01fd4e72599e1b73f85bd522beadb3651029457c2b6dbb0080daf3d0550350929090e36fce8fc7892163222bc7
From 48de3d829af74724145d4561d610479f8eddb7f4 Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Fri, 14 Oct 2022 18:51:06 +0100
Subject: [PATCH 51/61] Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 Update CLDR data with Europe/Kyiv (JDK-8293834) Drop JDK-8292223 patch which we found to be unnecessary Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
---
 TestTranslations.java | 125 ++++++++-
 java-17-openjdk.spec | 46 +++-
 jdk8292223-tzdata2022b-kyiv.patch | 132 ----------
 jdk8293834-kyiv_cldr_update.patch | 51 ++++
 jdk8294357-tzdata2022d.patch | 303 +++++++++++++++++++++
 jdk8295173-tzdata2022e.patch | 420 ++++++++++++++++++++++++++++++
 6 files changed, 921 insertions(+), 156 deletions(-)
 delete mode 100644 jdk8292223-tzdata2022b-kyiv.patch
 create mode 100644 jdk8293834-kyiv_cldr_update.patch
 create mode 100644 jdk8294357-tzdata2022d.patch
 create mode 100644 jdk8295173-tzdata2022e.patch
diff --git a/TestTranslations.java b/TestTranslations.java
index cf83303..dbea417 100644
--- a/TestTranslations.java
+++ b/TestTranslations.java
@@ -15,20 +15,125 @@ You should have received a copy of the GNU Affero General Public License along with this program. If not, see . */ -import java.util.Arrays; -import java.util.Locale; -import java.util.ResourceBundle; +import java.text.DateFormatSymbols; -import sun.util.resources.LocaleData; -import sun.util.locale.provider.LocaleProviderAdapter; +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; public class TestTranslations { + + private static Map KYIV; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET", + "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST", + "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + } + + public static void main(String[] args) { - for (String zone : args) { - System.out.printf("Translations for %s\n", zone); - for (Locale l : Locale.getAvailableLocales()) { - ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l); - System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone))); + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + String localeProvider = args[0]; + System.out.println("Checking sanity 
of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + for (Locale l : KYIV.keySet()) { + String[] expected = KYIV.get(l); + for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, 
longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } } } } diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index a424c92..1dcf98c 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -369,7 +369,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions 
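Review bot: The check of `longGen` against `expected[6]` (exit code 8) reports "Long standard display name", the same wording as the exit-4 check on `longStd`, so a failing build log points at the wrong lookup; the message should be `"Long generic display name for %s in %s was %s, expected %s\n"`. The `localeProvider` argument is also validated inside the innermost loop although it is fixed for the whole run, so an invalid value is only rejected after the full zone-string scan; choosing the three short-name indices once, right after `String localeProvider = args[0];`, would fail fast and remove the repeated branch. A short comment on `KYIV` stating that each array holds the long, CLDR-short and JRE-short names for standard, DST and generic time, in that order, would make the index choices (`expected[1]` versus `expected[2]`, and so on) readable without tracing the branches.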
@@ -1160,8 +1160,9 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2022a required as of JDK-8283350 in 17.0.4 -Requires: tzdata-java >= 2022a +# 2022d required as of JDK-8294357 +# Should be bumped to 2022e once available (JDK-8295173) +Requires: tzdata-java >= 2022d # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1378,8 +1379,6 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch -# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b -Patch7: jdk8292223-tzdata2022b-kyiv.patch # Crypto policy and FIPS support patches # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u @@ -1417,6 +1416,18 @@ Patch1001: fips-17u-%{fipsver}.patch # ############################################# +############################################# +# +# OpenJDK patches targetted for 17.0.6 +# +############################################# +# JDK-8293834: Update CLDR data following tzdata 2022c update +Patch2001: jdk8293834-kyiv_cldr_update.patch +# JDK-8294357: (tz) Update Timezone Data to 2022d +Patch2002: jdk8294357-tzdata2022d.patch +# JDK-8295173: (tz) Update Timezone Data to 2022e +Patch2003: jdk8295173-tzdata2022e.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: alsa-lib-devel 
@@ -1449,8 +1460,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022a required as of JDK-8283350 in 17.0.4 -BuildRequires: tzdata-java >= 2022a +# 2022d required as of JDK-8294357 +# Should be bumped to 2022e once available (JDK-8295173) +BuildRequires: tzdata-java >= 2022d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1844,11 +1856,14 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch6 -p1 -%patch7 -p1 # Add crypto policy and FIPS support %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# tzdata updates targetted for 17.0.6 +%patch2001 -p1 +%patch2002 -p1 +%patch2003 -p1 popd # openjdk %patch600 @@ -2395,12 +2410,9 @@ $JAVA_HOME/bin/javac -d . %{SOURCE16} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" # Check translations are available for new timezones -$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \ - --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \ - -d . %{SOURCE18} -$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \ - --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \ - $(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv" +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) 
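Review bot: The new `%patch2001`, `%patch2002` and `%patch2003` lines are applied after `%patch1000`, whose comment still says it "must come last as it also alters java.security", so the stated ordering rule no longer matches the file. The parts of these patches visible in this commit touch `make/data/cldr`, `make/data/tzdata` and a test, so the order is presumably harmless, but the constraint that matters for the crypto-policy/FIPS configuration should be written down precisely. I would reword the comment to `# nss.cfg PKCS11 support; must come after the FIPS patch (1001) as it also alters java.security`, or move the tzdata block above `%patch1001`.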
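Review bot: The first `TestTranslations` run in the `@@ -2395,12 +2410,9 @@` hunk passes `JRE` as the expectation label but sets no `-Djava.locale.providers`, so, as far as the hunk shows, nothing ties that label to the provider that actually answers; only the second run pins `CLDR`. If the intent is to exercise the JDK's default provider order, a comment should say so, for example `# First run uses the default locale provider order; "JRE" only selects the expected short names`. As a point of style, the repeated `$(echo $(basename %{SOURCE18})|sed "s|\.java||")` is unquoted and is evaluated twice; computing the class name once into a quoted variable (e.g. with `basename %{SOURCE18} .java`) would be easier to read and safe against word splitting.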
@@ -2669,6 +2681,12 @@ cjc.mainProgram(args) %endif %changelog +* Fri Oct 14 2022 Andrew Hughes - 1:17.0.5.0.7-0.2.ea +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Update CLDR data with Europe/Kyiv (JDK-8293834) +- Drop JDK-8292223 patch which we found to be unnecessary +- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream + * Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.1.ea - Update to jdk-17.0.5+7 - Update release notes to 17.0.5+7 diff --git a/jdk8292223-tzdata2022b-kyiv.patch b/jdk8292223-tzdata2022b-kyiv.patch deleted file mode 100644 index 1107b82..0000000 --- a/jdk8292223-tzdata2022b-kyiv.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -index 8759aab3995..11ccbf73839 100644 ---- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle { - {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00", - "Kirov Daylight Time", "GMT+03:00", - "Kirov Time", "GMT+03:00"}}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -index f007c1a8d3b..617268e4cf3 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -index 386414e16e6..14c5d89b9c5 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", 
GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -index d23f5fd49e6..44117125619 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -index b4f57d4568c..efa818f3865 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -index 1a10a9f96dc..7c0565461ad 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff 
--git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -index 9a2d9e5c57c..8a2c805997f 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -index de5e5c82daa..e3c06417f09 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -index b53de4d8c89..3e46b6a063e 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff 
--git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -index 7797cda19d5..590908409a8 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -index 2cd10554853..23c5f180b6d 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle { - {"Europe/Jersey", GMTBST}, - {"Europe/Kaliningrad", EET}, - {"Europe/Kiev", EET}, -+ {"Europe/Kyiv", EET}, - {"Europe/Lisbon", WET}, - {"Europe/Ljubljana", CET}, - {"Europe/London", GMTBST}, diff --git a/jdk8293834-kyiv_cldr_update.patch b/jdk8293834-kyiv_cldr_update.patch new file mode 100644 index 0000000..b8dda24 --- /dev/null +++ b/jdk8293834-kyiv_cldr_update.patch 
@@ -0,0 +1,51 @@ +diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml +index 41ff6d236c8..e703020dcdd 100644 +--- a/make/data/cldr/common/bcp47/timezone.xml ++++ b/make/data/cldr/common/bcp47/timezone.xml +@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html + + + +- ++ + + + +diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java +index eb56c087ad6..e398af3c151 100644 +--- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java ++++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java +@@ -23,7 +23,7 @@ + + /* + * @test +- * @bug 8181157 8202537 8234347 8236548 8261279 ++ * @bug 8181157 8202537 8234347 8236548 8261279 8293834 + * @modules jdk.localedata + * @summary Checks CLDR time zone names are generated correctly at runtime + * @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest +@@ -102,6 +102,24 @@ public class TimeZoneNamesTest { + "UTC+04:00", + "heure : Astrakhan", + "UTC+04:00"}, ++ {"Europe/Kyiv", Locale.US, "Eastern European Standard Time", ++ "GMT+02:00", ++ "Eastern European Summer Time", ++ "GMT+03:00", ++ "Eastern European Time", ++ "GMT+02:00"}, ++ {"Europe/Kyiv", Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est", ++ "UTC+02:00", ++ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", ++ "UTC+03:00", ++ "heure d\u2019Europe de l\u2019Est", ++ "UTC+02:00"}, ++ {"Europe/Kyiv", Locale.GERMANY, "Osteurop\u00e4ische Normalzeit", ++ "OEZ", ++ "Osteurop\u00e4ische Sommerzeit", ++ "OESZ", ++ "Osteurop\u00e4ische Zeit", ++ "OEZ"}, + {"Europe/Saratov", Locale.US, "Saratov Standard Time", + "GMT+04:00", + "Saratov Daylight Time", diff --git a/jdk8294357-tzdata2022d.patch b/jdk8294357-tzdata2022d.patch new file mode 100644 index 0000000..9eb6727 --- /dev/null +++ b/jdk8294357-tzdata2022d.patch 
@@ -0,0 +1,303 @@ +commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce +Author: Goetz Lindenmaier +Date: Wed Oct 5 07:13:43 2022 +0000 + + 8294357: (tz) Update Timezone Data to 2022d + + Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54 + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +index decb8716b22..889d0e6dad7 100644 +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022c ++tzdata2022d +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +index 3a150b0f36b..f9df7432947 100644 +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # The winter time in 2015 started on October 23 at 01:00. + # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY + # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 +-# +-# From Paul Eggert (2019-04-10): +-# For now, guess spring-ahead transitions are at 00:00 on the Saturday +-# preceding March's last Sunday (i.e., Sat>=24). + + # From P Chan (2021-10-18): + # http://wafa.ps/Pages/Details/34701 +@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # From Heba Hamad (2022-03-10): + # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. + ++# From Heba Hamad (2022-08-30): ++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by ++# 60 minutes backwards. Also the state of Palestine adopted the summer ++# and winter time for the years: 2023,2024,2025,2026 ... ++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf ++# (2022-08-31): ... the Saturday before the last Sunday in March and October ++# at 2:00 AM ,for the years from 2023 to 2026. ++# (2022-09-05): https://mtit.pna.ps/Site/New/1453 ++# ++# From Paul Eggert (2022-08-31): ++# For now, assume that this rule will also be used after 2026. 
++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S + Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - +@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - + Rule Palestine 2014 only - Oct 24 0:00 0 - + Rule Palestine 2015 only - Mar 28 0:00 1:00 S + Rule Palestine 2015 only - Oct 23 1:00 0 - +-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S +-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - ++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S ++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - + Rule Palestine 2019 only - Mar 29 0:00 1:00 S +-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - +-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S ++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - ++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S + Rule Palestine 2020 only - Oct 24 1:00 0 - +-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - +-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S ++Rule Palestine 2021 only - Oct 29 1:00 0 - ++Rule Palestine 2022 only - Mar 27 0:00 1:00 S ++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward +index d4a29e8cf29..7765d99aedf 100644 +--- a/make/data/tzdata/backward ++++ b/make/data/tzdata/backward +@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT + Link Europe/London Europe/Belfast + Link Europe/Kyiv Europe/Kiev + Link Europe/Chisinau Europe/Tiraspol ++Link Europe/Kyiv Europe/Uzhgorod ++Link Europe/Kyiv Europe/Zaporozhye + Link Europe/London GB + Link Europe/London GB-Eire + Link Etc/GMT GMT+0 +diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +index 879b5337536..accc845dbaf 100644 +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 + # From Alexander Krivenyshev (2014-03-17): + # time change at 2:00 
(2am) on March 30, 2014 + # https://vz.ru/news/2014/3/17/677464.html +-# From Paul Eggert (2014-03-30): +-# Simferopol and Sevastopol reportedly changed their central town clocks +-# late the previous day, but this appears to have been ceremonial +-# and the discrepancies are small enough to not worry about. ++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): ++# The clocks at the railway station in Simferopol were put forward from 22:00 ++# to 24:00 the previous day in a "symbolic ceremony"; however, per ++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings ++# time switch at 2am" on Sunday. ++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html ++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 ++# https://www.bbc.com/news/av/world-europe-26806583 + 2:00 EU EE%sT 2014 Mar 30 2:00 + 4:00 - MSK 2014 Oct 26 2:00s + 3:00 - MSK +@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # US colleague David Cochrane) are still trying to get more + # information upon these local deviations from Kiev rules. + # +-# From Paul Eggert (2022-02-08): +-# For now, assume that Ukraine's other three zones followed the same rules, ++# From Paul Eggert (2022-08-27): ++# For now, assume that Ukraine's zones all followed the same rules, + # except that Crimea switched to Moscow time in 1994 as described elsewhere. + + # From Igor Karpov, who works for the Ukrainian Ministry of Justice, +@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # * Ukrainian Government's Resolution of 20.03.1992, No. 139. + # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm + +-# From Paul Eggert (2022-04-12): +-# As is usual in tzdb, Ukrainian zones use the most common English spellings. 
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in +-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, +-# "Kyiv" is now more common due to widespread reporting of the current conflict. +-# Conversely, tzdb continues to use the names Europe/Uzhgorod and +-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is +-# certainly wrong as a transliteration of the Czech "Praha". +-# English-language spelling of Ukrainian names is in flux, and +-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more +-# common in English; in the meantime, do not change these +-# English spellings as that means less disruption for our users. +- + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-# This represents most of Ukraine. See above for the spelling of "Kyiv". + Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time + 2:00 - EET 1930 Jun 21 +@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:00 1:00 EEST 1991 Sep 29 3:00 + 2:00 C-Eur EE%sT 1996 May 13 + 2:00 EU EE%sT +-# Transcarpathia used CET 1990/1991. +-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but +-# "Uzhgorod" is more common in English. +-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct +- 1:00 - CET 1940 +- 1:00 C-Eur CE%sT 1944 Oct +- 1:00 1:00 CEST 1944 Oct 26 +- 1:00 - CET 1945 Jun 29 +- 3:00 Russia MSK/MSD 1990 +- 3:00 - MSK 1990 Jul 1 2:00 +- 1:00 - CET 1991 Mar 31 3:00 +- 2:00 - EET 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT +-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. +-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but +-# "Zaporozh'ye" is more common in English. Use the common English +-# spelling, except omit the apostrophe as it is not allowed in +-# portable Posix file names. 
+-Zone Europe/Zaporozhye 2:20:40 - LMT 1880 +- 2:20 - +0220 1924 May 2 +- 2:00 - EET 1930 Jun 21 +- 3:00 - MSK 1941 Aug 25 +- 1:00 C-Eur CE%sT 1943 Oct 25 +- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 +- 2:00 E-Eur EE%sT 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT + + # Vatican City + # See Europe/Rome. +diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica +index 13ec081c7e0..3c0e0e2061c 100644 +--- a/make/data/tzdata/southamerica ++++ b/make/data/tzdata/southamerica +@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 + # for America/Santiago will start on midnight of September 11th; + # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) + # will keep UTC -3 "indefinitely"... This is because on September 4th +-# we will have a voting whether to approve a new Constitution.... +-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ ++# we will have a voting whether to approve a new Constitution. ++# ++# From Eduardo Romero Urra (2022-08-17): ++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf ++# ++# From Paul Eggert (2022-08-17): ++# Although the presidential decree stops at fall 2026, assume that ++# similar DST rules will continue thereafter. 
+ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Chile 1927 1931 - Sep 1 0:00 1:00 - +diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab +index 51b65fa273c..ee025196e50 100644 +--- a/make/data/tzdata/zone.tab ++++ b/make/data/tzdata/zone.tab +@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam + UA +5026+03031 Europe/Kyiv Ukraine (most areas) +-UA +4837+02218 Europe/Uzhgorod Transcarpathia +-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island +diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +index 15c2f0d1275..6f6e190efcd 100644 +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -574,12 +574,8 @@ public final class ZoneInfoFile { + // we can then pass in the dom = -1, dow > 0 into ZoneInfo + // + // hacking, assume the >=24 is the result of ZRB optimization for +- // "last", it works for now. From tzdata2020d this hacking +- // will not work for Asia/Gaza and Asia/Hebron which follow +- // Palestine DST rules. +- if (dom < 0 || dom >= 24 && +- !(zoneId.equals("Asia/Gaza") || +- zoneId.equals("Asia/Hebron"))) { ++ // "last", it works for now. 
++ if (dom < 0 || dom >= 24) { + params[1] = -1; + params[2] = toCalendarDOW[dow]; + } else { +@@ -601,7 +597,6 @@ public final class ZoneInfoFile { + params[7] = 0; + } else { + // hacking: see comment above +- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e + if (dom < 0 || dom >= 24) { + params[6] = -1; + params[7] = toCalendarDOW[dow]; +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +index c32bee39fba..71470168456 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022c ++tzdata2022d +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +index a5e6428a3f5..e3ce742f887 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT + Link Europe/London Europe/Belfast + Link Europe/Kyiv Europe/Kiev + Link Europe/Chisinau Europe/Tiraspol ++Link Europe/Kyiv Europe/Uzhgorod ++Link Europe/Kyiv Europe/Zaporozhye + Link Europe/London GB + Link Europe/London GB-Eire + Link Etc/GMT GMT+0 +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +index fc148537f1f..b3823958ae4 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -163,11 +163,9 @@ Europe/Simferopol MSK + Europe/Sofia EET EEST + Europe/Tallinn EET EEST + Europe/Tirane CET CEST +-Europe/Uzhgorod EET EEST + Europe/Vienna CET CEST + Europe/Vilnius EET EEST + Europe/Warsaw CET CEST +-Europe/Zaporozhye EET EEST + Europe/Zurich CET CEST + HST HST + MET MET MEST +diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java +index 7b50c342a0d..a7d14f1aa21 100644 
+--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java ++++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java +@@ -176,11 +176,12 @@ public class TestZoneInfo310 { + * save time in IANA tzdata. This bug is tracked via JDK-8223388. + * + * These are the zones/rules that employ negative DST in vanguard +- * format (as of 2019a): ++ * format (as of 2019a), Palestine added in 2022d: + * + * - Rule "Eire" + * - Rule "Morocco" + * - Rule "Namibia" ++ * - Rule "Palestine" + * - Zone "Europe/Prague" + * + * Tehran/Iran rule has rules beyond 2037, in which javazic assumes +@@ -196,6 +197,8 @@ public class TestZoneInfo310 { + zid.equals("Europe/Dublin") || // uses "Eire" rule + zid.equals("Europe/Prague") || + zid.equals("Asia/Tehran") || // last rule mismatch ++ zid.equals("Asia/Gaza") || // uses "Palestine" rule ++ zid.equals("Asia/Hebron") || // uses "Palestine" rule + zid.equals("Iran")) { // last rule mismatch + continue; + } diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch new file mode 100644 index 0000000..8ffd2ee --- /dev/null +++ b/jdk8295173-tzdata2022e.patch 
@@ -0,0 +1,420 @@ +commit d159a377e0243bd2c80593689fd7cd20b2b578f7 +Author: duke +Date: Fri Oct 14 03:37:19 2022 +0000 + + Backport 21407dec0156301871a83328615e4d975c4287c4 + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +index 889d0e6dad7..b8cb36e69f4 100644 +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022d ++tzdata2022e +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +index f9df7432947..5b2337fd0b6 100644 +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u + # From the Arabic version, it seems to say it would be at midnight + # (assume 24:00) on the last Thursday in February, starting from 2022. + ++# From Issam Al-Zuwairi (2022-10-05): ++# The Council of Ministers in Jordan decided Wednesday 5th October 2022, ++# that daylight saving time (DST) will be throughout the year.... ++# ++# From Brian Inglis (2022-10-06): ++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news ++# ++# From Paul Eggert (2022-10-05): ++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. 
++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Jordan 1973 only - Jun 6 0:00 1:00 S + Rule Jordan 1973 1975 - Oct 1 0:00 0 - +@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - + Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - + Rule Jordan 2013 only - Dec 20 0:00 0 - + Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S +-Rule Jordan 2014 max - Oct lastFri 0:00s 0 - +-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S ++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - ++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Amman 2:23:44 - LMT 1931 +- 2:00 Jordan EE%sT ++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s ++ 3:00 - +03 + + + # Kazakhstan +@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - + # Our brief summary: + # https://www.timeanddate.com/news/time/syria-dst-2012.html + +-# From Arthur David Olson (2012-03-27): +-# Assume last Friday in March going forward XXX. ++# From Steffen Thorsen (2022-10-05): ++# Syria is adopting year-round DST, starting this autumn.... ++# From https://www.enabbaladi.net/archives/607812 ++# "This [the decision] came after the weekly government meeting today, ++# Tuesday 4 October ..." ++# ++# From Paul Eggert (2022-10-05): ++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. + + Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S + Rule Syria 2008 only - Nov 1 0:00 0 - + Rule Syria 2009 only - Mar lastFri 0:00 1:00 S + Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S +-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S +-Rule Syria 2009 max - Oct lastFri 0:00 0 - ++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S ++Rule Syria 2009 2022 - Oct lastFri 0:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq +- 2:00 Syria EE%sT ++ 2:00 Syria EE%sT 2022 Oct 28 0:00 ++ 3:00 - +03 + + # Tajikistan + # From Shanks & Pottenger. 
+diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +index accc845dbaf..2832c4b9763 100644 +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u + 0:00 Spain WE%sT 1940 Mar 16 23:00 + 1:00 Spain CE%sT 1979 + 1:00 EU CE%sT +-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 ++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u + 0:00 - WET 1918 May 6 23:00 + 0:00 1:00 WEST 1918 Oct 7 23:00 + 0:00 - WET 1924 +diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica +index 114cef14cce..ce4ee74582c 100644 +--- a/make/data/tzdata/northamerica ++++ b/make/data/tzdata/northamerica +@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D + Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S + Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 ++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Chicago C%sT 1936 Mar 1 2:00 + -5:00 - EST 1936 Nov 15 2:00 +@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 + -6:00 Chicago C%sT 1967 + -6:00 US C%sT + # Oliver County, ND switched from mountain to central time on 1992-10-25. +-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 ++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1992 Oct 25 2:00 + -6:00 US C%sT + # Morton County, ND, switched from mountain to central time on +@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 + # Jones, Mellette, and Todd Counties in South Dakota; + # but in practice these other counties were already observing central time. + # See . 
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 ++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2003 Oct 26 2:00 + -6:00 US C%sT + +@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 + # largest city in Mercer County). Google Maps places Beulah's city hall + # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". + +-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 ++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2010 Nov 7 2:00 + -6:00 US C%sT + +@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S + Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D + Rule Denver 1965 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 ++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1920 + -7:00 Denver M%sT 1942 + -7:00 US M%sT 1946 +@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D + Rule CA 1950 1961 - Sep lastSun 2:00 0 S + Rule CA 1962 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 ++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1946 + -8:00 CA P%sT 1967 + -8:00 US P%sT +@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 + # Go with the Arizona State Library instead. + + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 ++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1944 Jan 1 0:01 + -7:00 - MST 1944 Apr 1 0:01 + -7:00 US M%sT 1944 Oct 1 0:01 +@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston + # switched four weeks late in 1974. 
+ # + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 ++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1923 May 13 2:00 + -7:00 US M%sT 1974 + -7:00 - MST 1974 Feb 3 2:00 +@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D + Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S + Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 ++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Indianapolis C%sT 1942 + -6:00 US C%sT 1946 +@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S + Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D + Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 ++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1951 + -6:00 Marengo C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S + Rule Vincennes 1961 only - Sep lastSun 2:00 0 S + Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 ++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Vincennes C%sT 1964 Apr 26 2:00 + -5:00 - EST 1969 +@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S + Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D + Rule Perry 1961 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 ++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Perry C%sT 1964 Apr 26 2:00 + -5:00 - EST 1967 Oct 29 2:00 +@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep 
lastSun 2:00 0 S + Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D + Rule Pike 1961 1964 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 ++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1955 + -6:00 Pike C%sT 1965 Apr 25 2:00 + -5:00 - EST 1966 Oct 30 2:00 +@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S + Rule Starke 1957 1958 - Sep lastSun 2:00 0 S + Rule Starke 1959 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 ++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1947 + -6:00 Starke C%sT 1962 Apr 29 2:00 + -5:00 - EST 1963 Oct 27 2:00 +@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S + Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S + Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 ++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Pulaski C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 + # + # Switzerland County, Indiana, did not observe DST from 1973 through 2005. 
+ # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 ++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1954 Apr 25 2:00 + -5:00 - EST 1969 + -5:00 US E%sT 1973 +@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D + Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S + Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 ++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1921 + -6:00 Louisville C%sT 1942 + -6:00 US C%sT 1946 +@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 + # Federal Register 65, 160 (2000-08-17), pp 50154-50158. + # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm + # +-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 ++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 - CST 1968 + -6:00 US C%sT 2000 Oct 29 2:00 +@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + # longitude they are located at. 
+ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++Rule Mexico 1931 only - May 1 23:00 1:00 D ++Rule Mexico 1931 only - Oct 1 0:00 0 S + Rule Mexico 1939 only - Feb 5 0:00 1:00 D + Rule Mexico 1939 only - Jun 25 0:00 0 S + Rule Mexico 1940 only - Dec 9 0:00 1:00 D +@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D + Rule Mexico 2002 max - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + # Quintana Roo; represented by Cancún +-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 ++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 Mexico E%sT 1998 Aug 2 2:00 + -6:00 Mexico C%sT 2015 Feb 1 2:00 + -5:00 - EST + # Campeche, Yucatán; represented by Mérida +-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 ++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 - EST 1982 Dec 2 + -6:00 Mexico C%sT +@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 + # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, + # 2016-03-12 + # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza +-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 ++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT 2010 + -6:00 US C%sT + # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) +-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 ++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT + # Central Mexico +-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 ++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 Mexico C%sT 2001 Sep 30 2:00 + -6:00 - 
CST 2002 Feb 20 + -6:00 Mexico C%sT +@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 + # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, + # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. + # (See the 2016-03-12 El Universal source mentioned above.) +-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 ++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT 2010 + -7:00 US M%sT + # Chihuahua (away from US border) +-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 ++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT + # Sonora +-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 ++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 + # Use "Bahia_Banderas" to keep the name to fourteen characters. 
+ + # Mazatlán +-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 ++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 + -7:00 Mexico M%sT + + # Bahía de Banderas +-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 ++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 + -6:00 Mexico C%sT + + # Baja California +-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 ++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1924 + -8:00 - PST 1927 Jun 10 23:00 + -7:00 - MST 1930 Nov 15 +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +index 71470168456..0cad939008f 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022d ++tzdata2022e +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +index b3823958ae4..2f2786f1c69 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -97,9 +97,7 @@ America/Winnipeg CST CDT + America/Yakutat AKST AKDT + America/Yellowknife MST MDT + Antarctica/Macquarie AEST AEDT +-Asia/Amman EET EEST + Asia/Beirut EET EEST +-Asia/Damascus EET EEST + Asia/Famagusta EET EEST + Asia/Gaza EET EEST + Asia/Hebron EET EEST 
From c0f97cd3e33641d659af543f4a57e74a7bcfb099 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Wed, 19 Oct 2022 21:21:26 +0100 Subject: [PATCH 52/61] Update to jdk-17.0.5+8 (GA) Update release notes to 17.0.5+8 (GA) Switch to GA mode for final release. The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds Remove freetype sources along with zlib sources
--- .gitignore | 1 + NEWS | 19 ++++++++++++++++--- java-17-openjdk.spec | 25 +++++++++++++++++++------ remove-intree-libraries.sh | 11 +++++++++-- sources | 2 +- 5 files changed, 46 insertions(+), 12 deletions(-)
diff --git a/.gitignore b/.gitignore
index 8a7b642..daec806 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@
 /openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
 /openjdk-jdk17u-jdk-17.0.5+1.tar.xz
 /openjdk-jdk17u-jdk-17.0.5+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.5+8.tar.xz
diff --git a/NEWS b/NEWS
index 277319c..f611a71 100644
--- a/NEWS
+++ b/NEWS
@@ -7,8 +7,22 @@ New in release OpenJDK 17.0.5 (2022-10-18): =========================================== Live versions of these release notes can be found at: * https://bitly.com/openjdk1705 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.txt + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html +* Security fixes + - JDK-8282252: Improve BigInteger/Decimal validation + - JDK-8285662: Better permission resolution + - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions + - JDK-8286511: Improve macro allocation + - JDK-8286519: Better memory handling + - JDK-8286526, CVE-2022-21619: Improve NTLM support + - JDK-8286910, CVE-2022-21624: Improve JNDI lookups + - JDK-8286918, CVE-2022-21628: Better HttpServer service + - JDK-8287446: Enhance icon presentations + - JDK-8288508: Enhance ECDSA usage + - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage + - JDK-8289853: Update HarfBuzz to 4.4.1 + - JDK-8290334: Update FreeType to 2.12.1 * Other changes - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 @@ -211,7 +225,6 @@ Live versions of these release notes can be found at: - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter - - JDK-8289853: Update HarfBuzz to 4.4.1 - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060 - JDK-8289910: unify os::message_box across posix platforms - JDK-8290000: Bump macOS GitHub actions to macOS 11 
@@ -219,12 +232,12 @@ Live versions of these release notes can be found at: - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" - - JDK-8290334: Update FreeType to 2.12.1 - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle - JDK-8290456: remove os::print_statistics() - JDK-8291595: [17u] Delete files missed in backport of 8269039 - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr - JDK-8292579: (tz) Update Timezone Data to 2022c + - JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5 Notes on individual issues: =========================== diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 1dcf98c..6fc0908 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -368,8 +368,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 7 -%global rpmrelease 2 +%global buildver 8 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -395,7 +395,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global build_type GA %global ea_designator "" 
@@ -1985,7 +1985,9 @@ function buildjdk() { local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} - if [ "x${link_opt}" = "xbundled" ] ; then + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then libc_link_opt="static"; else libc_link_opt="dynamic"; @@ -2002,6 +2004,10 @@ function buildjdk() { mkdir -p ${outputdir} pushd ${outputdir} + # Note: zlib and freetype use %{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build bash ${top_dir_abs_src_path}/configure \ %ifarch %{zero_arches} --with-jvm-variants=zero \ @@ -2022,8 +2028,8 @@ function buildjdk() { --with-native-debug-symbols="%{debug_symbols}" \ --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=${link_opt} \ - --with-freetype=${link_opt} \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ --with-libjpeg=${link_opt} \ --with-giflib=${link_opt} \ --with-libpng=${link_opt} \ @@ -2681,6 +2687,13 @@ cjc.mainProgram(args) %endif %changelog +* Wed Oct 19 2022 Andrew Hughes - 1:17.0.5.0.8-1 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Switch to GA mode for final release. +- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds +- Remove freetype sources along with zlib sources + * Fri Oct 14 2022 Andrew Hughes - 1:17.0.5.0.7-0.2.ea - Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 - Update CLDR data with Europe/Kyiv (JDK-8293834) diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh index e999c7e..25c2fc8 100644 --- a/remove-intree-libraries.sh +++ b/remove-intree-libraries.sh 
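Review bot: In the `@@ -1985` hunk the new test `[ "x%{link_type}" = "xbundled" ]` compares two fixed strings, because rpm expands `%{link_type}` before the shell runs, so it reads as a runtime decision but is not one. The function already uses rpm conditionals inside the configure call (`%ifarch %{zero_arches}`), so the choice could be written as `%if "%{link_type}" == "bundled"` / `%else` / `%endif` around the two `libc_link_opt=` assignments, leaving only the branch taken in the generated build script. The same global now feeds `--with-zlib` and `--with-freetype` in the `@@ -2022` hunk, while libjpeg, giflib and libpng still follow `${link_opt}`. The definition of `%{link_type}` is outside these hunks, so it is worth confirming that it always carries a value configure accepts for both options. The body of `buildjdk` starts and ends outside the hunks shown.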
@@ -5,6 +5,7 @@ TREE=${1} TYPE=${2} ZIP_SRC=src/java.base/share/native/libzip/zlib/ +FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ @@ -31,15 +32,21 @@ cd ${TREE} echo "Removing built-in libs (they will be linked)" -# On full runs, allow for zlib having already been deleted by minimal +# On full runs, allow for zlib & freetype having already been deleted by minimal echo "Removing zlib" if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then echo "${ZIP_SRC} does not exist. Refusing to proceed." exit 1 fi rm -rvf ${ZIP_SRC} +echo "Removing freetype" +if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then + echo "${FREETYPE_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${FREETYPE_SRC} -# Minimal is limited to just zlib so finish here +# Minimal is limited to just zlib and freetype so finish here if test "x${TYPE}" = "xminimal"; then echo "Finished."; exit 0; diff --git a/sources b/sources index d0a250a..e7c6383 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.5+7.tar.xz) = 43eb77ba56756748ce39e245824ca7d68c7cfe01fd4e72599e1b73f85bd522beadb3651029457c2b6dbb0080daf3d0550350929090e36fce8fc7892163222bc7 +SHA512 (openjdk-jdk17u-jdk-17.0.5+8.tar.xz) = 1acbda948374d7834347c9b98cfc25a7db24a5656e4466792831015158bdf24026a35a2cdbb8993c09e906a5f305b9e7749fa36b4dae3e75800a8976a2cb2b82 From 9253c5fd017a7bb658a8ab650f8d9ea6c0c0f2c7 Mon Sep 17 00:00:00 2001 
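Review bot: The new freetype guard in the `@@ -31,15` hunk copies the zlib one verbatim, including `-a` inside `[ ]` and the unquoted `${FREETYPE_SRC}`, and it is followed directly by a recursive forced delete. I would write the test as `if [ "x${TYPE}" = "xminimal" ] && [ ! -d "${FREETYPE_SRC}" ]; then`, the removal as `rm -rvf -- "${FREETYPE_SRC}"`, and send the refusal message to stderr with `>&2`. The path is relative, so the delete only targets the intended tree if the `cd ${TREE}` shown at the top of the hunk succeeded. Whether the script checks that or runs under `set -e` is outside this hunk and worth confirming. The existing zlib block has the same shape and could be changed alongside; the script continues past the end of the hunk.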
From: Andrew Hughes Date: Wed, 9 Nov 2022 02:52:39 +0000 Subject: [PATCH 53/61] Update to jdk-17.0.6+1 Update release notes to 17.0.6+1 Switch to EA mode for 17.0.6 pre-release builds. Re-enable EA upstream status check now it is being actively maintained. Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream Bump tzdata requirement to 2022e now the package is available in Fedora --- .gitignore | 1 + NEWS | 181 +++++++++++++++ java-17-openjdk.spec | 33 ++- jdk8294357-tzdata2022d.patch | 303 ------------------------- jdk8295173-tzdata2022e.patch | 420 ----------------------------------- sources | 2 +- 6 files changed, 199 insertions(+), 741 deletions(-) delete mode 100644 jdk8294357-tzdata2022d.patch delete mode 100644 jdk8295173-tzdata2022e.patch diff --git a/.gitignore b/.gitignore index daec806..b6a0653 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,4 @@ /openjdk-jdk17u-jdk-17.0.5+1.tar.xz /openjdk-jdk17u-jdk-17.0.5+7.tar.xz /openjdk-jdk17u-jdk-17.0.5+8.tar.xz +/openjdk-jdk17u-jdk-17.0.6+1.tar.xz diff --git a/NEWS b/NEWS index f611a71..231f074 100644 --- a/NEWS +++ b/NEWS 
@@ -3,6 +3,187 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.6 (2023-01-17): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1706 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html + +* Other changes + - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows + - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails + - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails + - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails + - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails + - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java + - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java + - JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...' + - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop" + - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs + - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos + - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos + - JDK-8244670: convert clhsdb "whatis" command from javascript to java + - JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives. 
+ - JDK-8256811: Delayed/missed jdwp class unloading events + - JDK-8257722: Improve "keytool -printcert -jarfile" output + - JDK-8262721: Add Tests to verify single iteration loops are properly optimized + - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint + - JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java + - JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow" + - JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out + - JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" + - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs + - JDK-8269571: NMT should print total malloc bytes and invocation count + - JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m) + - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction + - JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns. 
+ - JDK-8270947: AArch64: C1: use zero_words to initialize all objects + - JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts + - JDK-8271956: AArch64: C1 build failed after JDK-8270947 + - JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" + - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 + - JDK-8272776: NullPointerException not reported + - JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947 + - JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java + - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints + - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 + - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 + - JDK-8273881: Metaspace: test repeated deallocations + - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI + - JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high + - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS + - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening + - JDK-8275170: Some jtreg sound tests should be marked with sound keyword + - JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList + - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked + - JDK-8276108: Wrong instruction generation in aarch64 backend + - JDK-8276904: Optional.toString() is unnecessarily expensive + - JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM" + - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64 + - JDK-8277351: ProblemList 
runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64 + - JDK-8277358: Accelerate CRC32-C + - JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check + - JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64 + - JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64 + - JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64 + - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode + - JDK-8277928: Fix compilation on macosx-aarch64 after 8276108 + - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore + - JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" + - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC + - JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes + - JDK-8280234: AArch64 "core" variant does not build after JDK-8270947 + - JDK-8280511: AArch64: Combine shift and negate to a single instruction + - JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered + - JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object + - JDK-8280872: Reorder code cache segments to improve code density + - JDK-8280948: Write a regression test for JDK-4659800 + - JDK-8281296: Create a regression test for JDK-4515999 + - JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores + - JDK-8282276: Problem list failing two Robot Screen Capture tests + - JDK-8282347: AARCH64: Untaken branch in has_negatives stub + - JDK-8282402: Create a regression test for JDK-4666101 + - JDK-8282528: AArch64: Incorrect replicate2L_zero rule + - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 + - JDK-8282730: 
LdapLoginModule throw NPE from logout method after login failure + - JDK-8282777: Create a Regression test for JDK-4515031 + - JDK-8282857: Create a regression test for JDK-4702690 + - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 + - JDK-8283298: Make CodeCacheSegmentSize a product flag + - JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32 + - JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name + - JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction" + - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox + - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X + - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation + - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" + - JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently + - JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot + - JDK-8285305: Create an automated test for JDK-4495286 + - JDK-8285373: Create an automated test for JDK-4702233 + - JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java + - JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java + - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox + - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" + - JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: 
testCurrentTimeMillis failed with -3" + - JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable + - JDK-8286452: The array length of testSmallConstArray should be small and const + - JDK-8286460: Remove dependence on JAR filename in CDS tests + - JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2 + - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray + - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows + - JDK-8287076: Document.normalizeDocument() produces different results + - JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance + - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path + - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative + - JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile + - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces + - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable + - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding + - JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name + - JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support + - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output + - JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented + - JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException + - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https + - JDK-8290207: Missing notice in dom.md + - JDK-8290209: jcup.md missing additional text + - JDK-8290451: Incorrect result when switching to 
C2 OSR compilation from C1 + - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure + - JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes + - JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS + - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" + - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize + - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses + - JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM + - JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 + - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) + - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 + - JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath + - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region + - JDK-8292083: Detected container memory limit may exceed physical machine memory + - JDK-8292158: AES-CTR cipher state corruption with AVX-512 + - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out + - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory + - JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle + - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update + - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free + - JDK-8292816: GPL Classpath exception missing from assemblyprefix.h + - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures + - JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not 
unloading + - JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java + - JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6 + - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform + - JDK-8292903: enhance round_up_power_of_2 assertion output + - JDK-8293044: C1: Missing access check on non-accessible class + - JDK-8293232: Fix race condition in pkcs11 SessionManager + - JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if + - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present + - JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint + - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts + - JDK-8293578: Duplicate ldc generated by javac + - JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" + - JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details + - JDK-8293672: Update freetype md file + - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present + - JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception + - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent + - JDK-8293826: Closed test fails after JDK-8276108 on aarch64 + - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening + - JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum + - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC + - JDK-8294357: (tz) Update Timezone Data to 2022d + - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode + - JDK-8294740: Add cgroups keyword to TestDockerBasic.java + - JDK-8294837: unify Windows 2019 version check 
in os_windows and java_props_md + - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator + - JDK-8295173: (tz) Update Timezone Data to 2022e + - JDK-8295288: Some vm_flags tests associate with a wrong BugID + - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp + - JDK-8295429: Update harfbuzz md file + - JDK-8295469: S390X: Optimized builds are broken + - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + New in release OpenJDK 17.0.5 (2022-10-18): =========================================== Live versions of these release notes can be found at: diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 6fc0908..3fbd691 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -321,7 +321,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 5 +%global updatever 6 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -368,7 +368,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 +%global buildver 1 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -395,7 +395,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global build_type GA %global ea_designator "" 
@@ -1160,9 +1160,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2022d required as of JDK-8294357 -# Should be bumped to 2022e once available (JDK-8295173) -Requires: tzdata-java >= 2022d +# 2022e required as of JDK-8295173 +Requires: tzdata-java >= 2022e # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1423,10 +1422,6 @@ Patch1001: fips-17u-%{fipsver}.patch ############################################# # JDK-8293834: Update CLDR data following tzdata 2022c update Patch2001: jdk8293834-kyiv_cldr_update.patch -# JDK-8294357: (tz) Update Timezone Data to 2022d -Patch2002: jdk8294357-tzdata2022d.patch -# JDK-8295173: (tz) Update Timezone Data to 2022e -Patch2003: jdk8295173-tzdata2022e.patch BuildRequires: autoconf BuildRequires: automake @@ -1460,9 +1455,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022d required as of JDK-8294357 -# Should be bumped to 2022e once available (JDK-8295173) -BuildRequires: tzdata-java >= 2022d +# 2022e required as of JDK-8295173 +BuildRequires: tzdata-java >= 2022e # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1862,8 +1856,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # tzdata updates targetted for 17.0.6 %patch2001 -p1 -%patch2002 -p1 -%patch2003 -p1 popd # openjdk %patch600 @@ -1885,8 +1877,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then echo "WARNING: Designator mismatch"; echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; - # Don't fail at present as upstream are not maintaining the value correctly - #exit 17 + exit 17 fi # Extract systemtap tapsets 
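Review bot: With `exit 17` re-enabled in the `@@ -1885` hunk, a designator mismatch is now fatal, but the first message still says `WARNING: Designator mismatch` and all three messages go to stdout. In a build log that reads as a non-fatal notice printed just before the build stops. I would change it to `echo "ERROR: Designator mismatch" >&2;` and add `>&2` to the two following `echo` lines. How `UPSTREAM_EA_DESIGNATOR` is derived is outside the hunk, so the comparison itself is not reviewed here.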
@@ -2687,6 +2678,14 @@ cjc.mainProgram(args) %endif %changelog +* Wed Nov 09 2022 Andrew Hughes - 1:17.0.6.0.1-0.1.ea +- Update to jdk-17.0.6+1 +- Update release notes to 17.0.6+1 +- Switch to EA mode for 17.0.6 pre-release builds. +- Re-enable EA upstream status check now it is being actively maintained. +- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream +- Bump tzdata requirement to 2022e now the package is available in Fedora + * Wed Oct 19 2022 Andrew Hughes - 1:17.0.5.0.8-1 - Update to jdk-17.0.5+8 (GA) - Update release notes to 17.0.5+8 (GA) diff --git a/jdk8294357-tzdata2022d.patch b/jdk8294357-tzdata2022d.patch deleted file mode 100644 index 9eb6727..0000000 --- a/jdk8294357-tzdata2022d.patch +++ /dev/null 
@@ -1,303 +0,0 @@ -commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce -Author: Goetz Lindenmaier -Date: Wed Oct 5 07:13:43 2022 +0000 - - 8294357: (tz) Update Timezone Data to 2022d - - Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54 - -diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION -index decb8716b22..889d0e6dad7 100644 ---- a/make/data/tzdata/VERSION -+++ b/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022c -+tzdata2022d -diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia -index 3a150b0f36b..f9df7432947 100644 ---- a/make/data/tzdata/asia -+++ b/make/data/tzdata/asia -@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # The winter time in 2015 started on October 23 at 01:00. - # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY - # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 --# --# From Paul Eggert (2019-04-10): --# For now, guess spring-ahead transitions are at 00:00 on the Saturday --# preceding March's last Sunday (i.e., Sat>=24). - - # From P Chan (2021-10-18): - # http://wafa.ps/Pages/Details/34701 -@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # From Heba Hamad (2022-03-10): - # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. - -+# From Heba Hamad (2022-08-30): -+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by -+# 60 minutes backwards. Also the state of Palestine adopted the summer -+# and winter time for the years: 2023,2024,2025,2026 ... -+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf -+# (2022-08-31): ... the Saturday before the last Sunday in March and October -+# at 2:00 AM ,for the years from 2023 to 2026. -+# (2022-09-05): https://mtit.pna.ps/Site/New/1453 -+# -+# From Paul Eggert (2022-08-31): -+# For now, assume that this rule will also be used after 2026. 
-+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EgyptAsia 1957 only - May 10 0:00 1:00 S - Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - -@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - - Rule Palestine 2014 only - Oct 24 0:00 0 - - Rule Palestine 2015 only - Mar 28 0:00 1:00 S - Rule Palestine 2015 only - Oct 23 1:00 0 - --Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S --Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - -+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S -+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - - Rule Palestine 2019 only - Mar 29 0:00 1:00 S --Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - --Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S -+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - -+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S - Rule Palestine 2020 only - Oct 24 1:00 0 - --Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - --Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S -+Rule Palestine 2021 only - Oct 29 1:00 0 - -+Rule Palestine 2022 only - Mar 27 0:00 1:00 S -+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - -+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Gaza 2:17:52 - LMT 1900 Oct -diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward -index d4a29e8cf29..7765d99aedf 100644 ---- a/make/data/tzdata/backward -+++ b/make/data/tzdata/backward -@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT - Link Europe/London Europe/Belfast - Link Europe/Kyiv Europe/Kiev - Link Europe/Chisinau Europe/Tiraspol -+Link Europe/Kyiv Europe/Uzhgorod -+Link Europe/Kyiv Europe/Zaporozhye - Link Europe/London GB - Link Europe/London GB-Eire - Link Etc/GMT GMT+0 -diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe -index 879b5337536..accc845dbaf 100644 ---- a/make/data/tzdata/europe -+++ b/make/data/tzdata/europe -@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 - # From Alexander Krivenyshev (2014-03-17): - # time change at 2:00 
(2am) on March 30, 2014 - # https://vz.ru/news/2014/3/17/677464.html --# From Paul Eggert (2014-03-30): --# Simferopol and Sevastopol reportedly changed their central town clocks --# late the previous day, but this appears to have been ceremonial --# and the discrepancies are small enough to not worry about. -+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): -+# The clocks at the railway station in Simferopol were put forward from 22:00 -+# to 24:00 the previous day in a "symbolic ceremony"; however, per -+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings -+# time switch at 2am" on Sunday. -+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html -+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 -+# https://www.bbc.com/news/av/world-europe-26806583 - 2:00 EU EE%sT 2014 Mar 30 2:00 - 4:00 - MSK 2014 Oct 26 2:00s - 3:00 - MSK -@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # US colleague David Cochrane) are still trying to get more - # information upon these local deviations from Kiev rules. - # --# From Paul Eggert (2022-02-08): --# For now, assume that Ukraine's other three zones followed the same rules, -+# From Paul Eggert (2022-08-27): -+# For now, assume that Ukraine's zones all followed the same rules, - # except that Crimea switched to Moscow time in 1994 as described elsewhere. - - # From Igor Karpov, who works for the Ukrainian Ministry of Justice, -@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # * Ukrainian Government's Resolution of 20.03.1992, No. 139. - # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm - --# From Paul Eggert (2022-04-12): --# As is usual in tzdb, Ukrainian zones use the most common English spellings. 
--# In particular, tzdb's name Europe/Kyiv uses the most common spelling in --# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, --# "Kyiv" is now more common due to widespread reporting of the current conflict. --# Conversely, tzdb continues to use the names Europe/Uzhgorod and --# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is --# certainly wrong as a transliteration of the Czech "Praha". --# English-language spelling of Ukrainian names is in flux, and --# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more --# common in English; in the meantime, do not change these --# English spellings as that means less disruption for our users. -- - # Zone NAME STDOFF RULES FORMAT [UNTIL] --# This represents most of Ukraine. See above for the spelling of "Kyiv". - Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time - 2:00 - EET 1930 Jun 21 -@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:00 1:00 EEST 1991 Sep 29 3:00 - 2:00 C-Eur EE%sT 1996 May 13 - 2:00 EU EE%sT --# Transcarpathia used CET 1990/1991. --# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but --# "Uzhgorod" is more common in English. --Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct -- 1:00 - CET 1940 -- 1:00 C-Eur CE%sT 1944 Oct -- 1:00 1:00 CEST 1944 Oct 26 -- 1:00 - CET 1945 Jun 29 -- 3:00 Russia MSK/MSD 1990 -- 3:00 - MSK 1990 Jul 1 2:00 -- 1:00 - CET 1991 Mar 31 3:00 -- 2:00 - EET 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT --# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. --# "Zaporizhzhia" is the transliteration of the Ukrainian name, but --# "Zaporozh'ye" is more common in English. Use the common English --# spelling, except omit the apostrophe as it is not allowed in --# portable Posix file names. 
--Zone Europe/Zaporozhye 2:20:40 - LMT 1880 -- 2:20 - +0220 1924 May 2 -- 2:00 - EET 1930 Jun 21 -- 3:00 - MSK 1941 Aug 25 -- 1:00 C-Eur CE%sT 1943 Oct 25 -- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 -- 2:00 E-Eur EE%sT 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT - - # Vatican City - # See Europe/Rome. -diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica -index 13ec081c7e0..3c0e0e2061c 100644 ---- a/make/data/tzdata/southamerica -+++ b/make/data/tzdata/southamerica -@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 - # for America/Santiago will start on midnight of September 11th; - # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) - # will keep UTC -3 "indefinitely"... This is because on September 4th --# we will have a voting whether to approve a new Constitution.... --# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ -+# we will have a voting whether to approve a new Constitution. -+# -+# From Eduardo Romero Urra (2022-08-17): -+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf -+# -+# From Paul Eggert (2022-08-17): -+# Although the presidential decree stops at fall 2026, assume that -+# similar DST rules will continue thereafter. 
- - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Chile 1927 1931 - Sep 1 0:00 1:00 - -diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab -index 51b65fa273c..ee025196e50 100644 ---- a/make/data/tzdata/zone.tab -+++ b/make/data/tzdata/zone.tab -@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti - TW +2503+12130 Asia/Taipei - TZ -0648+03917 Africa/Dar_es_Salaam - UA +5026+03031 Europe/Kyiv Ukraine (most areas) --UA +4837+02218 Europe/Uzhgorod Transcarpathia --UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk - UG +0019+03225 Africa/Kampala - UM +2813-17722 Pacific/Midway Midway Islands - UM +1917+16637 Pacific/Wake Wake Island -diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -index 15c2f0d1275..6f6e190efcd 100644 ---- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -+++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java -@@ -574,12 +574,8 @@ public final class ZoneInfoFile { - // we can then pass in the dom = -1, dow > 0 into ZoneInfo - // - // hacking, assume the >=24 is the result of ZRB optimization for -- // "last", it works for now. From tzdata2020d this hacking -- // will not work for Asia/Gaza and Asia/Hebron which follow -- // Palestine DST rules. -- if (dom < 0 || dom >= 24 && -- !(zoneId.equals("Asia/Gaza") || -- zoneId.equals("Asia/Hebron"))) { -+ // "last", it works for now. 
-+ if (dom < 0 || dom >= 24) { - params[1] = -1; - params[2] = toCalendarDOW[dow]; - } else { -@@ -601,7 +597,6 @@ public final class ZoneInfoFile { - params[7] = 0; - } else { - // hacking: see comment above -- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e - if (dom < 0 || dom >= 24) { - params[6] = -1; - params[7] = toCalendarDOW[dow]; -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -index c32bee39fba..71470168456 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022c -+tzdata2022d -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -index a5e6428a3f5..e3ce742f887 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT - Link Europe/London Europe/Belfast - Link Europe/Kyiv Europe/Kiev - Link Europe/Chisinau Europe/Tiraspol -+Link Europe/Kyiv Europe/Uzhgorod -+Link Europe/Kyiv Europe/Zaporozhye - Link Europe/London GB - Link Europe/London GB-Eire - Link Etc/GMT GMT+0 -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -index fc148537f1f..b3823958ae4 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -163,11 +163,9 @@ Europe/Simferopol MSK - Europe/Sofia EET EEST - Europe/Tallinn EET EEST - Europe/Tirane CET CEST --Europe/Uzhgorod EET EEST - Europe/Vienna CET CEST - Europe/Vilnius EET EEST - Europe/Warsaw CET CEST --Europe/Zaporozhye EET EEST - Europe/Zurich CET CEST - HST HST - MET MET MEST -diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -index 7b50c342a0d..a7d14f1aa21 100644 
---- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -+++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -@@ -176,11 +176,12 @@ public class TestZoneInfo310 { - * save time in IANA tzdata. This bug is tracked via JDK-8223388. - * - * These are the zones/rules that employ negative DST in vanguard -- * format (as of 2019a): -+ * format (as of 2019a), Palestine added in 2022d: - * - * - Rule "Eire" - * - Rule "Morocco" - * - Rule "Namibia" -+ * - Rule "Palestine" - * - Zone "Europe/Prague" - * - * Tehran/Iran rule has rules beyond 2037, in which javazic assumes -@@ -196,6 +197,8 @@ public class TestZoneInfo310 { - zid.equals("Europe/Dublin") || // uses "Eire" rule - zid.equals("Europe/Prague") || - zid.equals("Asia/Tehran") || // last rule mismatch -+ zid.equals("Asia/Gaza") || // uses "Palestine" rule -+ zid.equals("Asia/Hebron") || // uses "Palestine" rule - zid.equals("Iran")) { // last rule mismatch - continue; - } diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch deleted file mode 100644 index 8ffd2ee..0000000 --- a/jdk8295173-tzdata2022e.patch +++ /dev/null 
@@ -1,420 +0,0 @@ -commit d159a377e0243bd2c80593689fd7cd20b2b578f7 -Author: duke -Date: Fri Oct 14 03:37:19 2022 +0000 - - Backport 21407dec0156301871a83328615e4d975c4287c4 - -diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION -index 889d0e6dad7..b8cb36e69f4 100644 ---- a/make/data/tzdata/VERSION -+++ b/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022d -+tzdata2022e -diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia -index f9df7432947..5b2337fd0b6 100644 ---- a/make/data/tzdata/asia -+++ b/make/data/tzdata/asia -@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u - # From the Arabic version, it seems to say it would be at midnight - # (assume 24:00) on the last Thursday in February, starting from 2022. - -+# From Issam Al-Zuwairi (2022-10-05): -+# The Council of Ministers in Jordan decided Wednesday 5th October 2022, -+# that daylight saving time (DST) will be throughout the year.... -+# -+# From Brian Inglis (2022-10-06): -+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news -+# -+# From Paul Eggert (2022-10-05): -+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. 
-+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Jordan 1973 only - Jun 6 0:00 1:00 S - Rule Jordan 1973 1975 - Oct 1 0:00 0 - -@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - - Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - - Rule Jordan 2013 only - Dec 20 0:00 0 - - Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S --Rule Jordan 2014 max - Oct lastFri 0:00s 0 - --Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S -+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - -+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Amman 2:23:44 - LMT 1931 -- 2:00 Jordan EE%sT -+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s -+ 3:00 - +03 - - - # Kazakhstan -@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - - # Our brief summary: - # https://www.timeanddate.com/news/time/syria-dst-2012.html - --# From Arthur David Olson (2012-03-27): --# Assume last Friday in March going forward XXX. -+# From Steffen Thorsen (2022-10-05): -+# Syria is adopting year-round DST, starting this autumn.... -+# From https://www.enabbaladi.net/archives/607812 -+# "This [the decision] came after the weekly government meeting today, -+# Tuesday 4 October ..." -+# -+# From Paul Eggert (2022-10-05): -+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. - - Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S - Rule Syria 2008 only - Nov 1 0:00 0 - - Rule Syria 2009 only - Mar lastFri 0:00 1:00 S - Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S --Rule Syria 2012 max - Mar lastFri 0:00 1:00 S --Rule Syria 2009 max - Oct lastFri 0:00 0 - -+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S -+Rule Syria 2009 2022 - Oct lastFri 0:00 0 - - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq -- 2:00 Syria EE%sT -+ 2:00 Syria EE%sT 2022 Oct 28 0:00 -+ 3:00 - +03 - - # Tajikistan - # From Shanks & Pottenger. 
-diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe -index accc845dbaf..2832c4b9763 100644 ---- a/make/data/tzdata/europe -+++ b/make/data/tzdata/europe -@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u - 0:00 Spain WE%sT 1940 Mar 16 23:00 - 1:00 Spain CE%sT 1979 - 1:00 EU CE%sT --Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 -+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u - 0:00 - WET 1918 May 6 23:00 - 0:00 1:00 WEST 1918 Oct 7 23:00 - 0:00 - WET 1924 -diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica -index 114cef14cce..ce4ee74582c 100644 ---- a/make/data/tzdata/northamerica -+++ b/make/data/tzdata/northamerica -@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D - Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S - Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 -+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Chicago C%sT 1936 Mar 1 2:00 - -5:00 - EST 1936 Nov 15 2:00 -@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 - -6:00 Chicago C%sT 1967 - -6:00 US C%sT - # Oliver County, ND switched from mountain to central time on 1992-10-25. --Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 -+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1992 Oct 25 2:00 - -6:00 US C%sT - # Morton County, ND, switched from mountain to central time on -@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 - # Jones, Mellette, and Todd Counties in South Dakota; - # but in practice these other counties were already observing central time. - # See . 
--Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 -+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2003 Oct 26 2:00 - -6:00 US C%sT - -@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 - # largest city in Mercer County). Google Maps places Beulah's city hall - # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". - --Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 -+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2010 Nov 7 2:00 - -6:00 US C%sT - -@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S - Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D - Rule Denver 1965 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 -+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1920 - -7:00 Denver M%sT 1942 - -7:00 US M%sT 1946 -@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D - Rule CA 1950 1961 - Sep lastSun 2:00 0 S - Rule CA 1962 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 -+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1946 - -8:00 CA P%sT 1967 - -8:00 US P%sT -@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 - # Go with the Arizona State Library instead. - - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 -+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1944 Jan 1 0:01 - -7:00 - MST 1944 Apr 1 0:01 - -7:00 US M%sT 1944 Oct 1 0:01 -@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston - # switched four weeks late in 1974. 
- # - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 -+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1923 May 13 2:00 - -7:00 US M%sT 1974 - -7:00 - MST 1974 Feb 3 2:00 -@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D - Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S - Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 -+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Indianapolis C%sT 1942 - -6:00 US C%sT 1946 -@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S - Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D - Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 -+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1951 - -6:00 Marengo C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S - Rule Vincennes 1961 only - Sep lastSun 2:00 0 S - Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 -+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Vincennes C%sT 1964 Apr 26 2:00 - -5:00 - EST 1969 -@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S - Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D - Rule Perry 1961 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 -+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Perry C%sT 1964 Apr 26 2:00 - -5:00 - EST 1967 Oct 29 2:00 -@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep 
lastSun 2:00 0 S - Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D - Rule Pike 1961 1964 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 -+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1955 - -6:00 Pike C%sT 1965 Apr 25 2:00 - -5:00 - EST 1966 Oct 30 2:00 -@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S - Rule Starke 1957 1958 - Sep lastSun 2:00 0 S - Rule Starke 1959 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 -+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1947 - -6:00 Starke C%sT 1962 Apr 29 2:00 - -5:00 - EST 1963 Oct 27 2:00 -@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S - Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S - Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 -+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Pulaski C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 - # - # Switzerland County, Indiana, did not observe DST from 1973 through 2005. 
- # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 -+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1954 Apr 25 2:00 - -5:00 - EST 1969 - -5:00 US E%sT 1973 -@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D - Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S - Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 -+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1921 - -6:00 Louisville C%sT 1942 - -6:00 US C%sT 1946 -@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 - # Federal Register 65, 160 (2000-08-17), pp 50154-50158. - # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm - # --Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 -+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 - CST 1968 - -6:00 US C%sT 2000 Oct 29 2:00 -@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 - # longitude they are located at. 
- - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S -+Rule Mexico 1931 only - May 1 23:00 1:00 D -+Rule Mexico 1931 only - Oct 1 0:00 0 S - Rule Mexico 1939 only - Feb 5 0:00 1:00 D - Rule Mexico 1939 only - Jun 25 0:00 0 S - Rule Mexico 1940 only - Dec 9 0:00 1:00 D -@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D - Rule Mexico 2002 max - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - # Quintana Roo; represented by Cancún --Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 -+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 Mexico E%sT 1998 Aug 2 2:00 - -6:00 Mexico C%sT 2015 Feb 1 2:00 - -5:00 - EST - # Campeche, Yucatán; represented by Mérida --Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 -+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 - EST 1982 Dec 2 - -6:00 Mexico C%sT -@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 - # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, - # 2016-03-12 - # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza --Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 -+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT 2010 - -6:00 US C%sT - # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) --Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 -+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT - # Central Mexico --Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 -+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 Mexico C%sT 2001 Sep 30 2:00 - -6:00 - 
CST 2002 Feb 20 - -6:00 Mexico C%sT -@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 - # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, - # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. - # (See the 2016-03-12 El Universal source mentioned above.) --Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 -+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT 2010 - -7:00 US M%sT - # Chihuahua (away from US border) --Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 -+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT - # Sonora --Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 -+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 - # Use "Bahia_Banderas" to keep the name to fourteen characters. 
- - # Mazatlán --Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 -+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 - -7:00 Mexico M%sT - - # Bahía de Banderas --Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 -+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 - -6:00 Mexico C%sT - - # Baja California --Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 -+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1924 - -8:00 - PST 1927 Jun 10 23:00 - -7:00 - MST 1930 Nov 15 -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -index 71470168456..0cad939008f 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022d -+tzdata2022e -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -index b3823958ae4..2f2786f1c69 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -97,9 +97,7 @@ America/Winnipeg CST CDT - America/Yakutat AKST AKDT - America/Yellowknife MST MDT - Antarctica/Macquarie AEST AEDT --Asia/Amman EET EEST - Asia/Beirut EET EEST --Asia/Damascus EET EEST - Asia/Famagusta EET EEST - Asia/Gaza EET EEST - Asia/Hebron EET EEST 
diff --git a/sources b/sources index e7c6383..a4137ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.5+8.tar.xz) = 1acbda948374d7834347c9b98cfc25a7db24a5656e4466792831015158bdf24026a35a2cdbb8993c09e906a5f305b9e7749fa36b4dae3e75800a8976a2cb2b82 +SHA512 (openjdk-jdk17u-jdk-17.0.6+1.tar.xz) = eceba28c43d2b5b3172df828faca2a8068067d133a14ca003978bae6405c0ac00d34dafa0f1b123049b13df1555b1b38af0ae89969ac927c1a2a441ed0b3febc From 57b38411b25d47c1927b6804c07421a8a35d98e4 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Mon, 21 Nov 2022 15:08:54 +0100 Subject: [PATCH 54/61] Renamed specfile --- java-17-openjdk.spec => java-17-openjdk-portable.spec | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename java-17-openjdk.spec => java-17-openjdk-portable.spec (100%) diff --git a/java-17-openjdk.spec b/java-17-openjdk-portable.spec similarity index 100% rename from java-17-openjdk.spec rename to java-17-openjdk-portable.spec From c85c8f148e5efcc08a2bbf28071eb4d5bdfaa528 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Fri, 25 Nov 2022 14:29:40 +0100 Subject: [PATCH 55/61] WIP - rewoking fedora spec as portable todo - tar the results --- java-17-openjdk-portable.spec | 1050 ++------------------------------- 1 file changed, 36 insertions(+), 1014 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index 3fbd691..e129354 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec 
@@ -112,7 +112,7 @@ # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) -%global is_system_jdk 1 +%global is_system_jdk 0 %global aarch64 aarch64 arm64 armv8 # we need to distinguish between big and little endian PPC64 @@ -312,8 +312,9 @@ %global stapinstall %{nil} %endif +# always off for portable builds %ifarch %{systemtap_arches} -%global with_systemtap 1 +%global with_systemtap 0 %else %global with_systemtap 0 %endif 
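Review bot: The comment kept above `%global is_system_jdk 0` in the first hunk still explains the 0 value as a tech-preview state that should later be moved back to 1, which is presumably not why the portable spec sets it. A later maintainer following that comment could re-enable the system-JDK provides. I would add a line such as `# portable builds never act as the system JDK; keep this at 0` directly above the changed line.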
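Review bot: Both arms of the `%ifarch %{systemtap_arches}` block in the second hunk now set `with_systemtap` to 0, so the conditional no longer selects anything. The five lines can be reduced to the new comment followed by a single `%global with_systemtap 0`. That makes it clear the tapset sections guarded by `%if %{with_systemtap}` elsewhere in the spec are unreachable on every architecture.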
@@ -493,797 +494,27 @@ ExclusiveArch: %{java_arches} ExcludeArch: %{ix86} %endif -# not-duplicated scriptlets for normal/debug packages -%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : - -%define save_alternatives() %{expand: - # warning! alternatives are localised! - # LANG=cs_CZ.UTF-8 alternatives --display java | head - # LANG=en_US.UTF-8 alternatives --display java | head - function nonLocalisedAlternativesDisplayOfMaster() { - LANG=en_US.UTF-8 alternatives --display "$MASTER" - } - function headOfAbove() { - nonLocalisedAlternativesDisplayOfMaster | head -n $1 - } - MASTER="%{?1}" - LOCAL_LINK="%{?2}" - FAMILY="%{?3}" - rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null - if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then - if headOfAbove 1 | grep -q manual ; then - if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then - headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" - fi - fi - fi -} - -%define save_and_remove_alternatives() %{expand: - if [ "x$debug" == "xtrue" ] ; then - set -x - fi - upgrade1_uninstal0=%{?3} - if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall - %{save_alternatives %{?1} %{?2} %{?4}} - fi - alternatives --remove "%{?1}" "%{?2}" -} - -%define set_if_needed_alternatives() %{expand: - MASTER="%{?1}" - FAMILY="%{?2}" - ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" - if [ -e "$ALTERNATIVES_FILE" ] ; then - rm "$ALTERNATIVES_FILE" - alternatives --set $MASTER $FAMILY - fi -} - - -%define post_script() %{expand: -update-desktop-database %{_datadir}/applications &> /dev/null || : -/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : -exit 0 -} - -%define alternatives_java_install() %{expand: -if [ "x$debug" == "xtrue" ] ; then - set -x -fi -PRIORITY=%{priority} -if [ "%{?1}" == %{debug_suffix} ]; then - let PRIORITY=PRIORITY-1 -fi - 
-ext=.gz -key=java -alternatives \\ - --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ - --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ - --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ - --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ - --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ - --slave %{_mandir}/man1/java.1$ext java.1$ext \\ - %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ - %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ - %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ - %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext - -%{set_if_needed_alternatives $key %{family}} - -for X in %{origin} %{javaver} ; do - key=jre_"$X" - alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} - %{set_if_needed_alternatives $key %{family}} -done - -key=jre_%{javaver}_%{origin} -alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} -%{set_if_needed_alternatives $key %{family}} -} - -%define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - -update-desktop-database %{_datadir}/applications &> /dev/null || : -/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : - -# see pretrans where this file is declared -# also see that pretrans is only for non-debug -if [ ! 
"%{?1}" == %{debug_suffix} ]; then - if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then - sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}} - fi -fi - -exit 0 -} - -%define postun_script() %{expand: -update-desktop-database %{_datadir}/applications &> /dev/null || : -if [ $1 -eq 0 ] ; then - /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null - %{update_desktop_icons} -fi -exit 0 -} - - -%define postun_headless() %{expand: - if [ "x$debug" == "xtrue" ] ; then - set -x - fi - post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax - %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} - %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} - %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} - %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} -} - -%define posttrans_script() %{expand: -%{update_desktop_icons} -} - - -%define alternatives_javac_install() %{expand: -if [ "x$debug" == "xtrue" ] ; then - set -x -fi -PRIORITY=%{priority} -if [ "%{?1}" == %{debug_suffix} ]; then - let PRIORITY=PRIORITY-1 -fi - -ext=.gz -key=javac -alternatives \\ - --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ - --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ - --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ - --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ -%ifarch %{sa_arches} -%ifnarch %{zero_arches} - --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ -%endif -%endif - --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ - --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ - --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ - --slave 
%{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ - --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ - --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ - --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ - --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ - --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ - --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ - --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ - --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ - --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ - --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ - --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\ - --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ - --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ - --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ - --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ - --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ - --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ - --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ - %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\ - %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\ - %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\ - %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ - %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ - %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ - %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave 
%{_mandir}/man1/jdb.1$ext jdb.1$ext \\ - %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\ - %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\ - %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\ - %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\ - %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\ - %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\ - %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\ - %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ - %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ - %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ - %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext - -%{set_if_needed_alternatives $key %{family}} - -for X in %{origin} %{javaver} ; do - key=java_sdk_"$X" - alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} - %{set_if_needed_alternatives $key %{family}} -done - -key=java_sdk_%{javaver}_%{origin} -alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} -%{set_if_needed_alternatives $key %{family}} -} - -%define post_devel() %{expand: -update-desktop-database %{_datadir}/applications &> /dev/null || : -/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : - -exit 0 -} - -%define postun_devel() %{expand: - if [ "x$debug" == "xtrue" ] ; then - set -x - fi - post_state=$1 
# from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax - %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} - %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} - %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} - %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} - -update-desktop-database %{_datadir}/applications &> /dev/null || : - -if [ $1 -eq 0 ] ; then - /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null - %{update_desktop_icons} -fi -exit 0 -} - -%define posttrans_devel() %{expand: -%{alternatives_javac_install -- %{?1}} -%{update_desktop_icons} -} - -%define alternatives_javadoc_install() %{expand: -if [ "x$debug" == "xtrue" ] ; then - set -x -fi -PRIORITY=%{priority} -if [ "%{?1}" == %{debug_suffix} ]; then - let PRIORITY=PRIORITY-1 -fi - for X in %{origin} %{javaver} ; do - key=javadocdir_"$X" - alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} - %{set_if_needed_alternatives $key %{family_noarch}} - done - - key=javadocdir_%{javaver}_%{origin} - alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} - %{set_if_needed_alternatives $key %{family_noarch}} - - key=javadocdir - alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} - %{set_if_needed_alternatives $key %{family_noarch}} -exit 0 -} - -%define postun_javadoc() %{expand: -if [ "x$debug" == "xtrue" ] ; then - set -x -fi - post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax - %{save_and_remove_alternatives javadocdir 
%{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} - %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} - %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} - %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} -exit 0 -} - -%define alternatives_javadoczip_install() %{expand: -if [ "x$debug" == "xtrue" ] ; then - set -x -fi -PRIORITY=%{priority} -if [ "%{?1}" == %{debug_suffix} ]; then - let PRIORITY=PRIORITY-1 -fi - for X in %{origin} %{javaver} ; do - key=javadoczip_"$X" - alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} - %{set_if_needed_alternatives $key %{family_noarch}} - done - - key=javadoczip_%{javaver}_%{origin} - alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} - %{set_if_needed_alternatives $key %{family_noarch}} - - # Weird legacy filename for backwards-compatibility - key=javadoczip - alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} - %{set_if_needed_alternatives $key %{family_noarch}} -exit 0 -} - -%define postun_javadoc_zip() %{expand: - if [ "x$debug" == "xtrue" ] ; then - set -x - fi - post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax - %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} - %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} - %{save_and_remove_alternatives javadoczip_%{javaver} 
%{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} - %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} -exit 0 -} - -%define files_jre() %{expand: -%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so -} - - -%define files_jre_headless() %{expand: -%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal -%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS -%dir %{_sysconfdir}/.java/.systemPrefs -%dir %{_sysconfdir}/.java -%dir %{_jvmdir}/%{sdkdir -- %{?1}} -%{_jvmdir}/%{sdkdir -- %{?1}}/release -%{_jvmdir}/%{jrelnk -- %{?1}} -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib -%ifarch %{jit_arches} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist -%endif -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so -%if ! 
%{system_libs} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so -%endif -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so -# Some architectures don't have the serviceability agent -%ifarch %{sa_arches} -%ifnarch %{zero_arches} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so -%endif -%endif -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so -%ifarch %{svml_arches} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so -%endif -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc -%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ -%ifarch %{share_arches} -%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- 
%{?1}}/lib/server/classes.jsa -%endif -%dir %{etcjavasubdir} -%dir %{etcjavadir -- %{?1}} -%dir %{etcjavadir -- %{?1}}/lib -%dir %{etcjavadir -- %{?1}}/lib/security -%{etcjavadir -- %{?1}}/lib/security/cacerts -%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream -%dir %{etcjavadir -- %{?1}}/conf -%dir %{etcjavadir -- %{?1}}/conf/sdp -%dir %{etcjavadir -- %{?1}}/conf/management -%dir %{etcjavadir -- %{?1}}/conf/security -%dir %{etcjavadir -- %{?1}}/conf/security/policy -%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited -%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited -%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy -%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs -%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy - %{etcjavadir -- %{?1}}/conf/security/policy/README.txt -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security -%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg -%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access -# This is a config template, thus not config-noreplace -%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template -%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template -%config(noreplace) %{etcjavadir -- 
%{?1}}/conf/management/management.properties -%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties -%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties -%{_jvmdir}/%{sdkdir -- %{?1}}/conf -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security -%if %is_system_jdk -%if %{is_release_build -- %{?1}} -%ghost %{_bindir}/java -%ghost %{_bindir}/%{alt_java_name} -%ghost %{_jvmdir}/jre -%ghost %{_bindir}/keytool -%ghost %{_bindir}/pack200 -%ghost %{_bindir}/rmid -%ghost %{_bindir}/rmiregistry -%ghost %{_bindir}/unpack200 -%ghost %{_jvmdir}/jre-%{origin} -%ghost %{_jvmdir}/jre-%{javaver} -%ghost %{_jvmdir}/jre-%{javaver}-%{origin} -%endif -%endif -# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 -# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ -%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved -%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved -} - -%define files_devel() %{expand: -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage -# Some architectures don't have the serviceability agent -%ifarch %{sa_arches} -%ifnarch %{zero_arches} -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb -%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1* -%endif -%endif -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript 
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver -%{_jvmdir}/%{sdkdir -- %{?1}}/include -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym -%if %{with_systemtap} -%{_jvmdir}/%{sdkdir -- %{?1}}/tapset -%endif -%{_datadir}/applications/*jconsole%{?1}.desktop -%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* - -%if %{with_systemtap} -%dir %{tapsetroot} -%dir %{tapsetdirttapset} -%dir %{tapsetdir} -%{tapsetdir}/*%{_arch}%{?1}.stp -%endif -%if %is_system_jdk -%if %{is_release_build -- %{?1}} -%ghost %{_bindir}/javac -%ghost %{_jvmdir}/java -%ghost %{_jvmdir}/%{alt_java_name} -%ghost %{_bindir}/jlink -%ghost %{_bindir}/jmod -%ghost %{_bindir}/jhsdb -%ghost %{_bindir}/jar -%ghost %{_bindir}/jarsigner 
-%ghost %{_bindir}/javadoc -%ghost %{_bindir}/javap -%ghost %{_bindir}/jcmd -%ghost %{_bindir}/jconsole -%ghost %{_bindir}/jdb -%ghost %{_bindir}/jdeps -%ghost %{_bindir}/jdeprscan -%ghost %{_bindir}/jimage -%ghost %{_bindir}/jinfo -%ghost %{_bindir}/jmap -%ghost %{_bindir}/jps -%ghost %{_bindir}/jrunscript -%ghost %{_bindir}/jshell -%ghost %{_bindir}/jstack -%ghost %{_bindir}/jstat -%ghost %{_bindir}/jstatd -%ghost %{_bindir}/serialver -%ghost %{_jvmdir}/java-%{origin} -%ghost %{_jvmdir}/java-%{javaver} -%ghost %{_jvmdir}/java-%{javaver}-%{origin} -%endif -%endif -} - -%define files_jmods() %{expand: -%{_jvmdir}/%{sdkdir -- %{?1}}/jmods -} - -%define files_demo() %{expand: -%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal -%{_jvmdir}/%{sdkdir -- %{?1}}/demo -%{_jvmdir}/%{sdkdir -- %{?1}}/sample -} - -%define files_src() %{expand: -%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip -} - -%define files_static_libs() %{expand: -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root} -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir} -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir} -%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a -} - -%define files_javadoc() %{expand: -%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} -%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal -%if %is_system_jdk -%if %{is_release_build -- %{?1}} -%ghost %{_javadocdir}/java -%ghost %{_javadocdir}/java-%{origin} -%ghost %{_javadocdir}/java-%{javaver} -%ghost %{_javadocdir}/java-%{javaver}-%{origin} -%endif -%endif -} - -%define files_javadoc_zip() %{expand: -%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip -%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal -%if %is_system_jdk -%if %{is_release_build -- %{?1}} -%ghost %{_javadocdir}/java-zip -%ghost %{_javadocdir}/java-%{origin}.zip -%ghost %{_javadocdir}/java-%{javaver}.zip -%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip -%endif -%endif -} - +# Portables have no rpo 
(requires/provides), but thsoe are awesome for orientation in spec +# also scriptlets are hapily missing and files are handled old fashion # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: -Requires: fontconfig%{?_isa} -Requires: xorg-x11-fonts-Type1 -# Require libXcomposite explicitly since it's only dynamically loaded -# at runtime. Fixes screenshot issues. See JDK-8150954. -Requires: libXcomposite%{?_isa} -# Requires rest of java -Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -# for java-X-openjdk package's desktop binding -# Where recommendations are available, recommend Gtk+ for the Swing look and feel -%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 -Recommends: gtk3%{?_isa} -%endif - -Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} - -# Standard JPackage base provides -Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release} -Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release} -%if %is_system_jdk -Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release} -Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release} -Provides: java%{?1} = %{epoch}:%{version}-%{release} -Provides: jre%{?1} = %{epoch}:%{version}-%{release} -%endif -} - -%define java_headless_rpo() %{expand: -# Require /etc/pki/java/cacerts -Requires: ca-certificates -# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros -Requires: javapackages-filesystem -# Require zone-info data provided by tzdata-java sub-package -# 2022e required as of JDK-8295173 -Requires: tzdata-java >= 2022e -# for support of kernel stream control -# libsctp.so.1 is being `dlopen`ed on demand -Requires: lksctp-tools%{?_isa} -%if ! 
0%{?flatpak} -# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, -# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be -# considered as regression -Requires: copy-jdk-configs >= 4.0 -OrderWithRequires: copy-jdk-configs -%endif -# for printing support -Requires: cups-libs -# for system security properties -Requires: crypto-policies -# for FIPS PKCS11 provider -Requires: nss -# Post requires alternatives to install tool alternatives -Requires(post): %{alternatives_requires} -# Postun requires alternatives to uninstall tool alternatives -Requires(postun): %{alternatives_requires} -# Where suggestions are available, recommend the sctp and pcsc libraries -# for optional support of kernel stream control and card reader -%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 -Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} -%endif - -# Standard JPackage base provides -Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} -%if %is_system_jdk -Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release} -Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} -%endif } %define java_devel_rpo() %{expand: -# Requires base package -Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -# Post requires alternatives to install tool alternatives -Requires(post): %{alternatives_requires} -# Postun requires alternatives to uninstall tool alternatives -Requires(postun): %{alternatives_requires} - -# Standard JPackage devel 
provides -Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} -Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} -%if %is_system_jdk -Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} -Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} -Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} -Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} -%endif } %define java_static_libs_rpo() %{expand: -Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} } -%define java_jmods_rpo() %{expand: -# Requires devel package -# as jmods are bytecode, they should be OK without any _isa -Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release} -OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release} - -Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release} -%if %is_system_jdk -Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release} -%endif -} - -%define java_demo_rpo() %{expand: -Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} - -Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} -%if %is_system_jdk -Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} -%endif -} - -%define java_javadoc_rpo() %{expand: -OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} -# Post requires alternatives to install javadoc alternative -Requires(post): 
%{alternatives_requires} -# Postun requires alternatives to uninstall javadoc alternative -Requires(postun): %{alternatives_requires} - -# Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} -%if %is_system_jdk -Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} -%endif -} - -%define java_src_rpo() %{expand: -Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} - -# Standard JPackage sources provides -Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} -%if %is_system_jdk -Provides: java-src%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} -%endif -} # Prevent brp-java-repack-jars from being run %global __jar_repack 0 -Name: java-17-%{origin} +# portables have grown out of its component, moving back to java-x-vendor +# this expression, when declared as global, filled component with java-x-vendor portable +%define component %(echo %{name} | sed "s;-portable;;g") + +Name: java-%{javaver}-%{origin}-portable Version: %{newjavaver}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons @@ -1297,7 +528,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". Epoch: 1 -Summary: %{origin_nice} %{featurever} Runtime Environment +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition # Groups are only used up to RHEL 8 and on Fedora versions prior to F30 %if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages 
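Review bot: The emptied `java_rpo`, `java_devel_rpo` and `java_static_libs_rpo` bodies, together with the removal of `java_headless_rpo`, leave the portable package with no declared runtime dependency on `ca-certificates`, `crypto-policies`, `nss` or `tzdata-java >= 2022e`, and the new comment above `java_rpo` does not say who takes these over. If the portable JDK still reads the system trust store, crypto policy or NSS FIPS configuration (not visible in this hunk, though `nss.cfg.in` is still listed as Source11 further down), a missing package would surface as a TLS or provider failure at run time instead of an install-time error. I would record the contract next to the empty macros, for example `# runtime needs (ca-certificates, crypto-policies, nss, tzdata-java >= 2022e) must be declared by the package that repacks this portable`. The same added comment block contains the typos `thsoe` and `hapily`.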
@@ -1327,10 +558,12 @@ Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). # Systemtap tapsets. Zipped up to keep it small. -Source8: tapsets-icedtea-%{icedteaver}.tar.xz +# Disabled in portables +#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea -Source9: jconsole.desktop.in +# Disabled in portables +#Source9: jconsole.desktop.in # Release notes Source10: NEWS @@ -1339,7 +572,8 @@ Source10: NEWS Source11: nss.cfg.in # Removed libraries that we link instead -Source12: remove-intree-libraries.sh +# Disabled in portables +#Source12: remove-intree-libraries.sh # Ensure we aren't using the limited crypto policy Source13: TestCryptoLevel.java 
@@ -1494,78 +728,37 @@ BuildRequires: libstdc++-static %{java_rpo %{nil}} %description -The %{origin_nice} %{featurever} runtime environment. +The %{origin_nice} %{featurever} runtime environment - portable edition. %if %{include_debug_build} %package slowdebug -Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on} %if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug -The %{origin_nice} %{featurever} runtime environment. +The %{origin_nice} %{featurever} runtime environment - portable edition. %{debug_warning} %endif %if %{include_fastdebug_build} %package fastdebug -Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on} %if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif %{java_rpo -- %{fastdebug_suffix_unquoted}} %description fastdebug -The %{origin_nice} %{featurever} runtime environment. -%{fastdebug_warning} -%endif - -%if %{include_normal_build} -%package headless -Summary: %{origin_nice} %{featurever} Headless Runtime Environment -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_headless_rpo %{nil}} - -%description headless -The %{origin_nice} %{featurever} runtime environment without audio and video support. 
-%endif - -%if %{include_debug_build} -%package headless-slowdebug -Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_headless_rpo -- %{debug_suffix_unquoted}} - -%description headless-slowdebug -The %{origin_nice} %{featurever} runtime environment without audio and video support. -%{debug_warning} -%endif - -%if %{include_fastdebug_build} -%package headless-fastdebug -Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} - -%description headless-fastdebug -The %{origin_nice} %{featurever} runtime environment without audio and video support. +The %{origin_nice} %{featurever} runtime environment - portable edition. %{fastdebug_warning} %endif %if %{include_normal_build} %package devel -Summary: %{origin_nice} %{featurever} Development Environment +Summary: %{origin_nice} %{featurever} Development Environment portable edition. %if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif @@ -1573,12 +766,12 @@ Group: Development/Languages %{java_devel_rpo %{nil}} %description devel -The %{origin_nice} %{featurever} development tools. +The %{origin_nice} %{featurever} development tools - portable edition. %endif %if %{include_debug_build} %package devel-slowdebug -Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on} %if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages %endif 
@@ -1586,13 +779,13 @@ Group: Development/Languages %{java_devel_rpo -- %{debug_suffix_unquoted}} %description devel-slowdebug -The %{origin_nice} %{featurever} development tools. +The %{origin_nice} %{featurever} development tools - portable edition. %{debug_warning} %endif %if %{include_fastdebug_build} %package devel-fastdebug -Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on} %if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Tools %endif @@ -1600,7 +793,7 @@ Group: Development/Tools %{java_devel_rpo -- %{fastdebug_suffix_unquoted}} %description devel-fastdebug -The %{origin_nice} %{featurever} development tools . +The %{origin_nice} %{featurever} development tools - portable edition. %{fastdebug_warning} %endif 
@@ -1608,194 +801,39 @@ The %{origin_nice} %{featurever} development tools . %if %{include_normal_build} %package static-libs -Summary: %{origin_nice} %{featurever} libraries for static linking +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition. %{java_static_libs_rpo %{nil}} %description static-libs -The %{origin_nice} %{featurever} libraries for static linking. +The %{origin_nice} %{featurever} libraries for static linking - portable edition. %endif %if %{include_debug_build} %package static-libs-slowdebug -Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on} +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on} %{java_static_libs_rpo -- %{debug_suffix_unquoted}} %description static-libs-slowdebug -The %{origin_nice} %{featurever} libraries for static linking. +The %{origin_nice} %{featurever} libraries for static linking - portable edition. %{debug_warning} %endif %if %{include_fastdebug_build} %package static-libs-fastdebug -Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on} +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on} %{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} %description static-libs-fastdebug -The %{origin_nice} %{featurever} libraries for static linking. +The %{origin_nice} %{featurever} libraries for static linking - portable edition. %{fastdebug_warning} %endif # staticlibs %endif -%if %{include_normal_build} -%package jmods -Summary: JMods for %{origin_nice} %{featurever} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_jmods_rpo %{nil}} - -%description jmods -The JMods for %{origin_nice} %{featurever}. 
-%endif - -%if %{include_debug_build} -%package jmods-slowdebug -Summary: JMods for %{origin_nice} %{featurever} %{debug_on} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_jmods_rpo -- %{debug_suffix_unquoted}} - -%description jmods-slowdebug -The JMods for %{origin_nice} %{featurever}. -%{debug_warning} -%endif - -%if %{include_fastdebug_build} -%package jmods-fastdebug -Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Tools -%endif - -%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} - -%description jmods-fastdebug -The JMods for %{origin_nice} %{featurever}. -%{fastdebug_warning} -%endif - -%if %{include_normal_build} -%package demo -Summary: %{origin_nice} %{featurever} Demos -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_demo_rpo %{nil}} - -%description demo -The %{origin_nice} %{featurever} demos. -%endif - -%if %{include_debug_build} -%package demo-slowdebug -Summary: %{origin_nice} %{featurever} Demos %{debug_on} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_demo_rpo -- %{debug_suffix_unquoted}} - -%description demo-slowdebug -The %{origin_nice} %{featurever} demos. -%{debug_warning} -%endif - -%if %{include_fastdebug_build} -%package demo-fastdebug -Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} - -%description demo-fastdebug -The %{origin_nice} %{featurever} demos. 
-%{fastdebug_warning} -%endif - -%if %{include_normal_build} -%package src -Summary: %{origin_nice} %{featurever} Source Bundle -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_src_rpo %{nil}} - -%description src -The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever} -class library source code for use by IDE indexers and debuggers. -%endif - -%if %{include_debug_build} -%package src-slowdebug -Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_src_rpo -- %{debug_suffix_unquoted}} - -%description src-slowdebug -The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever} - class library source code for use by IDE indexers and debuggers, %{for_debug}. -%endif - -%if %{include_fastdebug_build} -%package src-fastdebug -Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Development/Languages -%endif - -%{java_src_rpo -- %{fastdebug_suffix_unquoted}} - -%description src-fastdebug -The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever} - class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. -%endif - -%if %{include_normal_build} -%package javadoc -Summary: %{origin_nice} %{featurever} API documentation -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Documentation -%endif -Requires: javapackages-filesystem -Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling - -%{java_javadoc_rpo -- %{nil} %{nil}} - -%description javadoc -The %{origin_nice} %{featurever} API documentation. 
-%endif - -%if %{include_normal_build} -%package javadoc-zip -Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive -%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) -Group: Documentation -%endif -Requires: javapackages-filesystem -Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling - -%{java_javadoc_rpo -- %{nil} -zip} -%{java_javadoc_rpo -- %{nil} %{nil}} - -%description javadoc-zip -The %{origin_nice} %{featurever} API documentation compressed in a single archive. -%endif - %prep echo "Preparing %{oj_vendor_version}" @@ -1910,21 +948,7 @@ done %endif # Prepare desktop files -# The _X_ syntax indicates variables that are replaced by make upstream -# The @X@ syntax indicates variables that are replaced by configure upstream -for suffix in %{build_loop} ; do -for file in %{SOURCE9}; do - FILE=`basename $file | sed -e s:\.in$::g` - EXT="${FILE##*.}" - NAME="${FILE%.*}" - OUTPUT_FILE=$NAME$suffix.$EXT - sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE - sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE - sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE - sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE - sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE -done -done +# Portables do not have desktop integration # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg @@ -2006,6 +1030,7 @@ function buildjdk() { %ifarch %{ppc64le} --with-jobs=1 \ %endif + --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \ --with-version-build=%{buildver} \ --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ 
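Review bot: The `--with-cacerts-file=` value added in buildjdk() comes from an unchecked, unquoted backtick substitution, and `readlink -f` still prints a path when the final component is missing, so a builder without `%{_sysconfdir}/pki/java/cacerts` hands configure a dangling path. Resolve it before the configure call and fail early, e.g. `cacerts=$(readlink -e %{_sysconfdir}/pki/java/cacerts) || exit 1`, then pass `--with-cacerts-file="${cacerts}" \`. The option also copies the build host's trust store into the image, so the portable's trust anchors are frozen at build time and will not follow later CA removals on the consumer's system. A comment above the option saying so, for instance `# portable: cacerts is a build-time snapshot of the builder's ca-certificates`, would make that explicit. buildjdk()'s body starts and ends outside this hunk.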
@@ -2073,9 +1098,6 @@ function installjdk() { sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ ${imagepath}/conf/security/java.security - # Use system-wide tzdata - mv ${imagepath}/lib/tzdb.dat{,.upstream} - ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat # Rename OpenJDK cacerts database mv ${imagepath}/lib/security/cacerts{,.upstream} From d29ffaf550cc6aabfbb1521c2bab28d7af2975c4 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Mon, 28 Nov 2022 15:45:50 +0100 Subject: [PATCH 56/61] Aligning files and packages with future portbale version added few if el7. Note, this is nto buildbale, brekaing changes with tarball creation needs to land now --- java-17-openjdk-portable.spec | 597 ++++++++-------------------------- 1 file changed, 138 insertions(+), 459 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index e129354..3f7500f 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec @@ -1,3 +1,14 @@ +#FOR TESTING ONLY! REMOVE! +%define rhel %{nil} + +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +# portable jdk 17 specific bug, _jvmdir being missing +%define _jvmdir /usr/lib/jvm +%endif + +# debug_package %%{nil} is portable-jdks specific +%define debug_package %{nil} + # RPM conditionals so as to be able to dynamically produce # slowdebug/release builds. See: # http://rpm.org/user_doc/conditional_builds.html @@ -26,6 +37,15 @@ # Build with system libraries %bcond_with system_libs + +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +# This is RHEL 7 specific as it doesn't seem to have the +# __brp_strip_static_archive macro. +%define __os_install_post %{nil} +%endif + +%global unpacked_lilcenses %{_datarootdir}/licenses + # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} %define __brp_strip_static_archive %{nil} 
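Review bot: The override `%define rhel %{nil}` under `#FOR TESTING ONLY! REMOVE!` at the top of java-17-openjdk-portable.spec is committed with the rest of the change. With `rhel` defined but empty, `0%{?rhel}` expands to `0`, so every `(0%{?rhel} > 0 && 0%{?rhel} < 8)` branch this commit adds is skipped even on a real el7 builder. That covers the devtoolset-8 toolchain, the bundled boot JDK and the `_jvmdir` fallback. Drop both lines and, where a local override is needed, pass it on the command line instead, e.g. `rpmbuild --define 'rhel 7' …`.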
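Review bot: `%define __os_install_post %{nil}` in the el7 branch switches off every post-install brp step, not only the static-archive stripping that the comment gives as the reason. If archive stripping is the only problem, redefine `__os_install_post` to the list of steps that should still run. Otherwise say so in the comment, e.g. `# el7: all brp post-processing disabled on purpose; payload is pre-built tarballs`. The macro name `unpacked_lilcenses` defined just below is misspelled; the %files hunk later in this patch uses the same spelling, so a rename has to touch both places.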
@@ -149,7 +169,12 @@ # Set of architectures for which java has short vector math library (libsvml.so) %global svml_arches x86_64 # Set of architectures where we verify backtraces with gdb +# s390x fails on RHEL 7 so we exclude it there +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches} +%else %global gdb_arches %{jit_arches} %{zero_arches} +%endif # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} 
@@ -423,10 +448,30 @@ %global static_libs_install_dir %{static_libs_arch_dir}/glibc # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk %define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +# portable only declarations +%global jreimage jre +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.jre.;g" | sed "s;openjdkportable;el;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.jdk.;g" | sed "s;openjdkportable;el;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.static-libs.;g" | sed "s;openjdkportable;el;g") +%else +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.jre;g" | sed "s;openjdkportable;el;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.jdk;g" | sed "s;openjdkportable;el;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.static-libs;g" | sed "s;openjdkportable;el;g") +%endif +%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} +%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} +%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz} +%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}} +%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on +# top of the JDK archive +%define staticlibsportablename() 
%{expand:%{jdkportablenameimpl -- %%{1}}} ################################################################# # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 @@ -470,9 +515,6 @@ %global alternatives_requires %{_sbindir}/alternatives %endif -%global family %{name}.%{_arch} -%global family_noarch %{name} - %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, @@ -593,6 +635,14 @@ Source17: nss.fips.cfg.in # Ensure translations are available for new timezones Source18: TestTranslations.java +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +# boot jdk for portable build root on +Source1001: ojdk17-aarch64-17.35.tar.gz +Source1002: ojdk17-ppc64le-17.35.tar.gz +Source1003: ojdk17-x86_64-17.35.tar.gz +Source1004: ojdk17-s390x-17.35.tar.gz +%endif + ############################################ # # RPM/distribution specific patches @@ -666,8 +716,21 @@ BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel BuildRequires: fontconfig-devel +BuildRequires: freetype-devel +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +BuildRequires: devtoolset-8-gcc +BuildRequires: devtoolset-8-gcc-c++ +%else +BuildRequires: gcc +# gcc-c++ is already needed +BuildRequires: java-%{buildjdkver}-openjdk-devel +%endif BuildRequires: gcc-c++ BuildRequires: gdb +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +# rhel7 only, portables only. Rhel8 have gtk3, rpms have runtime recommends of gtk +BuildRequires: gtk2-devel +%endif BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXi-devel 
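Review bot: Source1001–Source1004 add prebuilt boot JDK archives (`ojdk17-*-17.35.tar.gz`) with only the truncated comment `# boot jdk for portable build root on`, and the %build hunk later in this patch unpacks them and points `BOOT_JDK` at the result. A bootstrap compiler is part of the trust chain for every portable built from it, so the spec should record where these binaries came from and how they are pinned. Nothing in this hunk does that; if the lookaside `sources` file is the only integrity check, say so. I would extend the comment along the lines of `# Boot JDK binaries for el7 build roots; built from <ORIGIN-BUILD-ID>, digests pinned in sources`, with the placeholder replaced by the real origin.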
@@ -679,18 +742,31 @@ BuildRequires: libXtst-devel # Requirement for setting up nss.cfg and nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) BuildRequires: crypto-policies +%endif BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip +# to pack portable tarballs +BuildRequires: tar +BuildRequires: unzip +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +# No javapackages-filesystem on el7,nor is needed for portables +%else BuildRequires: javapackages-filesystem BuildRequires: java-%{buildjdkver}-openjdk-devel +%endif + # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel %endif # 2022e required as of JDK-8295173 BuildRequires: tzdata-java >= 2022e + +# cacerts build requirement in portable mode +BuildRequires: ca-certificates # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -957,6 +1033,26 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg %build +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +mkdir bootjdk +pushd bootjdk +%ifarch %{aarch64} +tar --strip-components=1 -xf %{SOURCE1001} +%endif +%ifarch %{ppc64le} +tar --strip-components=1 -xf %{SOURCE1002} +%endif +%ifarch x86_64 +tar --strip-components=1 -xf %{SOURCE1003} +%endif +%ifarch s390x +tar --strip-components=1 -xf %{SOURCE1004} +%endif +BOOT_JDK=$PWD +popd +%else +BOOT_JDK=%{bootjdk} +%endif # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) 
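Review bot: The new guard around `BuildRequires: crypto-policies` looks inverted. It now applies only when `0%{?rhel} < 8`, whereas the `javapackages-filesystem` block a few lines below uses `%if … %else` to exclude el7. As written, Fedora and RHEL 8+ builds no longer pull in crypto-policies although the comment above says the system security property test needs it, and el7, which as far as I know does not ship that package, is the only target asked for it. If the intent was to skip it on el7, put an `%else` between the `%if (0%{?rhel} > 0 && 0%{?rhel} < 8)` line and `BuildRequires: crypto-policies`.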
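Review bot: The el7 boot JDK extraction at the start of %build has no fallthrough. On an architecture matched by none of the four `%ifarch` blocks, `bootjdk` stays empty and `BOOT_JDK=$PWD` still points at it, so the failure surfaces later and less clearly, presumably in configure, whose `--with-boot-jdk` use is outside this hunk. Add a check before the assignment, e.g. `test -x bin/javac || { echo "no boot JDK unpacked for %{_arch}" >&2; exit 1; }`. The same line also catches an archive whose layout does not match `--strip-components=1`.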
@@ -1023,7 +1119,11 @@ function buildjdk() { # rather than ${link_opt} as the system versions # are always used in a system_libs build, even # for the static library build +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) + scl enable devtoolset-8 -- bash ${top_dir_abs_src_path}/configure \ +%else bash ${top_dir_abs_src_path}/configure \ +%endif %ifarch %{zero_arches} --with-jvm-variants=zero \ %endif @@ -1064,8 +1164,11 @@ function buildjdk() { --disable-warnings-as-errors cat spec.gmk - +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) + scl enable devtoolset-8 -- make \ +%else make \ +%endif LOG=trace \ WARNINGS_ARE_ERRORS="-Wno-error" \ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ 
@@ -1456,494 +1559,70 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable # build cycles check done -%if %{include_normal_build} -# intentionally only for non-debug -%pretrans headless -p --- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue --- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre --- if copy-jdk-configs is in transaction, it installs in pretrans to temp --- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is --- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends --- whether copy-jdk-configs is installed or not. If so, then configs are copied --- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all -local posix = require "posix" - -if (os.getenv("debug") == "true") then - debug = true; - print("cjc: in spec debug is on") -else - debug = false; -end - -SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" -SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" - -local stat1 = posix.stat(SOURCE1, "type"); -local stat2 = posix.stat(SOURCE2, "type"); - - if (stat1 ~= nil) then - if (debug) then - print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.") - end; - package.path = package.path .. ";" .. SOURCE1 -else - if (stat2 ~= nil) then - if (debug) then - print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.") - end; - package.path = package.path .. ";" .. SOURCE2 - else - if (debug) then - print(SOURCE1 .." does NOT exists") - print(SOURCE2 .." 
does NOT exists") - print("No config files will be copied") - end - return - end -end -arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" -cjc = require "copy_jdk_configs.lua" -args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} -cjc.mainProgram(args) - -%post -%{post_script %{nil}} - -%post headless -%{post_headless %{nil}} - -%postun -%{postun_script %{nil}} - -%postun headless -%{postun_headless %{nil}} - -%posttrans -%{posttrans_script %{nil}} - -%posttrans headless -%{alternatives_java_install %{nil}} - -%post devel -%{post_devel %{nil}} - -%postun devel -%{postun_devel %{nil}} - -%posttrans devel -%{posttrans_devel %{nil}} - -%posttrans javadoc -%{alternatives_javadoc_install %{nil}} - -%postun javadoc -%{postun_javadoc %{nil}} - -%posttrans javadoc-zip -%{alternatives_javadoczip_install %{nil}} - -%postun javadoc-zip -%{postun_javadoc_zip %{nil}} -%endif - -%if %{include_debug_build} -%post slowdebug -%{post_script -- %{debug_suffix_unquoted}} - -%post headless-slowdebug -%{post_headless -- %{debug_suffix_unquoted}} - -%posttrans headless-slowdebug -%{alternatives_java_install -- %{debug_suffix_unquoted}} - -%postun slowdebug -%{postun_script -- %{debug_suffix_unquoted}} - -%postun headless-slowdebug -%{postun_headless -- %{debug_suffix_unquoted}} - -%posttrans slowdebug -%{posttrans_script -- %{debug_suffix_unquoted}} - -%post devel-slowdebug -%{post_devel -- %{debug_suffix_unquoted}} - -%postun devel-slowdebug -%{postun_devel -- %{debug_suffix_unquoted}} - -%posttrans devel-slowdebug -%{posttrans_devel -- %{debug_suffix_unquoted}} -%endif - -%if %{include_fastdebug_build} -%post fastdebug -%{post_script -- %{fastdebug_suffix_unquoted}} - -%post headless-fastdebug 
-%{post_headless -- %{fastdebug_suffix_unquoted}} - -%postun fastdebug -%{postun_script -- %{fastdebug_suffix_unquoted}} - -%postun headless-fastdebug -%{postun_headless -- %{fastdebug_suffix_unquoted}} - -%posttrans fastdebug -%{posttrans_script -- %{fastdebug_suffix_unquoted}} - -%posttrans headless-fastdebug -%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} - -%post devel-fastdebug -%{post_devel -- %{fastdebug_suffix_unquoted}} - -%postun devel-fastdebug -%{postun_devel -- %{fastdebug_suffix_unquoted}} - -%posttrans devel-fastdebug -%{posttrans_devel -- %{fastdebug_suffix_unquoted}} - -%endif - %if %{include_normal_build} %files # main package builds always -%{files_jre %{nil}} +%{_jvmdir}/%{jreportablearchive -- %%{nil}} +%{_jvmdir}/%{jreportablearchive -- %%{nil}}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}} %else %files # placeholder %endif - -%if %{include_normal_build} -%files headless -# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue -# all config/noreplace files (and more) have to be declared in pretrans. See pretrans -%{files_jre_headless %{nil}} - %files devel -%{files_devel %{nil}} +%{_jvmdir}/%{jdkportablearchive -- %%{nil}} +%{_jvmdir}/%{jdkportablearchive -- .debuginfo} +%{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum +%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}} %if %{include_staticlibs} %files static-libs -%{files_static_libs %{nil}} -%endif - -%files jmods -%{files_jmods %{nil}} - -%files demo -%{files_demo %{nil}} - -%files src -%{files_src %{nil}} - -%files javadoc -%{files_javadoc %{nil}} - -# This puts a huge documentation file in /usr/share -# It is now architecture-dependent, as eg. 
AOT and Graal are now x86_64 only -# same for debug variant -%files javadoc-zip -%{files_javadoc_zip %{nil}} +%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}} +%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}} %endif %if %{include_debug_build} %files slowdebug -%{files_jre -- %{debug_suffix_unquoted}} - -%files headless-slowdebug -%{files_jre_headless -- %{debug_suffix_unquoted}} +%{_jvmdir}/%{jreportablearchive -- .slowdebug} +%{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug} %files devel-slowdebug -%{files_devel -- %{debug_suffix_unquoted}} +%{_jvmdir}/%{jdkportablearchive -- .slowdebug} +%{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug} %if %{include_staticlibs} %files static-libs-slowdebug -%{files_static_libs -- %{debug_suffix_unquoted}} +%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug} +%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug} %endif - -%files jmods-slowdebug -%{files_jmods -- %{debug_suffix_unquoted}} - -%files demo-slowdebug -%{files_demo -- %{debug_suffix_unquoted}} - -%files src-slowdebug -%{files_src -- %{debug_suffix_unquoted}} %endif %if %{include_fastdebug_build} %files fastdebug -%{files_jre -- %{fastdebug_suffix_unquoted}} - -%files headless-fastdebug -%{files_jre_headless -- %{fastdebug_suffix_unquoted}} +%{_jvmdir}/%{jreportablearchive -- .fastdebug} +%{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug} %files devel-fastdebug -%{files_devel -- %{fastdebug_suffix_unquoted}} +%{_jvmdir}/%{jdkportablearchive -- .fastdebug} +%{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug} %if 
%{include_staticlibs} %files static-libs-fastdebug -%{files_static_libs -- %{fastdebug_suffix_unquoted}} +%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug} +%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum +%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug} %endif - -%files jmods-fastdebug -%{files_jmods -- %{fastdebug_suffix_unquoted}} - -%files demo-fastdebug -%{files_demo -- %{fastdebug_suffix_unquoted}} - -%files src-fastdebug -%{files_src -- %{fastdebug_suffix_unquoted}} - %endif %changelog -* Wed Nov 09 2022 Andrew Hughes - 1:17.0.6.0.1-0.1.ea -- Update to jdk-17.0.6+1 -- Update release notes to 17.0.6+1 -- Switch to EA mode for 17.0.6 pre-release builds. -- Re-enable EA upstream status check now it is being actively maintained. -- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream -- Bump tzdata requirement to 2022e now the package is available in Fedora +* Mon Oct 31 2022 Jiri Vanek - 1:17.0.5.0.8-2 +- initial import -* Wed Oct 19 2022 Andrew Hughes - 1:17.0.5.0.8-1 -- Update to jdk-17.0.5+8 (GA) -- Update release notes to 17.0.5+8 (GA) -- Switch to GA mode for final release. -- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds -- Remove freetype sources along with zlib sources - -* Fri Oct 14 2022 Andrew Hughes - 1:17.0.5.0.7-0.2.ea -- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 -- Update CLDR data with Europe/Kyiv (JDK-8293834) -- Drop JDK-8292223 patch which we found to be unnecessary -- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream - -* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.1.ea -- Update to jdk-17.0.5+7 -- Update release notes to 17.0.5+7 - -* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.1.ea -- Update to jdk-17.0.5+1 -- Update release notes to 17.0.5+1 -- Switch to EA mode for 17.0.5 pre-release builds. 
-- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 -- Bump FreeType bundled version to 2.12.1 following JDK-8290334 - -* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-3 -- Switch to static builds, reducing system dependencies and making build more portable - -* Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-2 -- Update FIPS support to bring in latest changes -- * RH2048582: Support PKCS#12 keystores -- * RH2020290: Support TLS 1.3 in FIPS mode - -* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 -- Update to jdk-17.0.4.1+1 -- Update release notes to 17.0.4.1+1 -- Add patch to provide translations for Europe/Kyiv added in tzdata2022b -- Add test to ensure timezones can be translated - -* Mon Aug 15 2022 Andrew Hughes - 1:17.0.4.0.8-2 -- Update FIPS support to bring in latest changes -- * RH2104724: Avoid import/export of DH private keys -- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -- * Build the systemconf library on all platforms - -* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-1 -- Update to jdk-17.0.4.0+8 -- Update release notes to 17.0.4.0+8 -- Switch to GA mode for release -- Exclude x86 where java_arches is undefined, in order to unbreak build - -* Fri Jul 22 2022 Jiri Vanek - 1:17.0.4.0.7-0.3.ea -- moved to build only on %%{java_arches} --- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs -- reverted : --- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release) --- Try to build on x86 again by creating a husk of a JDK which does not depend on itself --- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable --- Replaced binaries and .so files with bash-stubs on i686 -- added ExclusiveArch: %%{java_arches} --- this now excludes i686 --- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included) -- https://bugzilla.redhat.com/show_bug.cgi?id=2104128 - -* Thu Jul 21 2022 Fedora Release Engineering - 
1:17.0.4.0.7-0.2.ea.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Tue Jul 19 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea -- Try to build on x86 again by creating a husk of a JDK which does not depend on itself - -* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea -- Update to jdk-17.0.3.0+7 -- Update release notes to 17.0.3.0+7 -- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable -- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 - -* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.5.ea -- Explicitly require crypto-policies during build and runtime for system security properties - -* Thu Jul 14 2022 Jiri Vanek - 1:17.0.4.0.1-0.4.ea -- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture: -- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs - -* Thu Jul 14 2022 FeRD (Frank Dana) - 1:17.0.4.0.1-0.3.ea -- Add javaver- and origin-specific javadoc and javadoczip alternatives. - -* Thu Jul 14 2022 Andrew Hughes - 1:17.0.4.0.1-0.2.ea -- Make use of the vendor version string to store our version & release rather than an upstream release date -- Include a test in the RPM to check the build has the correct vendor information. - -* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea -- Fix issue where CheckVendor.java test erroneously passes when it should fail. -- Add proper quoting so '&' is not treated as a special character by the shell. - -* Mon Jul 11 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea -- Update to jdk-17.0.4.0+1 -- Update release notes to 17.0.4.0+1 -- Switch to EA mode for 17.0.4 pre-release builds. 
-- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231 -- Print release file during build, which should now include a correct SOURCE value from .src-rev -- Update tarball script with IcedTea GitHub URL and .src-rev generation -- Include script to generate bug list for release notes -- Update tzdata requirement to 2022a to match JDK-8283350 -- Move EA designator check to prep so failures can be caught earlier -- Make EA designator check non-fatal while upstream is not maintaining it - -* Thu Jul 07 2022 Andrew Hughes - 1:17.0.3.0.7-7 -- Fix whitespace in spec file - -* Thu Jul 07 2022 Andrew Hughes - 1:17.0.3.0.7-7 -- Sequence spec file sections as they are run by rpmbuild (build, install then test) - -* Tue Jul 05 2022 Andrew Hughes - 1:17.0.3.0.7-7 -- Turn on system security properties as part of the build's install section -- Move cacerts replacement to install section and retain original of this and tzdb.dat -- Run tests on the installed image, rather than the build image -- Introduce variables to refer to the static library installation directories -- Use relative symlinks so they work within the image -- Run debug symbols check during build stage, before the install strips them - -* Fri Jul 01 2022 Stephan Bergmann - 1:17.0.3.0.7-6 -- Fix flatpak builds by exempting them from bootstrap - -* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-5 -- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - -* Mon Jun 27 2022 Stephan Bergmann - 1:17.0.3.0.7-4 -- Fix flatpak builds (catering for their uncompressed manual pages) - -* Wed Jun 22 2022 Andrew Hughes - 1:17.0.3.0.7-3 -- Update FIPS support to bring in latest changes -- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -- * RH2090378: Revert to disabling system security properties and FIPS mode support together -- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch -- Enable system security properties in the RPM 
(now disabled by default in the FIPS repo) -- Improve security properties test to check both enabled and disabled behaviour -- Run security properties test with property debugging on - -* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-2 -- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository -- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch -- RH2023467: Enable FIPS keys export -- RH2094027: SunEC runtime permission for FIPS - -* Sun Apr 24 2022 Andrew Hughes - 1:17.0.3.0.7-1 -- April 2022 security update to jdk 17.0.3+7 -- Update release notes to 17.0.3.0+7 -- Update README.md and generate_source_tarball.sh to match CentOS -- Switch to GA mode for release -- JDK-8283911 patch no longer needed now we're GA... - -* Wed Apr 13 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea -- Update to jdk-17.0.3.0+5 -- Update release notes to 17.0.3.0+5 - -* Fri Apr 08 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea -- Update to jdk-17.0.3.0+1 -- Update release notes to 17.0.3.0+1 -- Switch to EA mode for 17.0.3 pre-release builds. -- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value - -* Wed Apr 06 2022 Andrew Hughes - 1:17.0.2.0.8-9 -- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode - -* Wed Mar 30 2022 Andrew Hughes - 1:17.0.2.0.8-8 -- java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18 - -* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-8 -- Detect NSS at runtime for FIPS detection -- Turn off build-time NSS linking and go back to an explicit Requires on NSS - -* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-7 -- Reinstate JIT builds on x86_32. -- Add JDK-8282004 to fix missing CALL effects on x86_32. - -* Mon Feb 07 2022 Severin Gehwolf - 1:17.0.2.0.8-6 -- Re-enable gdb backtrace check. - -* Mon Feb 07 2022 Andrew Hughes - 1:17.0.2.0.8-5 -- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. 
arm64 on aarch64) -- Need to support noarch for creating source RPMs for non-scratch builds. - -* Fri Feb 04 2022 Jiri Vanek - 1:17.0.2.0.8-4 -- moved to become system jdk - -* Fri Feb 04 2022 Andrew Hughes - 1:17.0.2.0.8-2 -- Temporarily move x86 to use Zero in order to get a working build -- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment -- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. -- Explicitly list JIT architectures rather than relying on those with slowdebug builds -- Disable the serviceability agent on Zero architectures even when the architecture itself is supported - -* Mon Jan 24 2022 Andrew Hughes - 1:17.0.2.0.8-1.rolling -- January 2022 security update to jdk 17.0.2+8 -- Extend LTS check to exclude EPEL. -- Rename libsvml.so to libjsvml.so following JDK-8276025 -- Remove JDK-8276572 patch which is now upstream. -- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java - -* Mon Jan 24 2022 Severin Gehwolf - 1:17.0.2.0.8-1.rolling -- Set LTS designator. - -* Mon Jan 24 2022 Andrew Hughes - 1:17.0.1.0.12-16.rolling -- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent - -* Thu Jan 20 2022 Fedora Release Engineering - 1:17.0.1.0.12-15.rolling.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Jan 18 2022 Andrew Hughes - 1:17.0.1.0.12-15.rolling -- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. -- Disable on x86, x86_64, ppc64le & s390x while these are broken in rawhide. 
- -* Thu Jan 13 2022 Andrew Hughes - 1:17.0.1.0.12-14.rolling -- Fix FIPS issues in native code and with initialisation of java.security.Security - -* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-13.rolling -- Storing and restoring alterntives during update manually -- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE --- The move of alternatives creation to posttrans to fix: --- Bug 1200302 - dnf reinstall breaks alternatives --- Had caused the alternatives to be removed, and then created again, --- instead of being added, and then removing the old, and thus persisting --- the selection in family --- Thus this fix, is storing the family of manually selected master, and if --- stored, then it is restoring the family of the master - -* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-12.rolling -- Family extracted to globals - -* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-11.rolling -- javadoc-zip got its own provides next to plain javadoc ones - -* Thu Dec 09 2021 Jiri Vanek - 1:17.0.1.0.12-10.rolling -- replaced tabs by sets of spaces to make rpmlint happy - -* Mon Nov 29 2021 Andrew Hughes - 1:17.0.1.0.12-9.rolling -- Handle Fedora in distro conditionals that currently only pertain to RHEL. - -* Thu Nov 18 2021 Jiri Vanek - 1:17.0.0.0.35-8 --- inital import From d904c40a00511e8f39f35f100b371c273d2f5206 Mon Sep 17 00:00:00 2001 From: Jiri Vanek Date: Mon, 28 Nov 2022 17:42:31 +0100 Subject: [PATCH 57/61] WIP added tarring --- java-17-openjdk-portable.spec | 74 ++++++++++++++++++++++++++++------- 1 file changed, 59 insertions(+), 15 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index 3f7500f..3d9cac0 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec 
@@ -44,7 +44,7 @@ %define __os_install_post %{nil} %endif -%global unpacked_lilcenses %{_datarootdir}/licenses +%global unpacked_licenses %{_datarootdir}/licenses # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -251,10 +251,10 @@ %global debug_symbols internal # unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images -%global release_targets images docs-zip +%global bootstrap_targets images legacy-jre-image +%global release_targets images docs-zip legacy-jre-image # No docs nor bootcycle for debug builds -%global debug_targets images +%global debug_targets images legacy-jre-image # Target to use to just build HotSpot %global hotspot_target hotspot @@ -448,7 +448,6 @@ %global static_libs_install_dir %{static_libs_arch_dir}/glibc # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} -%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk 
@@ -1367,26 +1366,58 @@ for suffix in %{build_loop} ; do # Print release information cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release +################################################################################ + pushd ${top_dir_abs_main_build_path}/images + mv %{jdkimage} %{jdkportablename -- "$nameSuffix"} + mv %{jreimage} %{jreportablename -- "$nameSuffix"} + tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"} + sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum + tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"} + sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum + # copy licenses so they are avialable out of tarball + cp -r %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "$nameSuffix"}-legal + mv %{jdkportablename -- "$nameSuffix"} %{jdkimage} + mv %{jreportablename -- "$nameSuffix"} %{jreimage} + popd #images +%if %{include_staticlibs} + top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}} + pushd ${top_dir_abs_staticlibs_build_path}/images + # Static libraries (needed for building graal vm with native image) + # Tar as overlay. 
Transform to the JDK name, since we just want to "add" + # static libraries to that folder + portableJDKname=%{staticlibsportablename -- "$nameSuffix"} + tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" + sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum + popd #staticlibs-images +%endif +################################################################################ +# note, currently no debuginfo, consult portbale spec for external (zipped) debuginof, being tarred alone +################################################################################ + # build cycles done # end of release / debug cycle loop %install STRIP_KEEP_SYMTAB=libjvm* +if [ "fixme" == "todo" ] ; then for suffix in %{build_loop} ; do +# done in build top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} %endif jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} +# tbd in rpms # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} pushd ${jdk_image} +# tbd in rpms %if %{with_systemtap} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset @@ -1402,11 +1433,13 @@ pushd ${jdk_image} done %endif +# tbd in rpms # Install version-ed symlinks pushd $RPM_BUILD_ROOT%{_jvmdir} ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} popd +# todo fix in build # Install man pages install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1 for manpage in man/man1/* 
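Review bot: Each `sha256sum ../../../../… > ….sha256sum` line in the new packing block records the archive under the relative name `../../../../<archive>`, so `sha256sum -c` cannot be run on the shipped file when it sits next to the tarball. Computing the digest from the output directory keeps only the basename, e.g. `(cd ../../../.. && sha256sum %{jdkportablearchive -- "$nameSuffix"} > %{jdkportablearchive -- "$nameSuffix"}.sha256sum)`; the same applies to the JRE and static-libs archives and to the copies of these lines in PATCH 58 and PATCH 61. The digest is packaged alongside the tarball it describes, so it detects corruption only, and authenticity still has to come from the package signature. `$nameSuffix` is not assigned anywhere in this hunk, and the enclosing `for suffix` loop starts outside it, so confirm the variable is set before these lines run.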
@@ -1422,6 +1455,7 @@ pushd ${jdk_image} popd +# done in build # Install static libs artefacts %if %{include_staticlibs} mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} @@ -1429,6 +1463,7 @@ cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} %endif +# todo fix in build if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} @@ -1438,6 +1473,7 @@ if ! echo $suffix | grep -q "debug" ; then $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ fi +# todo fix in build # Install release notes commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} @@ -1450,6 +1486,7 @@ for s in 16 24 32 48 ; do $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png done +# tbd in rpms # Install desktop files install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps} for e in jconsole$suffix ; do @@ -1457,14 +1494,17 @@ for e in jconsole$suffix ; do --dir=$RPM_BUILD_ROOT%{_datadir}/applications $e.desktop done +# tbd in rpms # Install /etc/.java/.systemPrefs/ directory # See https://bugzilla.redhat.com/show_bug.cgi?id=741821 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs +# todo fix in build # copy samples next to demos; samples are mostly js files cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ +# tbd in rpms # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib 
@@ -1478,6 +1518,7 @@ pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib popd # end moving files to /etc +# todo fix in build # stabilize permissions find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; @@ -1485,6 +1526,7 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6 # end, dual install done +fi %check @@ -1493,7 +1535,9 @@ for suffix in %{build_loop} ; do # Tests in the check stage are performed on the installed image # rpmbuild operates as follows: build -> install -> test -export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} +# however in portbales, we test built image instead of installed one +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} #check Shenandoah is enabled %if %{use_shenandoah_hotspot} @@ -1564,7 +1608,7 @@ done # main package builds always %{_jvmdir}/%{jreportablearchive -- %%{nil}} %{_jvmdir}/%{jreportablearchive -- %%{nil}}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %else %files # placeholder 
@@ -1575,31 +1619,31 @@ done %{_jvmdir}/%{jdkportablearchive -- .debuginfo} %{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum %{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %if %{include_staticlibs} %files static-libs %{_jvmdir}/%{staticlibsportablearchive -- %%{nil}} %{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %endif %if %{include_debug_build} %files slowdebug %{_jvmdir}/%{jreportablearchive -- .slowdebug} %{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug} %files devel-slowdebug %{_jvmdir}/%{jdkportablearchive -- .slowdebug} %{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug} %if %{include_staticlibs} %files static-libs-slowdebug %{_jvmdir}/%{staticlibsportablearchive -- .slowdebug} %{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug} %endif %endif 
@@ -1607,18 +1651,18 @@ done %files fastdebug %{_jvmdir}/%{jreportablearchive -- .fastdebug} %{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug} %files devel-fastdebug %{_jvmdir}/%{jdkportablearchive -- .fastdebug} %{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug} %if %{include_staticlibs} %files static-libs-fastdebug %{_jvmdir}/%{staticlibsportablearchive -- .fastdebug} %{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug} %endif %endif From c22c08ba1b7dce7b661b59c0ddb2bd9df964f36a Mon Sep 17 00:00:00 2001 From: Jiri Date: Tue, 29 Nov 2022 19:38:36 +0100 Subject: [PATCH 58/61] Merge all legal to one and pack just once for all tarballs --- java-17-openjdk-portable.spec | 36 +++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index 3d9cac0..96e6413 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec 
@@ -1368,16 +1368,16 @@ for suffix in %{build_loop} ; do ################################################################################ pushd ${top_dir_abs_main_build_path}/images - mv %{jdkimage} %{jdkportablename -- "$nameSuffix"} - mv %{jreimage} %{jreportablename -- "$nameSuffix"} - tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"} - sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum - tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"} - sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum + mv %{jdkimage} %{jdkportablename -- "$suffix"} + mv %{jreimage} %{jreportablename -- "$suffix"} + tar -cJf ../../../../%{jdkportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jdkportablename -- "$suffix"} + sha256sum ../../../../%{jdkportablearchive -- "$suffix"} > ../../../../%{jdkportablearchive -- "$suffix"}.sha256sum + tar -cJf ../../../../%{jreportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jreportablename -- "$suffix"} + sha256sum ../../../../%{jreportablearchive -- "$suffix"} > ../../../../%{jreportablearchive -- "$suffix"}.sha256sum # copy licenses so they are avialable out of tarball - cp -r %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "$nameSuffix"}-legal - mv %{jdkportablename -- "$nameSuffix"} %{jdkimage} - mv %{jreportablename -- "$nameSuffix"} %{jreimage} + cp -rf %{jdkportablename -- "$suffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal + mv %{jdkportablename -- "$suffix"} %{jdkimage} + mv %{jreportablename -- "$suffix"} %{jreimage} popd #images %if %{include_staticlibs} top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}} 
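Review bot: The changed `cp -rf …/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal` does not merge on later passes of the loop: once the `-legal` directory exists, `cp -r` places the source inside it as `-legal/legal/` instead of overlaying the files. If `%{build_loop}` holds more than one suffix (its value is outside this hunk), the shared licence directory gains a nested copy rather than one merged tree. Copying the directory contents into a pre-created target gives the merge the commit title describes: `mkdir -p ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal` followed by `cp -rf %{jdkportablename -- "$suffix"}/legal/. ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal/`.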
@@ -1385,9 +1385,9 @@ for suffix in %{build_loop} ; do # Static libraries (needed for building graal vm with native image) # Tar as overlay. Transform to the JDK name, since we just want to "add" # static libraries to that folder - portableJDKname=%{staticlibsportablename -- "$nameSuffix"} - tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" - sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum + portableJDKname=%{staticlibsportablename -- "$suffix"} + tar -cJf ../../../../%{staticlibsportablearchive -- "$suffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" + sha256sum ../../../../%{staticlibsportablearchive -- "$suffix"} > ../../../../%{staticlibsportablearchive -- "$suffix"}.sha256sum popd #staticlibs-images %endif ################################################################################ @@ -1632,18 +1632,18 @@ done %files slowdebug %{_jvmdir}/%{jreportablearchive -- .slowdebug} %{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %files devel-slowdebug %{_jvmdir}/%{jdkportablearchive -- .slowdebug} %{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %if %{include_staticlibs} %files static-libs-slowdebug %{_jvmdir}/%{staticlibsportablearchive -- .slowdebug} %{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %endif %endif 
@@ -1651,18 +1651,18 @@ done %files fastdebug %{_jvmdir}/%{jreportablearchive -- .fastdebug} %{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %files devel-fastdebug %{_jvmdir}/%{jdkportablearchive -- .fastdebug} %{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %if %{include_staticlibs} %files static-libs-fastdebug %{_jvmdir}/%{staticlibsportablearchive -- .fastdebug} %{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug} +%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %endif %endif From db7c3cb247e87206b93370d953fbd7cb521ac8ca Mon Sep 17 00:00:00 2001 From: Jiri Date: Tue, 29 Nov 2022 21:08:20 +0100 Subject: [PATCH 59/61] Fixed path to tested static libs image --- java-17-openjdk-portable.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index 96e6413..4d92688 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec @@ -1391,7 +1391,7 @@ for suffix in %{build_loop} ; do popd #staticlibs-images %endif ################################################################################ -# note, currently no debuginfo, consult portbale spec for external (zipped) debuginof, being tarred alone +# note, currently no debuginfo, consult portbale spec for external (zipped) debuginfo, being tarred alone ################################################################################ # build cycles 
@@ -1582,7 +1582,7 @@ $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})| %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} +export STATIC_LIBS_HOME=${top_dir_abs_main_build_path}/../../%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}/images/static-libs/lib/ readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c %endif From 9c0f77627afb9bed999e795dd67d9eeb32d2d935 Mon Sep 17 00:00:00 2001 From: Jiri Date: Wed, 30 Nov 2022 09:26:53 +0100 Subject: [PATCH 60/61] Now finally installing the tarballs --- java-17-openjdk-portable.spec | 41 ++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 5 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index 4d92688..6537058 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec @@ -1400,11 +1400,12 @@ done # end of release / debug cycle loop %install STRIP_KEEP_SYMTAB=libjvm* -if [ "fixme" == "todo" ] ; then + for suffix in %{build_loop} ; do +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +if [ "fixme" == "todo" ] ; then #todo, extract some parts to build, drop the rest - but keep it in rpms after repack # done in build -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} %if %{include_staticlibs} top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} %endif 
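Review bot: The new `STATIC_LIBS_HOME` value hard-codes the `static-libs` directory name and reaches it by climbing `../../` from the main build path, while the build section on this page uses `%{static_libs_image}` and `$(pwd)/%{buildoutputdir -- …}` for the same tree. Writing it the same way keeps the smoke test pointed at the right image if the macro ever changes: `export STATIC_LIBS_HOME="$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}/images/%{static_libs_image}/lib"`. The two `readelf` lines below would then also benefit from quoting, `"$STATIC_LIBS_HOME/libfdlibm.a"`. The surrounding `%check` loop starts outside this hunk.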
@@ -1524,9 +1525,39 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7 find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; +fi # fixme, todo + +################################################################################ + if [ "x$suffix" == "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + mkdir -p $RPM_BUILD_ROOT%{_jvmdir} + mv ../%{jdkportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ../%{jdkportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + mv ../%{jreportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ../%{jreportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ +%if %{include_staticlibs} + mv ../%{staticlibsportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ +%endif + if [ "x$suffix" == "x" ] ; then + dnameSuffix="$nameSuffix".debuginfo +# todo handle debuginfo, see note at build (we will need to pack one stripped and one unstripped release build) +# mv ../%{jdkportablearchive -- "$dnameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ +# mv ../%{jdkportablearchive -- "$dnameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + fi +################################################################################ # end, dual install done -fi +################################################################################ +# the licenses are packed onloy once and shared +mkdir -p $RPM_BUILD_ROOT%{unpacked_licenses} +mv ../%{jdkportablearchive -- "%{normal_suffix}"}-legal $RPM_BUILD_ROOT%{unpacked_licenses}/%{jdkportablearchive -- "%{normal_suffix}"} +# To show sha in the build log +for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do ls -l $file ; cat $file ; done 
+################################################################################ %check @@ -1616,9 +1647,9 @@ done %files devel %{_jvmdir}/%{jdkportablearchive -- %%{nil}} -%{_jvmdir}/%{jdkportablearchive -- .debuginfo} +#%{_jvmdir}/%{jdkportablearchive -- .debuginfo} %{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum -%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum +#%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum %license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}} %if %{include_staticlibs} From 71c1e3f09e9dddcc04e21608d981e5e198a04041 Mon Sep 17 00:00:00 2001 From: Jiri Date: Wed, 30 Nov 2022 13:25:44 +0100 Subject: [PATCH 61/61] Returned properly nameSuffix, as .debug is correct, not -debug --- java-17-openjdk-portable.spec | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index 6537058..173459c 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec 
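Review bot: The added logging loop iterates over the unquoted output of `ls` in backticks, so a build root containing whitespace or glob characters would split or expand the names, and an unmatched pattern turns into an `ls` error instead of an empty loop. Letting the shell glob directly is shorter and safe: `for file in "$RPM_BUILD_ROOT%{_jvmdir}"/*.sha256sum ; do ls -l "$file" ; cat "$file" ; done`. Printing the digests into the build log is a useful independent record, but the loop only displays them; it does not check that the moved archives still match. The `for suffix` loop this block sits in starts outside the hunk.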
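Review bot: The two `.debuginfo` entries under `%files devel` are disabled with a leading `#`, but rpm still expands macros inside comment lines, so `%{jdkportablearchive -- .debuginfo}` is evaluated anyway; rpmlint reports this as macro-in-comment. If that macro's definition (outside this hunk) spans several lines, the expansion would leak uncommented text into the file list. Escaping the percent signs keeps the lines inert, as the changelog in this spec already does with `%%{java_arches}`: `#%%{_jvmdir}/%%{jdkportablearchive -- .debuginfo}` and `#%%{_jvmdir}/%%{jdkportablearchive -- .debuginfo}.sha256sum`.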
@@ -1368,16 +1368,21 @@ for suffix in %{build_loop} ; do ################################################################################ pushd ${top_dir_abs_main_build_path}/images - mv %{jdkimage} %{jdkportablename -- "$suffix"} - mv %{jreimage} %{jreportablename -- "$suffix"} - tar -cJf ../../../../%{jdkportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jdkportablename -- "$suffix"} - sha256sum ../../../../%{jdkportablearchive -- "$suffix"} > ../../../../%{jdkportablearchive -- "$suffix"}.sha256sum - tar -cJf ../../../../%{jreportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jreportablename -- "$suffix"} - sha256sum ../../../../%{jreportablearchive -- "$suffix"} > ../../../../%{jreportablearchive -- "$suffix"}.sha256sum + if [ "x$suffix" == "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + mv %{jdkimage} %{jdkportablename -- "$nameSuffix"} + mv %{jreimage} %{jreportablename -- "$nameSuffix"} + tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"} + sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum + tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"} + sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum # copy licenses so they are avialable out of tarball - cp -rf %{jdkportablename -- "$suffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal - mv %{jdkportablename -- "$suffix"} %{jdkimage} - mv %{jreportablename -- "$suffix"} %{jreimage} + cp -rf %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal + mv %{jdkportablename -- "$nameSuffix"} %{jdkimage} + mv %{jreportablename -- "$nameSuffix"} %{jreimage} popd #images %if %{include_staticlibs} 
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}} @@ -1385,9 +1390,9 @@ for suffix in %{build_loop} ; do # Static libraries (needed for building graal vm with native image) # Tar as overlay. Transform to the JDK name, since we just want to "add" # static libraries to that folder - portableJDKname=%{staticlibsportablename -- "$suffix"} - tar -cJf ../../../../%{staticlibsportablearchive -- "$suffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" - sha256sum ../../../../%{staticlibsportablearchive -- "$suffix"} > ../../../../%{staticlibsportablearchive -- "$suffix"}.sha256sum + portableJDKname=%{staticlibsportablename -- "$nameSuffix"} + tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" + sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum popd #staticlibs-images %endif ################################################################################
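Review bot: The `nameSuffix` derivation added here duplicates the block PATCH 60 put into `%install`, so the archive names written in `%build` and moved in `%install` only agree while both copies stay identical. The `if [ "x$suffix" == "x" ]` branch is also redundant, because `sed` on an empty string already yields an empty string, and `==` inside `[` is not POSIX. A single quoted form without the branch would be `nameSuffix=$(printf '%s' "$suffix" | sed 's/-/./')`, ideally defined once (for example as a spec macro) and used by both sections. The enclosing `for suffix` loop starts outside this hunk.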