From 6531a6457b08d02652d33f241896459a4aa29c06 Mon Sep 17 00:00:00 2001
From: Petra Mikova
Date: Wed, 1 Feb 2023 14:16:31 +0100
Subject: [PATCH] initial repacking Removed many pre-steps, build requires and patching. Removed build. added dependencies on portables extracted portabels to BUILD keep systemtap todo, repack it properly removed nss setup, enabled buildr and tuned "install" check debuginfo for jre only Print release repacked portables Remove javadoc.zip only for release build
---
NEWS | 2222 ------
fips-17u-257d544b594.patch | 5956 -----------------
java-17-openjdk.spec | 570 +-
nss.cfg.in | 5 -
openjdk_news.sh | 76 -
remove-intree-libraries.sh | 164 -
...sible_toolkit_crash_do_not_break_jvm.patch | 16 -
...ut_nss_cfg_provider_to_java_security.patch | 12 -
...va_access_bridge_privileged_security.patch | 20 -
...lite-libs_instead_of_pcsc-lite-devel.patch | 13 -
rh1750419-redhat_alt_java.patch | 117 -
...eg_turbo_1_4_compat_for_jdk10_and_up.patch | 19 -
sources | 1 -
13 files changed, 119 insertions(+), 9072 deletions(-)
delete mode 100644 NEWS
delete mode 100644 fips-17u-257d544b594.patch
delete mode 100644 nss.cfg.in
delete mode 100755 openjdk_news.sh
delete mode 100644 remove-intree-libraries.sh
delete mode 100644 rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
delete mode 100644 rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
delete mode 100644 rh1648644-java_access_bridge_privileged_security.patch
delete mode 100644 rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
delete mode 100644 rh1750419-redhat_alt_java.patch
delete mode 100644 rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
diff --git a/NEWS b/NEWS
deleted file mode 100644
index 5a69f0d..0000000
--- a/NEWS
+++ /dev/null
@@ -1,2222 +0,0 @@ -Key: - -JDK-X - https://bugs.openjdk.java.net/browse/JDK-X -CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY - -New in release OpenJDK 17.0.6 (2023-01-17): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1706 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html - -* CVEs - - CVE-2023-21835 - - CVE-2023-21843 -* Security fixes - - JDK-8286070: Improve UTF8 representation - - JDK-8286496: Improve Thread labels - - JDK-8287411: Enhance DTLS performance - - JDK-8288516: Enhance font creation - - JDK-8289350: Better media supports - - JDK-8293554: Enhanced DH Key Exchanges - - JDK-8293598: Enhance InetAddress address handling - - JDK-8293717: Objective view of ObjectView - - JDK-8293734: Improve BMP image handling - - JDK-8293742: Better Banking of Sounds - - JDK-8295687: Better BMP bounds -* Other changes - - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows - - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails - - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails - - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails - - JDK-8029633: Raw inner class constructor ref should not perform diamond inference - - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails - - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled - - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails - - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java - - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java - - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout - - JDK-8202836: [macosx] test 
java/awt/Graphics/TextAAHintsTest.java fails - - JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...' - - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop" - - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs - - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos - - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos - - JDK-8244670: convert clhsdb "whatis" command from javascript to java - - JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives. - - JDK-8255439: System Tray icons get corrupted when Windows scaling changes - - JDK-8256811: Delayed/missed jdwp class unloading events - - JDK-8257722: Improve "keytool -printcert -jarfile" output - - JDK-8262721: Add Tests to verify single iteration loops are properly optimized - - JDK-8265489: Stress test times out because of long ObjectSynchronizer::monitors_iterate(...) 
operation - - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint - - JDK-8266519: Cleanup resolve() leftovers from BarrierSet et al - - JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java - - JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow" - - JDK-8268276: Base64 Decoding optimization for x86 using AVX-512 - - JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out - - JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" - - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs - - JDK-8269404: Base64 Encoding optimization enhancements for x86 using AVX-512 - - JDK-8269571: NMT should print total malloc bytes and invocation count - - JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m) - - JDK-8270086: ARM32-softfp: Do not load CONSTANT_double using the condy helper methods in the interpreter - - JDK-8270155: ARM32: Improve register dump in hs_err - - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction - - JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns. 
- - JDK-8270947: AArch64: C1: use zero_words to initialize all objects - - JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts - - JDK-8271834: TestStringDeduplicationAgeThreshold intermittent failures on Shenandoah - - JDK-8271956: AArch64: C1 build failed after JDK-8270947 - - JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" - - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64 - - JDK-8272608: java_lang_System::allow_security_manager() doesn't set its initialization flag - - JDK-8272776: NullPointerException not reported - - JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947 - - JDK-8272809: JFR thread sampler SI_KERNEL SEGV in metaspace::VirtualSpaceList::contains - - JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java - - JDK-8273108: RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 - - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints - - JDK-8273380: ARM32: Default to {ldrexd,strexd} in StubRoutines::atomic_{load|store}_long - - JDK-8273459: Update code segment alignment to 64 bytes - - JDK-8273497: building.md should link to both md and html - - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 - - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12 - - JDK-8273685: Remove jtreg tag manual=yesno for java/awt/Graphics/LCDTextAndGraphicsState.java & show test instruction - - JDK-8273880: Zero: Print warnings when unsupported intrinsics are enabled - - JDK-8273881: Metaspace: test repeated deallocations - - JDK-8274029: Remove jtreg tag manual=yesno for java/awt/print/Dialog/DialogOrient.java - - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI - - JDK-8274160: 
java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high - - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS - - JDK-8274456: Remove jtreg tag manual=yesno java/awt/print/PrinterJob/PageDialogTest.java - - JDK-8274527: Minimal VM build fails after JDK-8273459 - - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening - - JDK-8274903: Zero: Support AsyncGetCallTrace - - JDK-8275170: Some jtreg sound tests should be marked with sound keyword - - JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList - - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked - - JDK-8275569: Add linux-aarch64 to test-make profiles - - JDK-8276108: Wrong instruction generation in aarch64 backend - - JDK-8276904: Optional.toString() is unnecessarily expensive - - JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM" - - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64 - - JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64 - - JDK-8277358: Accelerate CRC32-C - - JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check - - JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64 - - JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64 - - JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64 - - JDK-8277866: gc/epsilon/TestMemoryMXBeans.java failed with wrong initial heap size - - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode - - JDK-8277928: Fix compilation on macosx-aarch64 after 8276108 - - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" - - 
JDK-8278826: Print error if Shenandoah flags are empty (instead of crashing) - - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore - - JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" - - JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out - - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC - - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails - - JDK-8280016: gc/g1/TestShrinkAuxiliaryData30 test fails on large machines - - JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes - - JDK-8280234: AArch64 "core" variant does not build after JDK-8270947 - - JDK-8280391: NMT: Correct NMT tag on CollectedHeap - - JDK-8280511: AArch64: Combine shift and negate to a single instruction - - JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered - - JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object - - JDK-8280872: Reorder code cache segments to improve code density - - JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR - - JDK-8280948: Write a regression test for JDK-4659800 - - JDK-8281296: Create a regression test for JDK-4515999 - - JDK-8281744: x86: Use short jumps in TIG::set_vtos_entry_points - - JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores - - JDK-8282276: Problem list failing two Robot Screen Capture tests - - JDK-8282347: AARCH64: Untaken branch in has_negatives stub - - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired - - JDK-8282402: Create a regression test for JDK-4666101 - - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template - - JDK-8282528: AArch64: Incorrect replicate2L_zero rule - - JDK-8282600: SSLSocketImpl should not use 
user_canceled workaround when not necessary - - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1 - - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure - - JDK-8282777: Create a Regression test for JDK-4515031 - - JDK-8282857: Create a regression test for JDK-4702690 - - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 - - JDK-8283199: Linux os::cpu_microcode_revision() stalls cold startup - - JDK-8283298: Make CodeCacheSegmentSize a product flag - - JDK-8283337: Posix signal handler modification warning triggering incorrectly - - JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32 - - JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name - - JDK-8283999: Update JMH devkit to 1.35 - - JDK-8284533: Improve InterpreterCodelet data footprint - - JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction" - - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox - - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X - - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation - - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown" - - JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently - - JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot - - JDK-8285093: Introduce UTIL_ARG_WITH - - JDK-8285305: Create an automated test for JDK-4495286 - - JDK-8285373: Create an automated test for JDK-4702233 - - JDK-8285604: closed 
sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" - - JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java - - JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java - - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox - - JDK-8285794: AsyncGetCallTrace might acquire a lock via JavaThread::thread_from_jni_environment - - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server" - - JDK-8286172: Create an automated test for JDK-4516019 - - JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3" - - JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable - - JDK-8286452: The array length of testSmallConstArray should be small and const - - JDK-8286460: Remove dependence on JAR filename in CDS tests - - JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2 - - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 - - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray - - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows - - JDK-8286872: Refactor add/modify notification icon (TrayIcon) - - JDK-8287011: Improve container information - - JDK-8287076: Document.normalizeDocument() produces different results - - JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance - - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path - - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative - - JDK-8287740: NSAccessibilityShowMenuAction not working for text editors - - JDK-8287826: 
javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile - - JDK-8288132: Update test artifacts in QuoVadis CA interop tests - - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces - - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable - - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding - - JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name - - JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support - - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output - - JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented - - JDK-8289301: P11Cipher should not throw out of bounds exception during padding - - JDK-8289524: Add JFR JIT restart event - - JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException - - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https - - JDK-8290207: Missing notice in dom.md - - JDK-8290209: jcup.md missing additional text - - JDK-8290374: Shenandoah: Remove inaccurate comment on SBS::load_reference_barrier() - - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 - - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure - - JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes - - JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS - - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" - - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize - - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses - - JDK-8290839: jdk/jfr/event/compiler/TestJitRestart.java failed with "RuntimeException: No JIT restart event found: 
expected true, was false" - - JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM - - JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false - - JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 - - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) - - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 - - JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath - - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region - - JDK-8292083: Detected container memory limit may exceed physical machine memory - - JDK-8292158: AES-CTR cipher state corruption with AVX-512 - - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out - - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory - - JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle - - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update - - JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library - - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free - - JDK-8292816: GPL Classpath exception missing from assemblyprefix.h - - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures - - JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading - - JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java - - JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6 - - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform - - JDK-8292903: enhance round_up_power_of_2 assertion output - - JDK-8293010: JDI 
ObjectReference/referringObjects/referringObjects001 fails: assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) failed: checking - - JDK-8293044: C1: Missing access check on non-accessible class - - JDK-8293232: Fix race condition in pkcs11 SessionManager - - JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if - - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present - - JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint - - JDK-8293535: jdk/javadoc/doclet/testJavaFX/TestJavaFxMode.java fail with jfx - - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts - - JDK-8293550: Optionally add get-task-allow entitlement to macos binaries - - JDK-8293578: Duplicate ldc generated by javac - - JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" - - JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details - - JDK-8293672: Update freetype md file - - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present - - JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception - - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation - - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent - - JDK-8293826: Closed test fails after JDK-8276108 on aarch64 - - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening - - JDK-8293834: Update CLDR data following tzdata 2022c update - - JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum - - JDK-8293965: Code signing warnings after JDK-8293550 - - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC - - JDK-8294307: ISO 4217 Amendment 173 
Update - - JDK-8294310: compare.sh fails on macos after JDK-8293550 - - JDK-8294357: (tz) Update Timezone Data to 2022d - - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode - - JDK-8294740: Add cgroups keyword to TestDockerBasic.java - - JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md - - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator - - JDK-8295173: (tz) Update Timezone Data to 2022e - - JDK-8295288: Some vm_flags tests associate with a wrong BugID - - JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests - - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp - - JDK-8295419: JFR: Change name of jdk.JitRestart - - JDK-8295429: Update harfbuzz md file - - JDK-8295469: S390X: Optimized builds are broken - - JDK-8295554: Move the "sizecalc.h" to the correct location - - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev - - JDK-8295714: GHA ::set-output is deprecated and will be removed - - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - - JDK-8295872: [PPC64] JfrGetCallTrace: Need pc == nullptr check before frame constructor - - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 - - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - - JDK-8296108: (tz) Update Timezone Data to 2022f - - JDK-8296239: ISO 4217 Amendment 174 Update - - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation - - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - - JDK-8296715: CLDR v42 update for tzdata 2022f - - JDK-8296733: JFR: File Read event for 
RandomAccessFile::write(byte[]) is incorrect - - JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds - - JDK-8296956: [JVMCI] HotSpotResolvedJavaFieldImpl.getIndex returns wrong value - - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 - - JDK-8296958: [JVMCI] add API for retrieving ConstantValue attributes - - JDK-8296960: [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool - - JDK-8296961: [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField - - JDK-8296967: [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod - - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used - - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again - - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java - - JDK-8297309: Memory leak in ShenandoahFullGC - - JDK-8297481: Create a regression test for JDK-4424517 - - JDK-8297530: java.lang.IllegalArgumentException: Negative length on strings concatenation - - JDK-8297590: [TESTBUG] HotSpotResolvedJavaFieldTest does not run - - JDK-8297656: AArch64: Enable AES/GCM Intrinsics - - JDK-8297804: (tz) Update Timezone Data to 2022g - - JDK-8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6 - - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR - - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java - -Notes on individual issues: -=========================== - -client-libs/javax.imageio: - -JDK-8295687: Better BMP bounds -============================== -Loading a linked ICC profile within a BMP image is now disabled by -default. To re-enable it, set the new system property -`sun.imageio.bmp.enabledLinkedProfiles` to `true`. 
This new property -replaces the old property, -`sun.imageio.plugins.bmp.disableLinkedProfiles`. - -client-libs/javax.sound: - -JDK-8293742: Better Banking of Sounds -===================================== -Previously, the SoundbankReader implementation, -`com.sun.media.sound.JARSoundbankReader`, would download a JAR -soundbank from a URL. This behaviour is now disabled by default. To -re-enable it, set the new system property `jdk.sound.jarsoundbank` to -`true`. - -security-libs/java.security: - -JDK-8282730: New Implementation Note for LoginModule on Removing Null from a Principals or Credentials Set -========================================================================================================== -Back in OpenJDK 9, JDK-8015081 changed the Set implementation used to -hold principals and credentials so that it rejected null -values. Attempts to call add(null), contains(null) or remove(null) -were changed to throw a NullPointerException. - -However, the logout() methods in the LoginModule implementations -within the JDK were not updated to check for null values, which may -occur in the event of a failed login. As a result, a logout() call may -throw a NullPointerException. - -The LoginModule implementations have now been updated with such checks -and an implementation note added to the specification to suggest that -the same change is made in third party modules. Developers of third -party modules are advised to verify that their logout() method does not -throw a NullPointerException. - -security-libs/javax.net.ssl: - -JDK-8287411: Enhance DTLS performance -===================================== -The JDK now exchanges DTLS cookies for all handshakes, new and -resumed. The previous behaviour can be re-enabled by setting the new -system property `jdk.tls.enableDtlsResumeCookie` to `false`. 
