From 87b704d81ec002600766d11d0563307349610ae6 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Thu, 24 Feb 2022 01:09:59 +0000 Subject: [PATCH 1/6] Detect NSS at runtime for FIPS detection Turn off build-time NSS linking and go back to an explicit Requires on NSS --- java-17-openjdk.spec | 18 +- rh2052829-fips_runtime_nss_detection.patch | 213 +++++++++++++++++++++ 2 files changed, 227 insertions(+), 4 deletions(-) create mode 100644 rh2052829-fips_runtime_nss_detection.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index f6aaf78..db24254 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -334,7 +334,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 7 +%global rpmrelease 8 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1104,6 +1104,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1326,7 +1328,10 @@ Patch1013: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1015: rh2021263-fips_missing_native_returns.patch +# RH2052819: Fix FIPS reliance on crypto policies Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch +# RH2052829: Detect NSS at Runtime for FIPS detection +Patch1017: rh2052829-fips_runtime_nss_detection.patch ############################################# # @@ -1361,8 +1366,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg and FIPS support -BuildRequires: nss-devel >= 3.53 +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1757,6 +1762,7 @@ popd # openjdk %patch1014 %patch1015 %patch1016 +%patch1017 # Extract systemtap tapsets %if %{with_systemtap} @@ -1900,7 +1906,7 @@ function buildjdk() { --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ - --enable-sysconf-nss \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ @@ -2528,6 +2534,10 @@ cjc.mainProgram(args) %endif %changelog +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS + * Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-7 - Reinstate JIT builds on x86_32. - Add JDK-8282004 to fix missing CALL effects on x86_32. diff --git a/rh2052829-fips_runtime_nss_detection.patch b/rh2052829-fips_runtime_nss_detection.patch new file mode 100644 index 0000000..c609fce --- /dev/null +++ b/rh2052829-fips_runtime_nss_detection.patch @@ -0,0 +1,213 @@ +commit 090ea0389db5c2e0c8ee13652bccd544b17872c2 +Author: Andrew Hughes +Date: Mon Feb 7 15:33:27 2022 +0000 + + RH2051605: Detect NSS at Runtime for FIPS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index caf678a7dd6..8dcb7d9073f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -23,26 +23,37 @@ + * questions. + */ + +-#include + #include + #include ++#include "jvm_md.h" + #include + + #ifdef SYSCONF_NSS + #include ++#else ++#include + #endif //SYSCONF_NSS + + #include "java_security_SystemConfigurator.h" + +-#define MSG_MAX_SIZE 96 ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); + ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read +-#ifndef SYSCONF_NSS +- +-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} + + static void throwIOException(JNIEnv *env, const char *msg) + { +@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg) + (*env)->ThrowNew(env, cls, msg); + } + +-#endif ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} + +-static void dbgPrint(JNIEnv *env, const char* msg) ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) + { +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); +- } ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } + } + ++#endif ++ + /* + * Class: java_security_SystemConfigurator + * Method: JNI_OnLoad +@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ + return (*env)->GetVersion(env); + } + +@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif + (*env)->DeleteGlobalRef(env, debugObj); + } + } +@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +-#ifdef SYSCONF_NSS +- +- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); +- fips_enabled = SECMOD_GetSystemFIPSEnabled(); +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " SECMOD_GetSystemFIPSEnabled return value"); +- } +- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ FILE *fe; + +-#else // SYSCONF_NSS +- +- FILE *fe; +- +- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); +- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- fips_enabled = fgetc(fe); +- fclose(fe); +- if (fips_enabled == EOF) { ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " read character is '%c'", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); +- } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " read character"); +- } +- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); +- +-#endif // SYSCONF_NSS + } From 8c47abf37c9994a9d8283b382cf6ad45ad9fe744 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 30 Mar 2022 20:15:01 +0100 Subject: [PATCH 2/6] java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18 --- java-17-openjdk.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index db24254..562b6c9 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -314,7 +314,7 @@ # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver 17 +%global buildjdkver %{featurever} # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -1372,7 +1372,7 @@ BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem -BuildRequires: java-latest-openjdk-devel +BuildRequires: java-%{buildjdkver}-openjdk-devel # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel @@ -2534,6 +2534,9 @@ cjc.mainProgram(args) %endif %changelog +* Wed Mar 30 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18 + * Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-8 - Detect NSS at runtime for FIPS detection - Turn off build-time NSS linking and go back to an explicit Requires on NSS From 8a08a43c551d78d40fb56eea17a9cea27d1f3711 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 6 Apr 2022 17:42:56 +0100 Subject: [PATCH 3/6] Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode --- java-17-openjdk.spec | 8 +- ...ble_algorithmparameters_in_fips_mode.patch | 1182 +++++++++++++++++ 2 files changed, 1189 insertions(+), 1 deletion(-) create mode 100644 rh2052070-enable_algorithmparameters_in_fips_mode.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 562b6c9..1de2899 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -334,7 +334,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 8 -%global rpmrelease 8 +%global rpmrelease 9 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1332,6 +1332,8 @@ Patch1015: rh2021263-fips_missing_native_returns.patch Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch # RH2052829: Detect NSS at Runtime for FIPS detection Patch1017: rh2052829-fips_runtime_nss_detection.patch +# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch ############################################# # @@ -1763,6 +1765,7 @@ popd # openjdk %patch1015 %patch1016 %patch1017 +%patch1018 # Extract systemtap tapsets %if %{with_systemtap} @@ -2534,6 +2537,9 @@ cjc.mainProgram(args) %endif %changelog +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.2.0.8-9 +- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode + * Wed Mar 30 2022 Andrew Hughes - 1:17.0.2.0.8-8 - java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18 diff --git a/rh2052070-enable_algorithmparameters_in_fips_mode.patch b/rh2052070-enable_algorithmparameters_in_fips_mode.patch new file mode 100644 index 0000000..7488ea5 --- /dev/null +++ b/rh2052070-enable_algorithmparameters_in_fips_mode.patch @@ -0,0 +1,1182 @@ +commit 6e74f283739af0d867df01d20f82865f559a45ea +Author: Martin Balao +Date: Mon Feb 28 04:58:05 2022 +0000 + + RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode + +diff --git openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +index a020e1c15d8..6d459fdec01 100644 +--- openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java ++++ openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +@@ -31,6 +31,7 @@ import java.security.SecureRandom; + import java.security.PrivilegedAction; + import java.util.HashMap; + import java.util.List; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.util.SecurityProviderConstants.