- -New in release OpenJDK 17.0.5 (2022-10-18): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1705 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html - -* Security fixes - - JDK-8282252: Improve BigInteger/Decimal validation - - JDK-8285662: Better permission resolution - - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions - - JDK-8286511: Improve macro allocation - - JDK-8286519: Better memory handling - - JDK-8286526, CVE-2022-21619: Improve NTLM support - - JDK-8286910, CVE-2022-21624: Improve JNDI lookups - - JDK-8286918, CVE-2022-21628: Better HttpServer service - - JDK-8287446: Enhance icon presentations - - JDK-8288508: Enhance ECDSA usage - - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage - - JDK-8289853: Update HarfBuzz to 4.4.1 - - JDK-8290334: Update FreeType to 2.12.1 -* Other changes - - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider - - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7 - - JDK-7131823: bug in GIFImageReader - - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac - - JDK-8028265: Add legacy tz tests to OpenJDK - - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed - - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails - - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java - - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes! - - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad" - - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test. 
- - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values - - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch - - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues - - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled. - - JDK-8227651: Tests fail with SSLProtocolException: Input record too big - - JDK-8240903: Add test to check that jmod hashes are reproducible - - JDK-8254318: Remove .hgtags - - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline - - JDK-8256844: Make NMT late-initializable - - JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom" - - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class - - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly. 
- - JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled" - - JDK-8269039: Disable SHA-1 Signed JARs - - JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr - - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections - - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java - - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest - - JDK-8271344: Windows product version issue - - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8 - - JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData - - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals - - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null] - - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades) - - JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts - - JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12 - - JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms - - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false] - - JDK-8274597: Some of the dnd tests time out and fail intermittently - - JDK-8274856: Failing jpackage tests with fastdebug/release build - - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test - - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled - - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold - - JDK-8276837: [macos]: Error when signing the additional launcher - - JDK-8277429: Conflicting jpackage static library 
name
- - JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged"
- - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
- - JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript
- - JDK-8278311: Debian packaging doesn't work
- - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS
- - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS
- - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
- - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
- - JDK-8279622: C2: miscompilation of map pattern as a vector reduction
- - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl
- - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound
- - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed
- - JDK-8280863: Update build README to reflect that MSYS2 is supported
- - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
- - JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism
- - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
- - JDK-8281181: Do not use CPU Shares to compute active processor count
- - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
- - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted)
- - JDK-8281535: Create a regression test for JDK-4670051
- - JDK-8281569: Create tests for Frame.setMinimumSize() method
- - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
- - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
- - JDK-8281745: Create a regression test for JDK-4514331
- - JDK-8281988: Create a regression test for
JDK-4618767
- - JDK-8282007: Assorted enhancements to jpackage testing framework
- - JDK-8282046: Create a regression test for JDK-8000326
- - JDK-8282214: Upgrade JQuery to version 3.6.0
- - JDK-8282234: Create a regression test for JDK-4532513
- - JDK-8282280: Update Xerces to Version 2.12.2
- - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access
- - JDK-8282343: Create a regression test for JDK-4518432
- - JDK-8282351: jpackage does not work if class file has `$$` in the name on windows
- - JDK-8282407: Missing ')' in MacResources.properties
- - JDK-8282467: add extra diagnostics for JDK-8268184
- - JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler
- - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
- - JDK-8282548: Create a regression test for JDK-4330998
- - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
- - JDK-8282640: Create a test for JDK-4740761
- - JDK-8282778: Create a regression test for JDK-4699544
- - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
- - JDK-8282860: Write a regression test for JDK-4164779
- - JDK-8282933: Create a test for JDK-4529616
- - JDK-8282936: Write a regression test for JDK-4615365
- - JDK-8282937: Write a regression test for JDK-4820080
- - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
- - JDK-8283015: Create a test for JDK-4715496
- - JDK-8283087: Create a test or JDK-4715503
- - JDK-8283245: Create a test for JDK-4670319
- - JDK-8283277: ISO 4217 Amendment 171 Update
- - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
- - JDK-8283457: [macos] libpng build failures with Xcode13.3
- - JDK-8283493: Create an automated regression test for RFE 4231298
- - JDK-8283507: Create a regression test for RFE 4287690
- - JDK-8283562: JDK-8282306 breaks gtests on zero
- - JDK-8283597: [REDO] Invalid generic signature for redefined classes
- - JDK-8283621: Write a
regression test for CCC4400728
- - JDK-8283623: Create an automated regression test for JDK-4525475
- - JDK-8283624: Create an automated regression test for RFE-4390885
- - JDK-8283712: Create a manual test framework class
- - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
- - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
- - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
- - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
- - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
- - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
- - JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
- - JDK-8284077: Create an automated test for JDK-4170173
- - JDK-8284294: Create an automated regression test for RFE 4138746
- - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
- - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
- - JDK-8284521: Write an automated regression test for RFE 4371575
- - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
- - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
- - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
- - JDK-8284686: Interval of < 1 ms disables ExecutionSample events
- - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
- - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
- - JDK-8284898: Enhance PassFailJFrame
- - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
- - JDK-8284950: CgroupV1 detection code should consider memory.swappiness
- - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
- - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile
fails when named value doesn't exist
- - JDK-8285081: Improve XPath operators count accuracy
- - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
- - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
- - JDK-8285380: Fix typos in security
- - JDK-8285398: Cache the results of constraint checks
- - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test
- - JDK-8285693: Create an automated test for JDK-4702199
- - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
- - JDK-8285730: unify _WIN32_WINNT settings
- - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
- - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
- - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
- - JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe
- - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
- - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
- - JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes
- - JDK-8286277: CDS VerifyError when calling clone() on object array
- - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
- - JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45]
- - JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage
- - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
- - JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
- - JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis
- - JDK-8286869: unify os::dir_is_empty across posix platforms
- - JDK-8286870: Memory
leak with RepeatCompilation
- - JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
- - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
- - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
- - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
- - JDK-8287113: JFR: Periodic task thread uses period for method sampling events
- - JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host
- - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
- - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
- - JDK-8287366: Improve test failure reporting in GHA
- - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
- - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
- - JDK-8287463: JFR: Disable TestDevNull.java on Windows
- - JDK-8287663: Add a regression test for JDK-8287073
- - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
- - JDK-8287724: Fix various issues with msys2
- - JDK-8287735: Provide separate event category for dll operations
- - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
- - JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag
- - JDK-8287895: Some langtools tests fail on msys2
- - JDK-8287896: PropertiesTest.sh fail on msys2
- - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
- - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
- - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
- - JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs
- - JDK-8288003: log events for os::dll_unload
- - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
- - JDK-8288360: CI:
ciInstanceKlass::implementor() is not consistent for well-known classes
- - JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds
- - JDK-8288467: remove memory_operand assert for spilled instructions
- - JDK-8288499: Restore cancel-in-progress in GHA
- - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
- - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
- - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
- - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305
- - JDK-8288992: AArch64: CMN should be handled the same way as CMP
- - JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
- - JDK-8289147: unify os::infinite_sleep on posix platforms
- - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
- - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
- - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
- - JDK-8289486: Improve XSLT XPath operators count efficiency
- - JDK-8289549: ISO 4217 Amendment 172 Update
- - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
- - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
- - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
- - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
- - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
- - JDK-8289910: unify os::message_box across posix platforms
- - JDK-8290000: Bump macOS GitHub actions to macOS 11
- - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
- - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
- -
JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
- - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
- - JDK-8290456: remove os::print_statistics()
- - JDK-8291595: [17u] Delete files missed in backport of 8269039
- - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr
- - JDK-8292579: (tz) Update Timezone Data to 2022c
- - JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5
-
-Notes on individual issues:
-===========================
-
-core-libs/java.net:
-
-JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
-===========================================================================
-Two system properties have been added which control the keep alive
-behavior of HttpURLConnection in the case where the server does not
-specify a keep alive time. Two properties are defined for controlling
-connections to servers and proxies separately. They are:
-
-* `http.keepAlive.time.server`
-* `http.keepAlive.time.proxy`
-
-respectively. More information about them can be found on the
-Networking Properties page:
-https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
-
-security-libs/javax.crypto:
-
-JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location
-=====================================================================================
-The Windows KeyStore support in the SunMSCAPI provider has been
-expanded to include access to the local machine location.
The new -keystore types are: - -* "Windows-MY-LOCALMACHINE" -* "Windows-ROOT-LOCALMACHINE" - -The following keystore types were also added, allowing developers to -make it clear they map to the current user: - -* "Windows-MY-CURRENTUSER" (same as "Windows-MY") -* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") - -hotspot/runtime: - -JDK-8281181: CPU Shares Ignored When Computing Active Processor Count -===================================================================== -Previous JDK releases used an incorrect interpretation of the Linux -cgroups parameter "cpu.shares". This might cause the JVM to use fewer -CPUs than available, leading to an under utilization of CPU resources -when the JVM is used inside a container. - -Starting from this JDK release, by default, the JVM no longer -considers "cpu.shares" when deciding the number of threads to be used -by the various thread pools. The `-XX:+UseContainerCpuShares` -command-line option can be used to revert to the previous -behavior. This option is deprecated and may be removed in a future JDK -release. - -security-libs/java.security: - -JDK-8269039: Disabled SHA-1 Signed JARs -======================================= -JARs signed with SHA-1 algorithms are now restricted by default and -treated as if they were unsigned. This applies to the algorithms used -to digest, sign, and optionally timestamp the JAR. It also applies to -the signature and digest algorithms of the certificates in the -certificate chain of the code signer and the Timestamp Authority, and -any CRLs or OCSP responses that are used to verify if those -certificates have been revoked. These restrictions also apply to -signed JCE providers. - -To reduce the compatibility risk for JARs that have been previously -timestamped, there is one exception to this policy: - -- Any JAR signed with SHA-1 algorithms and timestamped prior to - January 01, 2019 will not be restricted. - -This exception may be removed in a future JDK release. 
To determine if -your signed JARs are affected by this change, run: - -$ jarsigner -verify -verbose -certs` - -on the signed JAR, and look for instances of "SHA1" or "SHA-1" and -"disabled" and a warning that the JAR will be treated as unsigned in -the output. - -For example: - - Signed by "CN="Signer"" - Digest algorithm: SHA-1 (disabled) - Signature algorithm: SHA1withRSA (disabled), 2048-bit key - - WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: - - jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01 - -JARs affected by these new restrictions should be replaced or -re-signed with stronger algorithms. - -Users can, *at their own risk*, remove these restrictions by modifying -the `java.security` configuration file (or override it by using the -`java.security.properties` system property) and removing "SHA1 usage -SignedJAR & denyAfter 2019-01-01" from the -`jdk.certpath.disabledAlgorithms` security property and "SHA1 -denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security -property. - -New in release OpenJDK 17.0.4.1 (2022-08-16): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk17041 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.1.txt - -* Other changes - - JDK-8292258: Bump update version for OpenJDK: jdk-17.0.4.1 - - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large - -Notes on individual issues: -=========================== - -hotspot/compiler: - -JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM -============================================================ -Fixes a regression in the C2 JIT compiler which caused the Java -Runtime to crash unpredictably. 
-
-New in release OpenJDK 17.0.4 (2022-07-19):
-===========================================
-Live versions of these release notes can be found at:
- * https://bitly.com/openjdk1704
- * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
-
-* Security fixes
- - JDK-8272243: Improve DER parsing
- - JDK-8272249: Better properties of loaded Properties
- - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
- - JDK-8277608: Address IP Addressing
- - JDK-8281859, CVE-2022-21540: Improve class compilation
- - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
- - JDK-8283190: Improve MIDI processing
- - JDK-8284370: Improve zlib usage
- - JDK-8285407, CVE-2022-34169: Improve Xalan supports
-* Other changes
- - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
- - JDK-8181571: printing to CUPS fails on mac sandbox app
- - JDK-8193682: Infinite loop in ZipOutputStream.close()
- - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
- - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
- - JDK-8214733: runtime/8176717/TestInheritFD.java timed out
- - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel
- - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
- - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
- - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
- - JDK-8255266: Update Public Suffix List to 3c213aa
- - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
- - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests
- - JDK-8263461:
jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure
- - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well
- - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL"
- - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL
- - JDK-8267163: Rename anonymous loader tests to hidden loader tests
- - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
- - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
- - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
- - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
- - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
- - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
- - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM
- - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform
- - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message
- - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
- - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java
- - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree
- - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output
- - JDK-8270468: TestRangeCheckEliminated fails because methods are not
compiled
- - JDK-8270797: ShortECDSA.java test is not complete
- - JDK-8270837: fix typos in test TestSigParse.java
- - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
- - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
- - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code
- - JDK-8271302: Regex Test Refresh
- - JDK-8272146: Disable Fibonacci test on memory constrained systems
- - JDK-8272168: some hotspot runtime/logging tests don't check exit code
- - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty
- - JDK-8272358: Some tests may fail when executed with other locales than the US
- - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
- - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
- - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
- - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302
- - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case
- - JDK-8274172: Convert JavadocTester to use NIO
- - JDK-8274233: Minor cleanup for ToolBox
- - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
- - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
- - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
- - JDK-8274735: javax.imageio.IIOException:
Unsupported Image Type while processing a valid JPEG image
- - JDK-8274751: Drag And Drop hangs on Windows
- - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
- - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS
- - JDK-8274983: C1 optimizes the invocation of private interface methods
- - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows
- - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
- - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert
- - JDK-8275745: Reproducible copyright headers
- - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers
- - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt
- - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win)
- - JDK-8276657: XSLT compiler tries to define a class with empty name
- - JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC
- - JDK-8276825: hotspot/runtime/SelectionResolution test errors
- - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java
- - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
- - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
- - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
- - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
- - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND
- - JDK-8277123: jdeps does not report some exceptions correctly
- - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories
- - JDK-8277166: Data race in jdeps VersionHelper
- - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
- - JDK-8277422: tools/jar/JarEntryTime.java
fails with modified time mismatch
- - JDK-8277893: Arraycopy stress tests
- - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP
- - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
- - JDK-8278014: [vectorapi] Remove test run script
- - JDK-8278065: Refactor subclassAudits to use ClassValue
- - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
- - JDK-8278472: Invalid value set to CANDIDATEFORM structure
- - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
- - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
- - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date
- - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
- - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86
- - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
- - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler
- - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638
- - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC
- - JDK-8279219: [REDO] C2 crash when allocating array of size too large
- - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display
- - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
- - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
- - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked
- - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
- - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
- - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
- - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment
- - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking
- - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores
- - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
- - JDK-8279822: CI: Constant pool entries in error state are not supported
- - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled
- - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
- - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
- - JDK-8279958: Provide configure hints for Alpine/apk package managers
- - JDK-8280004: DCmdArgument::parse_value() should handle NULL input
- - JDK-8280041: Retry loop issues in java.io.ClassCache
- - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN
- - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
- - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
- - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
- - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor
- - JDK-8280600: C2: assert(!had_error) failed: bad dominance
- - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
- - JDK-8280799: ะก2: assert(false) failed: cyclic dependency prevents range check elimination
- - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
- - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
- - JDK-8280940: gtest os.release_multi_mappings_vm is racy
- - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range
- - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
- - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
- - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64
- - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
- - JDK-8281262: Windows builds in different directories are not fully reproducible
- - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
- - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
- - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
- - JDK-8281318: Improve jfr/event/allocation tests reliability
- - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working
- - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor
- - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants
- - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
- - JDK-8281615: Deadlock caused by jdwp agent
- - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
- - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
- - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
- - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
- - JDK-8282008: Incorrect handling of quoted arguments in
ProcessBuilder
- - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
- - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
- - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
- - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
- - JDK-8282225: GHA: Allow one concurrent run per PR only
- - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
- - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
- - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
- - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
- - JDK-8282345: handle latest VS2022 in abstract_vm_version
- - JDK-8282382: Report glibc malloc tunables in error reports
- - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
- - JDK-8282444: Module finder incorrectly assumes default file system path-separator character
- - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
- - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
- - JDK-8282551: Properly initialize L32X64MixRandom state
- - JDK-8282583: Update BCEL md to include the copyright notice
- - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
- - JDK-8282592: C2: assert(false) failed: graph should be schedulable
- - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
- - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
- - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
- - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