*; + +@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*; + + public final class SunJCE extends Provider { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + @java.io.Serial + private static final long serialVersionUID = 6812507587804302833L; + +@@ -143,285 +148,287 @@ public final class SunJCE extends Provider { + void putEntries() { + // reuse attribute map and reset before each reuse + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" +- + "|OAEPWITHMD5ANDMGF1PADDING" +- + "|OAEPWITHSHA1ANDMGF1PADDING" +- + "|OAEPWITHSHA-1ANDMGF1PADDING" +- + "|OAEPWITHSHA-224ANDMGF1PADDING" +- + "|OAEPWITHSHA-256ANDMGF1PADDING" +- + "|OAEPWITHSHA-384ANDMGF1PADDING" +- + "|OAEPWITHSHA-512ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" +- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); +- ps("Cipher", "RSA", +- "com.sun.crypto.provider.RSACipher", null, attrs); +- +- // common block cipher modes, pads +- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + +- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + +- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; +- final String BLOCK_MODES128 = BLOCK_MODES + +- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + +- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; +- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DES", +- "com.sun.crypto.provider.DESCipher", null, attrs); +- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", +- attrs); +- ps("Cipher", "Blowfish", +- "com.sun.crypto.provider.BlowfishCipher", null, attrs); +- +- ps("Cipher", "RC2", +- "com.sun.crypto.provider.RC2Cipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", BLOCK_MODES128); +- attrs.put("SupportedPaddings", BLOCK_PADS); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES", +- "com.sun.crypto.provider.AESCipher$General", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "AES/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", +- attrs); +- ps("Cipher", "AES/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_128/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_128/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_128/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_128/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_128/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_192/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_192/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_192/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_192/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_192/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", +- attrs); +- +- psA("Cipher", "AES_256/ECB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CBC/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", +- attrs); +- psA("Cipher", "AES_256/OFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/CFB/NoPadding", +- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", +- attrs); +- psA("Cipher", "AES_256/KW/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", +- attrs); +- ps("Cipher", "AES_256/KW/PKCS5Padding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", +- null, attrs); +- psA("Cipher", "AES_256/KWP/NoPadding", +- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "GCM"); +- attrs.put("SupportedKeyFormats", "RAW"); +- +- ps("Cipher", "AES/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, +- attrs); +- psA("Cipher", "AES_128/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES128", +- attrs); +- psA("Cipher", "AES_192/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES192", +- attrs); +- psA("Cipher", "AES_256/GCM/NoPadding", +- "com.sun.crypto.provider.GaloisCounterMode$AES256", +- attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "CBC"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "DESedeWrap", +- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); +- +- attrs.clear(); +- attrs.put("SupportedModes", "ECB"); +- attrs.put("SupportedPaddings", "NOPADDING"); +- attrs.put("SupportedKeyFormats", "RAW"); +- psA("Cipher", "ARCFOUR", +- "com.sun.crypto.provider.ARCFOURCipher", attrs); +- +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Cipher", "ChaCha20", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", +- null, attrs); +- psA("Cipher", "ChaCha20-Poly1305", +- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", +- attrs); +- +- // PBES1 +- psA("Cipher", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", +- null); +- ps("Cipher", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); +- psA("Cipher", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", +- null); +- psA("Cipher", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", +- null); +- psA("Cipher", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", +- null); +- +- psA("Cipher", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", +- null); +- +- // PBES2 +- ps("Cipher", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); +- +- ps("Cipher", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); +- +- ps("Cipher", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); +- +- /* +- * Key(pair) Generator engines +- */ +- ps("KeyGenerator", "DES", +- "com.sun.crypto.provider.DESKeyGenerator"); +- psA("KeyGenerator", "DESede", +- "com.sun.crypto.provider.DESedeKeyGenerator", +- null); +- ps("KeyGenerator", "Blowfish", +- "com.sun.crypto.provider.BlowfishKeyGenerator"); +- psA("KeyGenerator", "AES", +- "com.sun.crypto.provider.AESKeyGenerator", +- null); +- ps("KeyGenerator", "RC2", +- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); +- psA("KeyGenerator", "ARCFOUR", +- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", +- null); +- ps("KeyGenerator", "ChaCha20", +- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); +- ps("KeyGenerator", "HmacMD5", +- "com.sun.crypto.provider.HmacMD5KeyGenerator"); +- +- psA("KeyGenerator", "HmacSHA1", +- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); +- psA("KeyGenerator", "HmacSHA224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", +- null); +- psA("KeyGenerator", "HmacSHA256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", +- null); +- psA("KeyGenerator", "HmacSHA384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", +- null); +- psA("KeyGenerator", "HmacSHA512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", +- null); +- psA("KeyGenerator", "HmacSHA512/224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", +- null); +- psA("KeyGenerator", "HmacSHA512/256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", +- null); +- +- psA("KeyGenerator", "HmacSHA3-224", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", +- null); +- psA("KeyGenerator", "HmacSHA3-256", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", +- null); +- psA("KeyGenerator", "HmacSHA3-384", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", +- null); +- psA("KeyGenerator", "HmacSHA3-512", +- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", +- null); +- +- psA("KeyPairGenerator", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyPairGenerator", +- null); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" ++ + "|OAEPWITHMD5ANDMGF1PADDING" ++ + "|OAEPWITHSHA1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-1ANDMGF1PADDING" ++ + "|OAEPWITHSHA-224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-256ANDMGF1PADDING" ++ + "|OAEPWITHSHA-384ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" ++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ps("Cipher", "RSA", ++ "com.sun.crypto.provider.RSACipher", null, attrs); ++ ++ // common block cipher modes, pads ++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + ++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + ++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; ++ final String BLOCK_MODES128 = BLOCK_MODES + ++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + ++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; ++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DES", ++ "com.sun.crypto.provider.DESCipher", null, attrs); ++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", ++ attrs); ++ ps("Cipher", "Blowfish", ++ "com.sun.crypto.provider.BlowfishCipher", null, attrs); ++ ++ ps("Cipher", "RC2", ++ "com.sun.crypto.provider.RC2Cipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", BLOCK_MODES128); ++ attrs.put("SupportedPaddings", BLOCK_PADS); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES", ++ "com.sun.crypto.provider.AESCipher$General", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "AES/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_128/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_128/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_128/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_128/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_192/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_192/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_192/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_192/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", ++ attrs); ++ ++ psA("Cipher", "AES_256/ECB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CBC/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/OFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/CFB/NoPadding", ++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", ++ attrs); ++ psA("Cipher", "AES_256/KW/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", ++ attrs); ++ ps("Cipher", "AES_256/KW/PKCS5Padding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", ++ null, attrs); ++ psA("Cipher", "AES_256/KWP/NoPadding", ++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "GCM"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ++ ps("Cipher", "AES/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, ++ attrs); ++ psA("Cipher", "AES_128/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES128", ++ attrs); ++ psA("Cipher", "AES_192/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES192", ++ attrs); ++ psA("Cipher", "AES_256/GCM/NoPadding", ++ "com.sun.crypto.provider.GaloisCounterMode$AES256", ++ attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "CBC"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "DESedeWrap", ++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedModes", "ECB"); ++ attrs.put("SupportedPaddings", "NOPADDING"); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ psA("Cipher", "ARCFOUR", ++ "com.sun.crypto.provider.ARCFOURCipher", attrs); ++ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Cipher", "ChaCha20", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", ++ null, attrs); ++ psA("Cipher", "ChaCha20-Poly1305", ++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", ++ attrs); ++ ++ // PBES1 ++ psA("Cipher", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", ++ null); ++ ps("Cipher", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); ++ psA("Cipher", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", ++ null); ++ psA("Cipher", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("Cipher", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", ++ null); ++ ++ // PBES2 ++ ps("Cipher", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); ++ ++ ps("Cipher", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); ++ ++ ps("Cipher", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); ++ ++ /* ++ * Key(pair) Generator engines ++ */ ++ ps("KeyGenerator", "DES", ++ "com.sun.crypto.provider.DESKeyGenerator"); ++ psA("KeyGenerator", "DESede", ++ "com.sun.crypto.provider.DESedeKeyGenerator", ++ null); ++ ps("KeyGenerator", "Blowfish", ++ "com.sun.crypto.provider.BlowfishKeyGenerator"); ++ psA("KeyGenerator", "AES", ++ "com.sun.crypto.provider.AESKeyGenerator", ++ null); ++ ps("KeyGenerator", "RC2", ++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); ++ psA("KeyGenerator", "ARCFOUR", ++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", ++ null); ++ ps("KeyGenerator", "ChaCha20", ++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); ++ ps("KeyGenerator", "HmacMD5", ++ "com.sun.crypto.provider.HmacMD5KeyGenerator"); ++ ++ psA("KeyGenerator", "HmacSHA1", ++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); ++ psA("KeyGenerator", "HmacSHA224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", ++ null); ++ psA("KeyGenerator", "HmacSHA256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", ++ null); ++ psA("KeyGenerator", "HmacSHA384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", ++ null); ++ psA("KeyGenerator", "HmacSHA512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", ++ null); ++ psA("KeyGenerator", "HmacSHA512/224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", ++ null); ++ psA("KeyGenerator", "HmacSHA512/256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", ++ null); ++ ++ psA("KeyGenerator", "HmacSHA3-224", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", ++ null); ++ psA("KeyGenerator", "HmacSHA3-256", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", ++ null); ++ psA("KeyGenerator", "HmacSHA3-384", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", ++ null); ++ psA("KeyGenerator", "HmacSHA3-512", ++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", ++ null); ++ ++ psA("KeyPairGenerator", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyPairGenerator", ++ null); ++ } + + /* + * Algorithm parameter generation engines +@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { + "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", + null); + +- /* +- * Key Agreement engines +- */ +- attrs.clear(); +- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + +- "|javax.crypto.interfaces.DHPrivateKey"); +- psA("KeyAgreement", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyAgreement", +- attrs); ++ if (!systemFipsEnabled) { ++ /* ++ * Key Agreement engines ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + ++ "|javax.crypto.interfaces.DHPrivateKey"); ++ psA("KeyAgreement", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyAgreement", ++ attrs); ++ } + + /* + * Algorithm Parameter engines +@@ -531,197 +540,199 @@ public final class SunJCE extends Provider { + psA("AlgorithmParameters", "ChaCha20-Poly1305", + "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null); + +- /* +- * Key factories +- */ +- psA("KeyFactory", "DiffieHellman", +- "com.sun.crypto.provider.DHKeyFactory", +- null); +- +- /* +- * Secret-key factories +- */ +- ps("SecretKeyFactory", "DES", +- "com.sun.crypto.provider.DESKeyFactory"); +- +- psA("SecretKeyFactory", "DESede", +- "com.sun.crypto.provider.DESedeKeyFactory", null); +- +- psA("SecretKeyFactory", "PBEWithMD5AndDES", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", +- null); +- +- /* +- * Internal in-house crypto algorithm used for +- * the JCEKS keystore type. Since this was developed +- * internally, there isn't an OID corresponding to this +- * algorithm. +- */ +- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndDESede", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", +- null); +- +- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", +- null); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); +- +- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", +- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); +- +- // PBKDF2 +- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", +- null); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); +- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", +- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); +- +- /* +- * MAC +- */ +- attrs.clear(); +- attrs.put("SupportedKeyFormats", "RAW"); +- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); +- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", +- attrs); +- psA("Mac", "HmacSHA224", +- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); +- psA("Mac", "HmacSHA256", +- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); +- psA("Mac", "HmacSHA384", +- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); +- psA("Mac", "HmacSHA512", +- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); +- psA("Mac", "HmacSHA512/224", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); +- psA("Mac", "HmacSHA512/256", +- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); +- psA("Mac", "HmacSHA3-224", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); +- psA("Mac", "HmacSHA3-256", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); +- psA("Mac", "HmacSHA3-384", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); +- psA("Mac", "HmacSHA3-512", +- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); +- +- ps("Mac", "HmacPBESHA1", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", +- null, attrs); +- ps("Mac", "HmacPBESHA224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", +- null, attrs); +- ps("Mac", "HmacPBESHA256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", +- null, attrs); +- ps("Mac", "HmacPBESHA384", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", +- null, attrs); +- ps("Mac", "HmacPBESHA512", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", +- null, attrs); +- ps("Mac", "HmacPBESHA512/224", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", +- null, attrs); +- ps("Mac", "HmacPBESHA512/256", +- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", +- null, attrs); +- +- +- // PBMAC1 +- ps("Mac", "PBEWithHmacSHA1", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); +- ps("Mac", "PBEWithHmacSHA224", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); +- ps("Mac", "PBEWithHmacSHA256", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); +- ps("Mac", "PBEWithHmacSHA384", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); +- ps("Mac", "PBEWithHmacSHA512", +- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); +- ps("Mac", "SslMacMD5", +- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); +- ps("Mac", "SslMacSHA1", +- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); +- +- /* +- * KeyStore +- */ +- ps("KeyStore", "JCEKS", +- "com.sun.crypto.provider.JceKeyStore"); +- +- /* +- * SSL/TLS mechanisms +- * +- * These are strictly internal implementations and may +- * be changed at any time. These names were chosen +- * because PKCS11/SunPKCS11 does not yet have TLS1.2 +- * mechanisms, and it will cause calls to come here. +- */ +- ps("KeyGenerator", "SunTlsPrf", +- "com.sun.crypto.provider.TlsPrfGenerator$V10"); +- ps("KeyGenerator", "SunTls12Prf", +- "com.sun.crypto.provider.TlsPrfGenerator$V12"); +- +- ps("KeyGenerator", "SunTlsMasterSecret", +- "com.sun.crypto.provider.TlsMasterSecretGenerator", +- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), +- null); +- +- ps("KeyGenerator", "SunTlsKeyMaterial", +- "com.sun.crypto.provider.TlsKeyMaterialGenerator", +- List.of("SunTls12KeyMaterial"), null); +- +- ps("KeyGenerator", "SunTlsRsaPremasterSecret", +- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", +- List.of("SunTls12RsaPremasterSecret"), null); ++ if (!systemFipsEnabled) { ++ /* ++ * Key factories ++ */ ++ psA("KeyFactory", "DiffieHellman", ++ "com.sun.crypto.provider.DHKeyFactory", ++ null); ++ ++ /* ++ * Secret-key factories ++ */ ++ ps("SecretKeyFactory", "DES", ++ "com.sun.crypto.provider.DESKeyFactory"); ++ ++ psA("SecretKeyFactory", "DESede", ++ "com.sun.crypto.provider.DESedeKeyFactory", null); ++ ++ psA("SecretKeyFactory", "PBEWithMD5AndDES", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", ++ null); ++ ++ /* ++ * Internal in-house crypto algorithm used for ++ * the JCEKS keystore type. Since this was developed ++ * internally, there isn't an OID corresponding to this ++ * algorithm. ++ */ ++ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndDESede", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", ++ null); ++ ++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", ++ null); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); ++ ++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", ++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); ++ ++ // PBKDF2 ++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", ++ null); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); ++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", ++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); ++ ++ /* ++ * MAC ++ */ ++ attrs.clear(); ++ attrs.put("SupportedKeyFormats", "RAW"); ++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); ++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", ++ attrs); ++ psA("Mac", "HmacSHA224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); ++ psA("Mac", "HmacSHA256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); ++ psA("Mac", "HmacSHA384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); ++ psA("Mac", "HmacSHA512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); ++ psA("Mac", "HmacSHA512/224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); ++ psA("Mac", "HmacSHA512/256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); ++ psA("Mac", "HmacSHA3-224", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); ++ psA("Mac", "HmacSHA3-256", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); ++ psA("Mac", "HmacSHA3-384", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); ++ psA("Mac", "HmacSHA3-512", ++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); ++ ++ ps("Mac", "HmacPBESHA1", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", ++ null, attrs); ++ ps("Mac", "HmacPBESHA224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", ++ null, attrs); ++ ps("Mac", "HmacPBESHA384", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/224", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", ++ null, attrs); ++ ps("Mac", "HmacPBESHA512/256", ++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", ++ null, attrs); ++ ++ ++ // PBMAC1 ++ ps("Mac", "PBEWithHmacSHA1", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); ++ ps("Mac", "PBEWithHmacSHA224", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); ++ ps("Mac", "PBEWithHmacSHA256", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); ++ ps("Mac", "PBEWithHmacSHA384", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); ++ ps("Mac", "PBEWithHmacSHA512", ++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); ++ ps("Mac", "SslMacMD5", ++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); ++ ps("Mac", "SslMacSHA1", ++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); ++ ++ /* ++ * KeyStore ++ */ ++ ps("KeyStore", "JCEKS", ++ "com.sun.crypto.provider.JceKeyStore"); ++ ++ /* ++ * SSL/TLS mechanisms ++ * ++ * These are strictly internal implementations and may ++ * be changed at any time. These names were chosen ++ * because PKCS11/SunPKCS11 does not yet have TLS1.2 ++ * mechanisms, and it will cause calls to come here. ++ */ ++ ps("KeyGenerator", "SunTlsPrf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V10"); ++ ps("KeyGenerator", "SunTls12Prf", ++ "com.sun.crypto.provider.TlsPrfGenerator$V12"); ++ ++ ps("KeyGenerator", "SunTlsMasterSecret", ++ "com.sun.crypto.provider.TlsMasterSecretGenerator", ++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), ++ null); ++ ++ ps("KeyGenerator", "SunTlsKeyMaterial", ++ "com.sun.crypto.provider.TlsKeyMaterialGenerator", ++ List.of("SunTls12KeyMaterial"), null); ++ ++ ps("KeyGenerator", "SunTlsRsaPremasterSecret", ++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", ++ List.of("SunTls12RsaPremasterSecret"), null); ++ } + } + + // Return the instance of this class or create one if needed. +diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +index 7cb5ebcde51..709d32912ca 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java ++++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +@@ -193,20 +193,22 @@ public final class SunEntries { + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); ++ } + +- /* +- * Algorithm Parameter Generator engines +- */ +- addWithAlias(p, "AlgorithmParameterGenerator", "DSA", +- "sun.security.provider.DSAParameterGenerator", attrs); +- attrs.remove("KeySize"); ++ /* ++ * Algorithm Parameter Generator engines ++ */ ++ addWithAlias(p, "AlgorithmParameterGenerator", "DSA", ++ "sun.security.provider.DSAParameterGenerator", attrs); ++ attrs.remove("KeySize"); + +- /* +- * Algorithm Parameter engines +- */ +- addWithAlias(p, "AlgorithmParameters", "DSA", +- "sun.security.provider.DSAParameters", attrs); ++ /* ++ * Algorithm Parameter engines ++ */ ++ addWithAlias(p, "AlgorithmParameters", "DSA", ++ "sun.security.provider.DSAParameters", attrs); + ++ if (!systemFipsEnabled) { + /* + * Key factories + */ +diff --git openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +index ca79f25cc44..16c5ad2e227 100644 +--- openjdk.orig/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java ++++ openjdk/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +@@ -27,6 +27,7 @@ package sun.security.rsa; + + import java.util.