- - JDK-8283017: GHA: Workflows break with update release versions
- - JDK-8283187:
C2: loop candidate for superword not always unrolled fully if superword fails - - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c - - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing - - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize - - JDK-8283315: jrt-fs.jar not always deterministically built - - JDK-8283323: libharfbuzz optimization level results in extreme build times - - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled - - JDK-8283350: (tz) Update Timezone Data to 2022a - - JDK-8283408: Fix a C2 crash when filling arrays with unsafe - - JDK-8283422: Create a new test for JDK-8254790 - - JDK-8283451: C2: assert(_base == Long) failed: Not a Long - - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak - - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info - - JDK-8283641: Large value for CompileThresholdScaling causes assert - - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM - - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate - - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo - - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c - - JDK-8284094: Memory leak in invoker_completeInvokeRequest() - - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 - - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer - - JDK-8284437: Building from different users/workspace is not always deterministic - - JDK-8284458: CodeHeapState::aggregate() leaks blob_name - - JDK-8284507: GHA: Only check test results if testing was not skipped - - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler - - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member - - JDK-8284603: 
[17u] Update Boot JDK used in GHA to 17.0.2 - - JDK-8284620: CodeBuffer may leak _overflow_arena - - JDK-8284622: Update versions of some Github Actions used in JDK workflow - - JDK-8284661: Reproducible assembly builds without relative linking - - JDK-8284754: print more interesting env variables in hs_err and VM.info - - JDK-8284758: [linux] improve print_container_info - - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping - - JDK-8284866: Add test to JDK-8273056 - - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java - - JDK-8284992: Fix misleading Vector API doc for LSHR operator - - JDK-8285342: Zero build failure with clang due to values not handled in switch - - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id() - - JDK-8285397: JNI exception pending in CUPSfuncs.c:250 - - JDK-8285445: cannot open file "NUL:" - - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 - - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java - - JDK-8285686: Update FreeType to 2.12.0 - - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head - - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head - - JDK-8285728: Alpine Linux build fails with busybox tar - - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols - - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine - - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService - - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java - - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc - - JDK-8286198: [linux] Fix process-memory information - - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources - - JDK-8286444: javac errors after JDK-8251329 
are not helpful enough to find root cause - - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups - - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk - - JDK-8286855: javac error on invalid jar should only print filename - - JDK-8287109: Distrust.java failed with CertificateExpiredException - - JDK-8287119: Add Distrust.java to ProblemList - - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions - - JDK-8287336: GHA: Workflows break on patch versions - - JDK-8287362: FieldAccessWatch testcase failed on AIX platform - - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows - -Notes on individual issues: -=========================== - -core-libs/java.net: - -JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos -================================================================ -Support has been added for TLS channel binding tokens for -Negotiate/Kerberos authentication over HTTPS through -javax.net.HttpsURLConnection. - -Channel binding tokens are increasingly required as an enhanced form -of security which can mitigate certain kinds of socially engineered, -man in the middle (MITM) attacks. They work by communicating from a -client to a server the client's understanding of the binding between -connection security (as represented by a TLS server cert) and higher -level authentication credentials (such as a username and -password). The server can then detect if the client has been fooled by -a MITM and shutdown the session/connection. 
- -The feature is controlled through a new system property -`jdk.https.negotiate.cbt` which is described fully at the following -page: - -https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt - -core-libs/java.lang: - -JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder -===================================================================== -ProcessBuilder on Windows is restored to address a regression caused -by JDK-8250568. Previously, an argument to ProcessBuilder that -started with a double-quote and ended with a backslash followed by a -double-quote was passed to a command incorrectly and may cause the -command to fail. For example the argument `"C:\\Program Files\"`, -would be seen by the command with extra double-quotes. This update -restores the long standing behavior that does not treat the backslash -before the final double-quote specially. - - -core-libs/java.util.jar: - -JDK-8278386: Default JDK compressor will be closed when IOException is encountered -================================================================================== -`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods -have been modified to close out the associated default JDK compressor -before propagating a Throwable up the -stack. `ZIPOutputStream.closeEntry()` method has been modified to -close out the associated default JDK compressor before propagating an -IOException, not of type ZipException, up the stack. - -core-libs/java.io: - -JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File -================================================================================================= -The Windows implementation of `java.io.File` allows access to NTFS -Alternate Data Streams (ADS) by default. Such streams have a structure -like โ€œfilename:streamnameโ€. 
A system property `jdk.io.File.enableADS` -has been added to control this behavior. To disable ADS support in -`java.io.File`, the system property `jdk.io.File.enableADS` should be -set to `false` (case ignored). Stricter path checking however prevents -the use of special devices such as `NUL:` - -New in release OpenJDK 17.0.3 (2022-04-19): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1703 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt - -* Security fixes - - JDK-8269938: Enhance XML processing passes redux - - JDK-8270504, CVE-2022-21426: Better XPath expression handling - - JDK-8272255: Completely handle MIDI files - - JDK-8272261: Improve JFR recording file processing - - JDK-8272588: Enhanced recording parsing - - JDK-8272594: Better record of recordings - - JDK-8274221: More definite BER encodings - - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 - - JDK-8275151, CVE-2022-21443: Improved Object Identification - - JDK-8277227: Better identification of OIDs - - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support - - JDK-8277672, CVE-2022-21434: Better invocation handler handling - - JDK-8278356: Improve file creation - - JDK-8278449: Improve keychain support - - JDK-8278798: Improve supported intrinsic - - JDK-8278805: Enhance BMP image loading - - JDK-8278972, CVE-2022-21496: Improve URL supports - - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo -* Other changes - - JDK-8177814: jdk/editpad is not in jdk TEST.groups - - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 - - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently - - JDK-8225559: assertion error at TransTypes.visitApply - - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful - - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails 
- - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
- - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1
- - JDK-8251216: Implement MD5 intrinsics on AArch64
- - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
- - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
- - JDK-8263567: gtests don't terminate the VM safely
- - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
- - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
- - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it
- - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only
- - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM
- - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
- - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java
- - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long'
- - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error
- - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects"
- - JDK-8270117: Broken jtreg link in "Building the JDK" page
- - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
- - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity
- - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
- - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
- - JDK-8271506: Add ResourceHashtable support for deleting selected entries
- - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
- - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
- - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
- - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
- - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
- - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
- - JDK-8272600: (test) Use native "sleep" in Basic.java
- - JDK-8272866: java.util.random package summary contains incorrect mixing function in table
- - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
- - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
- - JDK-8273277: C2: Move conditional negation into rc_predicate
- - JDK-8273341: Update Siphash to version 1.0
- - JDK-8273351: bad tag in jdk.random module-info.java
- - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
- - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
- - JDK-8273387: remove some unreferenced gtk-related functions
- - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
- - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
- - JDK-8273526: Extend the OSContainer API pids controller with pids.current
- - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
- - JDK-8273655: content-types.properties files are missing some common types
- - JDK-8273682: Upgrade Jline to 3.20.0
- - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
- - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3
- - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
- - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
- - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
- - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
- - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
- - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
- - JDK-8274471: Add support for RSASSA-PSS in OCSP Response
- - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
- - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
- - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS
- - JDK-8274658: ISO 4217 Amendment 170 Update
- - JDK-8274714: Incorrect verifier protected access error message
- - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
- - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
- - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
- - JDK-8274935: dumptime_table has stale entry
- - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
- - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
- - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
- - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
- - JDK-8275586: Zero: Simplify interpreter initialization
- - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
- - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
- - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg
- - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
- - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
- - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException
- - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
- - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method
- - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
- - JDK-8276057: Update JMH devkit to 1.33
- - JDK-8276141: XPathFactory set/getProperty method
- - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
- - JDK-8276314: [JVMCI] check alignment of call displacement during code installation
- - JDK-8276623: JDK-8275650 accidentally pushed "out" file
- - JDK-8276654: element-list order is non deterministic
- - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
- - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
- - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
- - JDK-8276841: Add support for Visual Studio 2022
- - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible"
- - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
- - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
- - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits
- - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
- - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
- - JDK-8277383: VM.metaspace optionally show chunk freelist details
- - JDK-8277385: Zero: Enable CompactStrings support
- - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
- - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
- - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
- - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
- - JDK-8277497: Last column cell in the JTable row is read as empty cell
- - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found."
- - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
- - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad
- - JDK-8277795: ldap connection timeout not honoured under contention
- - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
- - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording
- - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
- - JDK-8278016: Add compiler tests to tier{2,3}
- - JDK-8278020: ~13% variation in Renaissance-Scrabble
- - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
- - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
- - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
- - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
- - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
- - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
- - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
- - JDK-8278185: Custom JRE cannot find non-ASCII named module inside
- - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
- - JDK-8278241: Implement JVM SpinPause on linux-aarch64
- - JDK-8278309: [windows] use of uninitialized OSThread::_state
- - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
- - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
- - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
- - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
- - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
- - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column
- - JDK-8278604: SwingSet2 table demo does not have accessible description set for images
- - JDK-8278627: Shenandoah: TestHeapDump test failed
- - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
- - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
- - JDK-8278824: Uneven work distribution when scanning heap roots in G1
- - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
- - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
- - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__
- - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
- - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
- - JDK-8279124: VM does not handle SIGQUIT during initialization
- - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
- - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
- - JDK-8279379: GHA: Print tests that are in error
- - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
- - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it
- - JDK-8279445: Update JMH devkit to 1.34
- - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
- - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
- - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
- - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also
- - JDK-8279702: [macosx] ignore xcodebuild warnings on M1
- - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
- - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
- - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
- - JDK-8280002: jmap -histo may leak stream
- - JDK-8280155: [PPC64, s390] frame size checks are not yet correct
- - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
- - JDK-8280414: Memory leak in DefaultProxySelector
- - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
- - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
- - JDK-8281460: Let ObjectMonitor have its own NMT category
- - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
- - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
- - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
- - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
- - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
- - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
-
-Notes on individual issues:
-===========================
-
-security-libs/java.security:
-
-JDK-8274791: Support for RSASSA-PSS in OCSP Response
-====================================================
-An OCSP response signed with the RSASSA-PSS algorithm is now supported.
-
-New in release OpenJDK 17.0.2 (2022-01-18):
-===========================================
-Live versions of these release notes can be found at:
- * https://bitly.com/openjdk1702
- * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt
-
-* Security fixes
- - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
- - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- - JDK-8268488: More valuable DerValues
- - JDK-8268494: Better inlining of inlined interfaces
- - JDK-8268512: More content for ContentInfo
- - JDK-8268813, CVE-2022-21283: Better String matching
- - JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- - JDK-8269944: Better HTTP transport redux
- - JDK-8270386, CVE-2022-21291: Better verification of scan methods
- - JDK-8270392, CVE-2022-21293: Improve String constructions
- - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- - JDK-8270492, CVE-2022-21282: Better resolution of URIs
- - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- - JDK-8270952, CVE-2022-21277: Improve TIFF file handling
- - JDK-8271962: Better TrueType font loading
- - JDK-8271968: Better canonical naming
- - JDK-8271987: Manifest improved manifest entries
- - JDK-8272014, CVE-2022-21305: Better array indexing
- - JDK-8272026, CVE-2022-21340: Verify Jar Verification
- - JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- - JDK-8272272: Enhance jcmd communication
- - JDK-8272462: Enhance image handling
- - JDK-8273290: Enhance sound handling
- - JDK-8273756, CVE-2022-21360: Enhance BMP image support
- - JDK-8273838, CVE-2022-21365: Enhanced BMP processing
- - JDK-8274096, CVE-2022-21366: Improve decoding of image files
-* Other changes
- - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
- - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
- - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
- - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
- - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
- - JDK-8214761: Bug in parallel Kahan summation implementation
- - JDK-8223923: C2: Missing interference with mismatched unsafe accesses
- - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
- - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
- - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
- - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
- - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
- - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
- - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
- - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
- - JDK-8263375: Support stack watermarks in Zero VM
- - JDK-8263773: Reenable German localization for builds at Oracle
- - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
- - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
- - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
- - JDK-8264292: Create implementation for NSAccessibilityList protocol peer
- - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
- - JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
- - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer
- - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
- - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
- - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
- - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
- - JDK-8266239: Some duplicated javac command-line options have repeated effect
- - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
- - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
- - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
- - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
- - JDK-8267387: Create implementation for NSAccessibilityOutline protocol
- - JDK-8267388: Create implementation for NSAccessibilityTable protocol
- - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
- - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
- - JDK-8268361: Fix the infinite loop in next_line
- - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
- - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
- - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
- - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
- - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
- - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
- - JDK-8268893: jcmd to trim the glibc heap
- - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
- - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
- - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
- - JDK-8269113: Javac throws when compiling switch (null)
- - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
- - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
- - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
- - JDK-8269481: SctpMultiChannel never releases own file descriptor
- - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
- - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
- - JDK-8269687: pauth_aarch64.hpp include name is incorrect
- - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
- - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
- - JDK-8270110: Shenandoah: Add test for JDK-8269661
- - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
- - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
- - JDK-8270290: NTLM authentication fails if HEAD request is used
- - JDK-8270317: Large Allocation in CipherSuite
- - JDK-8270320: JDK-8270110 committed invalid copyright headers
- - JDK-8270517: Add Zero support for LoongArch
- - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
- - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
- - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
- - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
- - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
- - JDK-8271071: accessibility of a table on macOS lacks cell navigation
- - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
- - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
- - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
- - JDK-8271215: Fix data races in G1PeriodicGCTask
- - JDK-8271254: javac generates unreachable code when using empty semicolon statement
- - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
- - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
- - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
- - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
- - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
- - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
- - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
- - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling - - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" - - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions - - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop - - JDK-8271605: Update JMH devkit to 1.32 - - JDK-8271718: Crash when during color transformation the color profile is replaced - - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers - - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest - - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used - - JDK-8271868: Warn user when using mac-sign option with unsigned app-image. - - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18 - - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112 - - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64 - - JDK-8272114: Unused _last_state in osThread_windows - - JDK-8272170: Missing memory barrier when checking active state for regions - - JDK-8272305: several hotspot runtime/modules don't check exit codes - - JDK-8272318: Improve performance of HeapDumpAllTest - - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher - - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes - - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions - - JDK-8272345: macos doesn't check `os::set_boot_path()` result - - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: 
java.nio.file.NoSuchFileException: /run/user/0" - - JDK-8272391: Undeleted debug information - - JDK-8272413: Incorrect num of element count calculation for vector cast - - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong - - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272570: C2: crash in PhaseCFG::global_code_motion - - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272639: jpackaged applications using microphone on mac - - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO - - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit - - JDK-8272783: Epsilon: Refactor tests to improve performance - - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests - - JDK-8272838: Move CriticalJNI tests out of tier1 - - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1 - - JDK-8272850: Drop zapping values in the Zap* option descriptions - - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test - - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag - - JDK-8272859: Javadoc external links should only have feature version number in URL - - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups - - JDK-8272970: Parallelize runtime/InvocationTests/ - - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop - - JDK-8273021: C2: Improve Add and Xor ideal optimizations - - JDK-8273026: Slow LoginContext.login() on multi threading application - - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7 - - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert - - JDK-8273176: handle latest VS2019 in abstract_vm_version - - JDK-8273229: Update OS detection code to recognize Windows Server 2022 - - JDK-8273234: extended 'for' with expression 