*; + import java.security.Provider; ++import jdk.internal.access.SharedSecrets; + import static sun.security.util.SecurityProviderConstants.getAliases; + + /** +@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + */ + public final class SunRsaSignEntries { + ++ private static final boolean systemFipsEnabled = ++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled(); ++ + private void add(Provider p, String type, String algo, String cn, + List aliases, HashMap attrs) { + services.add(new Provider.Service(p, type, algo, cn, +@@ -56,49 +61,52 @@ public final class SunRsaSignEntries { + // start populating content using the specified provider + // common attribute map + HashMap attrs = new HashMap<>(3); +- attrs.put("SupportedKeyClasses", +- "java.security.interfaces.RSAPublicKey" + +- "|java.security.interfaces.RSAPrivateKey"); ++ if (!systemFipsEnabled) { ++ attrs.put("SupportedKeyClasses", ++ "java.security.interfaces.RSAPublicKey" + ++ "|java.security.interfaces.RSAPrivateKey"); ++ ++ add(p, "KeyFactory", "RSA", ++ "sun.security.rsa.RSAKeyFactory$Legacy", ++ getAliases("PKCS1"), null); ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); + +- add(p, "KeyFactory", "RSA", +- "sun.security.rsa.RSAKeyFactory$Legacy", +- getAliases("PKCS1"), null); +- add(p, "KeyPairGenerator", "RSA", +- "sun.security.rsa.RSAKeyPairGenerator$Legacy", +- getAliases("PKCS1"), null); +- addA(p, "Signature", "MD2withRSA", +- "sun.security.rsa.RSASignature$MD2withRSA", attrs); +- addA(p, "Signature", "MD5withRSA", +- "sun.security.rsa.RSASignature$MD5withRSA", attrs); +- addA(p, "Signature", "SHA1withRSA", +- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); +- addA(p, "Signature", "SHA224withRSA", +- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); +- addA(p, "Signature", "SHA256withRSA", +- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); +- addA(p, "Signature", "SHA384withRSA", +- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); +- addA(p, "Signature", "SHA512withRSA", +- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); +- addA(p, "Signature", "SHA512/224withRSA", +- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); +- addA(p, "Signature", "SHA512/256withRSA", +- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); +- addA(p, "Signature", "SHA3-224withRSA", +- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); +- addA(p, "Signature", "SHA3-256withRSA", +- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); +- addA(p, "Signature", "SHA3-384withRSA", +- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); +- addA(p, "Signature", "SHA3-512withRSA", +- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ addA(p, "KeyFactory", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyFactory$PSS", attrs); ++ addA(p, "KeyPairGenerator", "RSASSA-PSS", ++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); ++ addA(p, "Signature", "RSASSA-PSS", ++ "sun.security.rsa.RSAPSSSignature", attrs); ++ } + +- addA(p, "KeyFactory", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); + addA(p, "AlgorithmParameters", "RSASSA-PSS", + "sun.security.rsa.PSSParameters", null); + } +diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security +index 3a322854204..5a355e70cae 100644 +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -86,6 +86,8 @@ fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg + fips.provider.2=SUN + fips.provider.3=SunEC + fips.provider.4=SunJSSE ++fips.provider.5=SunJCE ++fips.provider.6=SunRsaSign + + # + # A list of preferred providers for specific algorithms. These providers will From 52e513df50dce3236b17ac5f0fbc3bb9d6dea57e Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Fri, 8 Apr 2022 17:42:37 +0100 Subject: [PATCH 4/6] Update to jdk-17.0.3.0+1 Update release notes to 17.0.3.0+1 Switch to EA mode for 17.0.3 pre-release builds. Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value --- .gitignore | 1 + NEWS | 141 ++++++++++++++++++ java-17-openjdk.spec | 18 ++- jdk8283911-default_promoted_version_pre.patch | 16 ++ sources | 2 +- 5 files changed, 173 insertions(+), 5 deletions(-) create mode 100644 jdk8283911-default_promoted_version_pre.patch diff --git a/.gitignore b/.gitignore index 2bc3036..fa4239b 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /openjdk-jdk17u-jdk-17.0.1+12.tar.xz /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz /openjdk-jdk17u-jdk-17.0.2+8.tar.xz +/openjdk-jdk17u-jdk-17.0.3+1.tar.xz diff --git a/NEWS b/NEWS index 78938f4..50b37ae 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,147 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 17.0.3 (2022-04-19): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1703 + * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt + +* Other changes + - JDK-8177814: jdk/editpad is not in jdk TEST.groups + - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 + - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently + - JDK-8225559: assertion error at TransTypes.visitApply + - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful + - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails + - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test + - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1 + - JDK-8251216: Implement MD5 intrinsics on AArch64 + - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost" + - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" + - JDK-8263567: gtests don't terminate the VM safely + - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark + - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups + - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it + - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only + - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM + - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file + - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java + - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long' + - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error + - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" + - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor + - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity + - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty + - JDK-8271506: Add ResourceHashtable support for deleting selected entries + - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories + - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates + - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code + - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt + - JDK-8273277: C2: Move conditional negation into rc_predicate + - JDK-8273341: Update Siphash to version 1.0 + - JDK-8273351: bad tag in jdk.random module-info.java + - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12 + - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm + - JDK-8273387: remove some unreferenced gtk-related functions + - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests + - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests + - JDK-8273526: Extend the OSContainer API pids controller with pids.current + - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java + - JDK-8273682: Upgrade Jline to 3.20.0 + - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time + - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 + - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions + - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 + - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform) + - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes + - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures + - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + - JDK-8274658: ISO 4217 Amendment 170 Update + - JDK-8274714: Incorrect verifier protected access error message + - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976 + - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes + - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler + - JDK-8274935: dumptime_table has stale entry + - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info + - JDK-8275082: Update XML Security for Java to 2.3.0 + - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime + - JDK-8275586: Zero: Simplify interpreter initialization + - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow + - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault + - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg + - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64 + - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 + - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException + - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock + - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method + - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue + - JDK-8276057: Update JMH devkit to 1.33 + - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" + - JDK-8276314: [JVMCI] check alignment of call displacement during code installation + - JDK-8276623: JDK-8275650 accidentally pushed "out" file + - JDK-8276654: element-list order is non deterministic + - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common() + - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod + - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content + - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible" + - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 + - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 + - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows + - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for + - JDK-8277385: Zero: Enable CompactStrings support + - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last + - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop + - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs + - JDK-8277497: Last column cell in the JTable row is read as empty cell + - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found." + - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad + - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64 + - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording + - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 + - JDK-8278016: Add compiler tests to tier{2,3} + - JDK-8278020: ~13% variation in Renaissance-Scrabble + - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError + - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute' + - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx + - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx + - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux + - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d + - JDK-8278241: Implement JVM SpinPause on linux-aarch64 + - JDK-8278309: [windows] use of uninitialized OSThread::_state + - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output + - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec + - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT + - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic + - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column + - JDK-8278604: SwingSet2 table demo does not have accessible description set for images + - JDK-8278627: Shenandoah: TestHeapDump test failed + - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134 + - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3 + - JDK-8278824: Uneven work distribution when scanning heap roots in G1 + - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob + - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__ + - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t + - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 + - JDK-8279124: VM does not handle SIGQUIT during initialization + - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers + - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest + - JDK-8279379: GHA: Print tests that are in error + - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it + - JDK-8279445: Update JMH devkit to 1.34 + - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms + - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT + - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 + - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 + - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks + - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" + - JDK-8280002: jmap -histo may leak stream + - JDK-8280155: [PPC64, s390] frame size checks are not yet correct + - JDK-8280414: Memory leak in DefaultProxySelector + - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} + New in release OpenJDK 17.0.2 (2022-01-18): =========================================== Live versions of these release notes can be found at: diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 1de2899..035d14c 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -305,7 +305,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 2 +%global updatever 3 %global patchver 0 # If you bump featurever, you must also bump vendor_version_string # Used via new version scheme. JDK 17 was @@ -333,8 +333,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 -%global rpmrelease 9 +%global buildver 1 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -357,7 +357,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global build_type GA %global expected_ea_designator "" @@ -1342,6 +1342,8 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch ############################################# # JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects Patch7: jdk8282004-x86_32-missing_call_effects.patch +# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 +Patch2001: jdk8283911-default_promoted_version_pre.patch BuildRequires: autoconf BuildRequires: automake @@ -1767,6 +1769,8 @@ popd # openjdk %patch1017 %patch1018 +%patch2001 + # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} @@ -2537,6 +2541,12 @@ cjc.mainProgram(args) %endif %changelog +* Fri Apr 08 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value + * Wed Apr 06 2022 Andrew Hughes - 1:17.0.2.0.8-9 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode diff --git a/jdk8283911-default_promoted_version_pre.patch b/jdk8283911-default_promoted_version_pre.patch new file mode 100644 index 0000000..b94cbd5 --- /dev/null +++ b/jdk8283911-default_promoted_version_pre.patch @@ -0,0 +1,16 @@ +commit 37807a694f89611f60880260d2bb7162908bc0c8 +Author: Andrew Hughes +Date: Wed Mar 30 04:19:43 2022 +0100 + + 8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 + +diff --git openjdk.orig/make/conf/version-numbers.conf openjdk/make/conf/version-numbers.conf +index 71b19762f2e..7378ec67a48 100644 +--- openjdk.orig/make/conf/version-numbers.conf ++++ openjdk/make/conf/version-numbers.conf +@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0 + DEFAULT_VERSION_DOCS_API_SINCE=11 + DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17" + DEFAULT_JDK_SOURCE_TARGET_VERSION=17 +-DEFAULT_PROMOTED_VERSION_PRE= ++DEFAULT_PROMOTED_VERSION_PRE=ea diff --git a/sources b/sources index 22e666f..363f8f6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.2+8.tar.xz) = 03371771574c19c38f9091eaad7c46d1638c95e5a3ab16e5ce540bf0f9dcbf8f60fd3848f75fd6fb5eb5fa35a91ca8a6a7b582ce4cf5c7cd2efe6c0957c98719 +SHA512 (openjdk-jdk17u-jdk-17.0.3+1.tar.xz) = f6bc8ba86a3e7dcd7d5c9ac17fe0ff337b76cc654b667bd1d506778dfa76b3d140731119738fa330601f5f4751ce11c9bf9877bad403d6ed610f2c91570dd304 From a29fc2e2664f82174bee5f1e6956cbce2f0d2127 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 13 Apr 2022 03:34:46 +0100 Subject: [PATCH 5/6] Update to jdk-17.0.3.0+5 Update release notes to 17.0.3.0+5 --- .gitignore | 1 + NEWS | 42 ++++++++++++++++++++++++++++++++++++++++++ java-17-openjdk.spec | 6 +++++- sources | 2 +- 4 files changed, 49 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index fa4239b..a07e974 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz /openjdk-jdk17u-jdk-17.0.2+8.tar.xz /openjdk-jdk17u-jdk-17.0.3+1.tar.xz +/openjdk-jdk17u-jdk-17.0.3+5.tar.xz diff --git a/NEWS b/NEWS index 50b37ae..7c85481 100644 --- a/NEWS +++ b/NEWS @@ -32,14 +32,21 @@ Live versions of these release notes can be found at: - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long' - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" + - JDK-8270117: Broken jtreg link in "Building the JDK" page - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity + - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty - JDK-8271506: Add ResourceHashtable support for deleting selected entries + - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() + - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code + - JDK-8272600: (test) Use native "sleep" in Basic.java + - JDK-8272866: java.util.random package summary contains incorrect mixing function in table + - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt - JDK-8273277: C2: Move conditional negation into rc_predicate - JDK-8273341: Update Siphash to version 1.0 @@ -51,6 +58,7 @@ Live versions of these release notes can be found at: - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests - JDK-8273526: Extend the OSContainer API pids controller with pids.current - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java + - JDK-8273655: content-types.properties files are missing some common types - JDK-8273682: Upgrade Jline to 3.20.0 - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 @@ -58,8 +66,12 @@ Live versions of these release notes can be found at: - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform) - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes + - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures + - JDK-8274471: Add support for RSASSA-PSS in OCSP Response - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root + - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake + - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS - JDK-8274658: ISO 4217 Amendment 170 Update - JDK-8274714: Incorrect verifier protected access error message - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976 @@ -69,6 +81,7 @@ Live versions of these release notes can be found at: - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info - JDK-8275082: Update XML Security for Java to 2.3.0 - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime - JDK-8275586: Zero: Simplify interpreter initialization - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow @@ -81,6 +94,7 @@ Live versions of these release notes can be found at: - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue - JDK-8276057: Update JMH devkit to 1.33 + - JDK-8276141: XPathFactory set/getProperty method - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" - JDK-8276314: [JVMCI] check alignment of call displacement during code installation - JDK-8276623: JDK-8275650 accidentally pushed "out" file @@ -88,32 +102,42 @@ Live versions of these release notes can be found at: - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common() - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content + - JDK-8276841: Add support for Visual Studio 2022 - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible" - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 + - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for + - JDK-8277383: VM.metaspace optionally show chunk freelist details - JDK-8277385: Zero: Enable CompactStrings support - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs + - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 - JDK-8277497: Last column cell in the JTable row is read as empty cell - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found." + - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad + - JDK-8277795: ldap connection timeout not honoured under contention - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64 - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 - JDK-8278016: Add compiler tests to tier{2,3} - JDK-8278020: ~13% variation in Renaissance-Scrabble + - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute' - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx + - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux + - JDK-8278185: Custom JRE cannot find non-ASCII named module inside - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d - JDK-8278241: Implement JVM SpinPause on linux-aarch64 - JDK-8278309: [windows] use of uninitialized OSThread::_state - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output + - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic @@ -124,6 +148,7 @@ Live versions of these release notes can be found at: - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3 - JDK-8278824: Uneven work distribution when scanning heap roots in G1 - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob + - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__ - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 @@ -131,18 +156,35 @@ Live versions of these release notes can be found at: - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest - JDK-8279379: GHA: Print tests that are in error + - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344 - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it - JDK-8279445: Update JMH devkit to 1.34 - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT + - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition + - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" - JDK-8280002: jmap -histo may leak stream - JDK-8280155: [PPC64, s390] frame size checks are not yet correct + - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492 - JDK-8280414: Memory leak in DefaultProxySelector - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} + - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames + - JDK-8281460: Let ObjectMonitor have its own NMT category + - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX + - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8274791: Support for RSASSA-PSS in OCSP Response +==================================================== +An OCSP response signed with the RSASSA-PSS algorithm is now supported. New in release OpenJDK 17.0.2 (2022-01-18): =========================================== diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 035d14c..eefa952 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -333,7 +333,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 1 +%global buildver 5 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -2541,6 +2541,10 @@ cjc.mainProgram(args) %endif %changelog +* Wed Apr 13 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 + * Fri Apr 08 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea - Update to jdk-17.0.3.0+1 - Update release notes to 17.0.3.0+1 diff --git a/sources b/sources index 363f8f6..dda3fdf 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.3+1.tar.xz) = f6bc8ba86a3e7dcd7d5c9ac17fe0ff337b76cc654b667bd1d506778dfa76b3d140731119738fa330601f5f4751ce11c9bf9877bad403d6ed610f2c91570dd304 +SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) = a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160 From 3cbe105c02a34a9a45c741b1e5ea997241cfb84b Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Sun, 24 Apr 2022 22:13:48 +0100 Subject: [PATCH 6/6] April 2022 security update to jdk 17.0.3+7 Update release notes to 17.0.3.0+7 Update README.md and generate_source_tarball.sh to match CentOS Switch to GA mode for release JDK-8283911 patch no longer needed now we're GA... --- .gitignore | 2 ++ NEWS | 24 ++++++++++++++++++- README.md | 17 +++++++------ generate_source_tarball.sh | 6 ++--- java-17-openjdk.spec | 23 +++++++++++------- jdk8283911-default_promoted_version_pre.patch | 16 ------------- sources | 2 +- 7 files changed, 53 insertions(+), 37 deletions(-) delete mode 100644 jdk8283911-default_promoted_version_pre.patch diff --git a/.gitignore b/.gitignore index a07e974..9d53f89 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,5 @@ /openjdk-jdk17u-jdk-17.0.2+8.tar.xz /openjdk-jdk17u-jdk-17.0.3+1.tar.xz /openjdk-jdk17u-jdk-17.0.3+5.tar.xz +/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz +/openjdk-jdk17u-jdk-17.0.3+7.tar.xz diff --git a/NEWS b/NEWS index 7c85481..b0e58ad 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,25 @@ Live versions of these release notes can be found at: * https://bitly.com/openjdk1703 * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt +* Security fixes + - JDK-8269938: Enhance XML processing passes redux + - JDK-8270504, CVE-2022-21426: Better XPath expression handling + - JDK-8272255: Completely handle MIDI files + - JDK-8272261: Improve JFR recording file processing + - JDK-8272588: Enhanced recording parsing + - JDK-8272594: Better record of recordings + - JDK-8274221: More definite BER encodings + - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 + - JDK-8275151, CVE-2022-21443: Improved Object Identification + - JDK-8277227: Better identification of OIDs + - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support + - JDK-8277672, CVE-2022-21434: Better invocation handler handling + - JDK-8278356: Improve file creation + - JDK-8278449: Improve keychain support + - JDK-8278798: Improve supported intrinsic + - JDK-8278805: Enhance BMP image loading + - JDK-8278972, CVE-2022-21496: Improve URL supports + - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo * Other changes - JDK-8177814: jdk/editpad is not in jdk TEST.groups - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 @@ -79,7 +98,6 @@ Live versions of these release notes can be found at: - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler - JDK-8274935: dumptime_table has stale entry - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info - - JDK-8275082: Update XML Security for Java to 2.3.0 - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime @@ -175,7 +193,11 @@ Live versions of these release notes can be found at: - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames - JDK-8281460: Let ObjectMonitor have its own NMT category - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX + - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 + - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods + - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException + - JDK-8284920: Incorrect Token type causes XPath expression to return empty result Notes on individual issues: =========================== diff --git a/README.md b/README.md index 079e78c..3bfd7d2 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,13 @@ -Package of LTS OpenJDK 17 -OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. +OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform. -JDK17 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/17/ and is landing to your Fedora. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. +* https://fedoraproject.org/wiki/Changes/Java17 -See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html -See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf +For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream +release page for OpenJDK 17 and the preceding interim releases: -https://fedoraproject.org/wiki/Changes/Java17 -https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview +* 12: https://openjdk.java.net/projects/jdk/12/ +* 13: https://openjdk.java.net/projects/jdk/13/ +* 14: https://openjdk.java.net/projects/jdk/14/ +* 15: https://openjdk.java.net/projects/jdk/15/ +* 16: https://openjdk.java.net/projects/jdk/16/ +* 17: https://openjdk.java.net/projects/jdk/17/ diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 1a019ff..bf21bc4 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -8,8 +8,8 @@ # # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # PROJECT_NAME=openjdk -# REPO_NAME=jdk16 -# VERSION=HEAD +# REPO_NAME=jdk17u +# VERSION=jdk-17.0.3+5 # or to eg prepare systemtap: # icedtea7's jstack and other tapsets # VERSION=6327cf1cea9e @@ -130,7 +130,7 @@ pushd "${FILE_NAME_ROOT}" # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823) echo "PR3823 not found. Downloading..." - wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch + wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch echo "Applying ${PWD}/pr3823.patch" patch -Np1 < pr3823.patch rm pr3823.patch diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index eefa952..121bd41 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -333,7 +333,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 5 +%global buildver 7 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -353,11 +353,14 @@ # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global build_type GA %global expected_ea_designator "" @@ -1249,9 +1252,8 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv URL: http://openjdk.java.net/ -# to regenerate source0 (jdk) run update_package.sh -# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz +# The source tarball, generated using generate_source_tarball.sh +Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -1342,8 +1344,6 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch ############################################# # JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects Patch7: jdk8282004-x86_32-missing_call_effects.patch -# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 -Patch2001: jdk8283911-default_promoted_version_pre.patch BuildRequires: autoconf BuildRequires: automake @@ -1769,8 +1769,6 @@ popd # openjdk %patch1017 %patch1018 -%patch2001 - # Extract systemtap tapsets %if %{with_systemtap} tar --strip-components=1 -x -I xz -f %{SOURCE8} @@ -2541,6 +2539,13 @@ cjc.mainProgram(args) %endif %changelog +* Sun Apr 24 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+7 +- Update release notes to 17.0.3.0+7 +- Update README.md and generate_source_tarball.sh to match CentOS +- Switch to GA mode for release +- JDK-8283911 patch no longer needed now we're GA... + * Wed Apr 13 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea - Update to jdk-17.0.3.0+5 - Update release notes to 17.0.3.0+5 diff --git a/jdk8283911-default_promoted_version_pre.patch b/jdk8283911-default_promoted_version_pre.patch deleted file mode 100644 index b94cbd5..0000000 --- a/jdk8283911-default_promoted_version_pre.patch +++ /dev/null @@ -1,16 +0,0 @@ -commit 37807a694f89611f60880260d2bb7162908bc0c8 -Author: Andrew Hughes -Date: Wed Mar 30 04:19:43 2022 +0100 - - 8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4 - -diff --git openjdk.orig/make/conf/version-numbers.conf openjdk/make/conf/version-numbers.conf -index 71b19762f2e..7378ec67a48 100644 ---- openjdk.orig/make/conf/version-numbers.conf -+++ openjdk/make/conf/version-numbers.conf -@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0 - DEFAULT_VERSION_DOCS_API_SINCE=11 - DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17" - DEFAULT_JDK_SOURCE_TARGET_VERSION=17 --DEFAULT_PROMOTED_VERSION_PRE= -+DEFAULT_PROMOTED_VERSION_PRE=ea diff --git a/sources b/sources index dda3fdf..e4816a7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.3+5.tar.xz) = a08bc4a014493ad75594f1370ffc03852fa0601c3c9552c23b117a6f1f7f3b6b9689b3a2f5b52707875171ca60ebe3f3b0b453b9c31d9a946a322de85e4f1160 +SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567