of type tvar causes the compiler to crash - - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit - - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT - - JDK-8273308: PatternMatchTest.java fails on CI - - JDK-8273314: Add tier4 test groups - - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test - - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory - - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods - - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs - - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 - - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size - - JDK-8273361: InfoOptsTest is failing in tier1 - - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero - - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop - - JDK-8273376: Zero: Disable vtable/itableStub gtests - - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP - - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record - - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1} - - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java - - JDK-8273450: Fix the copyright header of SVML files - - JDK-8273451: Remove unreachable return in mutexLocker::wait - - JDK-8273483: Zero: Clear pending JNI exception check in native method handler - - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option - - JDK-8273487: Zero: Handle "zero" variant in runtime tests - - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths - - JDK-8273498: compiler/c2/Test7179138_1.java timed out - - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in 
MetaspaceShared::link_shared_classes - - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure - - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated - - JDK-8273592: Backout JDK-8271868 - - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image. - - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian - - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch - - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests - - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F - - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher - - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease - - JDK-8273695: Safepoint deadlock on VMOperation_lock - - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem - - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly - - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java - - JDK-8273808: Cleanup AddFontsToX11FontPath - - JDK-8273826: Correct Manifest file name and NPE checks - - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out - - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral - - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release() - - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() - - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported - - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds - - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character - - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 
disabled - - JDK-8273968: JCK javax_xml tests fail in CI - - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects - - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM - - JDK-8274083: Update testing docs to mention tiered testing - - JDK-8274087: Windows DLL path not set correctly. - - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition - - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC - - JDK-8274215: Remove globalsignr2ca root from 17.0.2 - - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86 - - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp - - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated - - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160 - - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m - - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern - - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" - - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile - - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU - - JDK-8274381: missing CAccessibility definitions in JNI code - - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread - - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API - - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough" - - JDK-8274407: (tz) Update Timezone Data to 2021c - - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl - - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b - - JDK-8274468: TimeZoneTest.java fails with tzdata2021b - - JDK-8274501: c2i entry barriers read int as long on AArch64 - - JDK-8274521: 
jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected - - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah - - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah - - JDK-8274550: c2i entry barriers read int as long on PPC - - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah - - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test - - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 - - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume. - - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily - - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers - - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform - - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST - - JDK-8274840: Update OS detection code to recognize Windows 11 - - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior - - JDK-8274851: [ppc64] Port zgc to linux on ppc64le - - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155) - - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 - - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register - - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag - - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed - - JDK-8275104: IR framework does not handle client VM builds correctly - - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. 
- - JDK-8275131: Exceptions after a touchpad gesture on macOS - - JDK-8275141: recover corrupted line endings for the version-numbers.conf - - JDK-8275145: file.encoding system property has an incorrect value on Windows - - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges - - JDK-8275302: unexpected compiler error: cast, intersection types and sealed - - JDK-8275426: PretouchTask num_chunks calculation can overflow - - JDK-8275604: Zero: Reformat opclabels_data - - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless - - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem - - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak - - JDK-8275766: (tz) Update Timezone Data to 2021e - - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:] - - JDK-8275811: Incorrect instance to dispose - - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective - - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e - - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings - - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml - - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency - - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance - - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3 - - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly - - JDK-8276112: Inconsistent scalar replacement debug info at safepoints - - JDK-8276122: Change openjdk project in jcheck to jdk-updates - - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme - - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test - - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 - - JDK-8276201: Shenandoah: Race results 
degenerated GC to enter wrong entry point - - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration - - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition - - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 - - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend - - JDK-8276572: Fake libsyslookup.so library causes tooling issues - - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie - - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah - - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager - - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32 - - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1 - - JDK-8276854: Windows GHA builds fail due to broken Cygwin - - JDK-8276864: Update boot JDKs to 17.0.1 in GHA - - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders - - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le - - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes - - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element - - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points - - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest] - - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches - - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE - - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint - - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup - -Notes on individual issues: -=========================== - -core-libs/java.io:serialization: - -JDK-8277157: Vector 
should throw ClassNotFoundException for a missing class of an element -========================================================================================= -`java.util.Vector` is updated to correctly report -`ClassNotFoundException that occurs during deserialization using -`java.io.ObjectInputStream.GetField.get(name, object)` when the class -of an element of the Vector is not found. Without this fix, a -`StreamCorruptedException` is thrown that does not provide information -about the missing class. - -security-libs/java.security: - -JDK-8272535: Removed Google's GlobalSign Root Certificate -========================================================= -The following root certificate from Google has been removed from the -`cacerts` keystore: - -Alias Name: globalsignr2ca [jdk] -Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 - -core-libs/java.io: - -JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows -============================================================================ -The initialization of the `file.encoding` system property on non macOS -platforms has been reverted to align with the behavior on or before -JDK 11. This has been an issue especially on Windows where the system -and user's locales are not the same. - -hotspot/gc: - -JDK-8277533: ZGC: Fixed long Process Non-Strong References times -================================================================ -A bug has been fixed that could cause long "Concurrent Process -Non-Strong References" times with ZGC. The bug blocked the GC from -making significant progress, and caused both latency and throughput -issues for the Java application. - -The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g. 
- -[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms - -core-libs/java.time: - -JDK-8274857: Update Timezone Data to 2021c -=========================================== -IANA Time Zone Database, on which JDK's Date/Time libraries are based, -has been updated to version 2021c -(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note -that with this update, some of the time zone rules prior to the year -1970 have been modified according to the changes which were introduced -with 2021b. For more detail, refer to the announcement of 2021b -(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) - -New in release OpenJDK 17.0.1 (2021-10-19): -=========================================== -Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt - -* Security fixes - - JDK-8263314: Enhance XML Dsig modes - - JDK-8265167, CVE-2021-35556: Richer Text Editors - - JDK-8265574: Improve handling of sheets - - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - - JDK-8265776: Improve Stream handling for SSL - - JDK-8266097, CVE-2021-35561: Better hashing support - - JDK-8266103: Better specified spec values - - JDK-8266109: More Resilient Classloading - - JDK-8266115: More Manifest Jar Loading - - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - - JDK-8266689, CVE-2021-35567: More Constrained Delegation - - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - - JDK-8267712: Better LDAP reference processing - - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - - JDK-8267735, CVE-2021-35586: Better BMP support - - JDK-8268193: Improve requests of certificates - - JDK-8268199: Correct certificate requests - - JDK-8268205: Enhance DTLS client handshake - - JDK-8268500: Better specified ParameterSpecs - - JDK-8268506: More Manifest Digests - - JDK-8269618, CVE-2021-35603: 
Better session identification - - JDK-8269624: Enhance method selection support - - JDK-8270398: Enhance canonicalization - - JDK-8270404: Better canonicalization -* Other changes - - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails - - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked - - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations - - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - - JDK-8263531: Remove unused buffer int - - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java - - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. 
- - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms - - JDK-8269297: Bump version numbers for JDK 17.0.1 - - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events - - JDK-8269763: The JEditorPane is blank after JDK-8265167 - - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - - JDK-8269882: stack-use-after-scope in NewObjectA - - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible - - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags - - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations - - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert - - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error - - JDK-8270344: Session resumption errors - - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added - - JDK-8271276: C2: Wrong JVM state used for receiver null check - - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 - - JDK-8271589: fatal error with variable shift count integer rotate operation. 
- - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java - - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests - - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier - - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails - - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 - - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled - - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed - - JDK-8273358: macOS Monterey does not have the font Times needed by Serif - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8271434: Removed IdenTrust Root Certificate -=============================================== -The following root certificate from IdenTrust has been removed from -the `cacerts` keystore: - -Alias Name: identrustdstx3 [jdk] -Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. 
- -New in release OpenJDK 17.0.0 (2021-09-14): -=========================================== -The full list of changes in the interim releases from 11u to 17u can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-12.txt - * https://builds.shipilev.net/backports-monitor/release-notes-13.txt - * https://builds.shipilev.net/backports-monitor/release-notes-14.txt - * https://builds.shipilev.net/backports-monitor/release-notes-15.txt - * https://builds.shipilev.net/backports-monitor/release-notes-16.txt - * https://builds.shipilev.net/backports-monitor/release-notes-17.txt - -Major changes are listed below. Some changes may have been backported -to earlier releases following their first appearance in OpenJDK 12 -through to 17. - -NEW FEATURES -============ - -Language Features -================= - -Switch Expressions -================== -https://openjdk.java.net/jeps/325 -https://openjdk.java.net/jeps/354 -https://openjdk.java.net/jeps/361 - -Extend the `switch` statement so that it can be used as either a -statement or an expression, and that both forms can use either a -"traditional" or "simplified" scoping and control flow behavior. Both -forms can use either traditional `case ... :` labels (with fall -through) or new `case ... ->` labels (with no fall through), with a -further new statement for yielding a value from a `switch` -expression. These changes will simplify everyday coding, and also -prepare the way for the use of pattern matching in `switch`. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 12 & 13 and became final in OpenJDK 14. - -Text Blocks -=========== -https://openjdk.java.net/jeps/355 -https://openjdk.java.net/jeps/368 -https://openjdk.java.net/jeps/378 - -Add text blocks to the Java language. 
A text block is a multi-line -string literal that avoids the need for most escape sequences, -automatically formats the string in a predictable way, and gives the -developer control over format when desired. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 13 & 14 and became final in OpenJDK 15. - -Pattern Matching for instanceof -=============================== -https://openjdk.java.net/jeps/305 -https://openjdk.java.net/jeps/375 -https://openjdk.java.net/jeps/394 -http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html - -Enhance the Java programming language with pattern matching for the -`instanceof` operator. Pattern matching allows common logic in a -program, namely the conditional extraction of components from objects, -to be expressed more concisely and safely. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Records -======= -https://openjdk.java.net/jeps/359 -https://openjdk.java.net/jeps/384 -https://openjdk.java.net/jeps/395 - -Enhance the Java programming language with records. Records provide a -compact syntax for declaring classes which are transparent holders for -shallowly immutable data. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Sealed Classes -============== -https://openjdk.java.net/jeps/360 -https://openjdk.java.net/jeps/397 -https://openjdk.java.net/jeps/409 -https://cr.openjdk.java.net/~briangoetz/amber/datum.html - -Enhance the Java programming language with sealed classes and -interfaces. Sealed classes and interfaces restrict which other classes -or interfaces may extend or implement them. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 15 & 16 and became final in OpenJDK 17. 
- -Restore Always-Strict Floating-Point Semantics -============================================== -https://openjdk.java.net/jeps/306 - -Make floating-point operations consistently strict, rather than have -both strict floating-point semantics (`strictfp`) and subtly different -default floating-point semantics. This will restore the original -floating-point semantics to the language and VM, matching the -semantics before the introduction of strict and default floating-point -modes in Java SE 1.2. - -Pattern Matching for switch -=========================== -https://openjdk.java.net/jeps/406 - -Enhance the Java programming language with pattern matching for -`switch` expressions and statements, along with extensions to the -language of patterns. Extending pattern matching to `switch` allows an -expression to be tested against a number of patterns, each with a -specific action, so that complex data-oriented queries can be -expressed concisely and safely. - -This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK -17. - -Library Features -================ - -JVM Constants API -================= -https://openjdk.java.net/jeps/334 - -Introduce an API to model nominal descriptions of key class-file and -run-time artifacts, in particular constants that are loadable from the -constant pool. - -Reimplement the Legacy Socket API -================================= -https://openjdk.java.net/jeps/353 - -Replace the underlying implementation used by the `java.net.Socket` -and `java.net.ServerSocket` APIs with a simpler and more modern -implementation that is easy to maintain and debug. The new -implementation will be easy to adapt to work with user-mode threads, -a.k.a. fibers, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). - -JFR Event Streaming -=================== -https://openjdk.java.net/jeps/349 - -Expose JDK Flight Recorder data for continuous monitoring. 
- -Non-Volatile Mapped Byte Buffers -================================ -https://openjdk.java.net/jeps/352 - -Add new JDK-specific file mapping modes so that the `FileChannel` API -can be used to create `MappedByteBuffer` instances that refer to -non-volatile memory. - -Helpful NullPointerExceptions -============================= -https://openjdk.java.net/jeps/358 - -Improve the usability of `NullPointerException`s generated by the JVM -by describing precisely which variable was `null`. - -Foreign-Memory Access API -========================= -https://openjdk.java.net/jeps/370 -https://openjdk.java.net/jeps/383 -https://openjdk.java.net/jeps/393 - -Introduce an API to allow Java programs to safely and efficiently -access foreign memory outside of the Java heap. - -This was a incubation feature (https://openjdk.java.net/jeps/11) in -OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory -API in OpenJDK 17 (see below). - -Edwards-Curve Digital Signature Algorithm (EdDSA) -================================================= -https://openjdk.java.net/jeps/339 - -Implement cryptographic signatures using the Edwards-Curve Digital -Signature Algorithm (EdDSA) as described by RFC 8032 -(https://tools.ietf.org/html/rfc8032). - -Hidden Classes -============== -https://openjdk.java.net/jeps/371 - -Introduce hidden classes, which are classes that cannot be used -directly by the bytecode of other classes. Hidden classes are intended -for use by frameworks that generate classes at run time and use them -indirectly, via reflection. A hidden class may be defined as a member -of an access control nest (https://openjdk.java.net/jeps/181), and may -be unloaded independently of other classes. 
- -Reimplement the Legacy DatagramSocket API -========================================= -https://openjdk.java.net/jeps/373 - -Replace the underlying implementations of the -`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with -simpler and more modern implementations that are easy to maintain and -debug. The new implementations will be easy to adapt to work with -virtual threads, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). This is a follow-on to JEP -353 (see above), which already reimplemented the legacy Socket API. - -Vector API -========== -https://openjdk.java.net/jeps/338 -https://openjdk.java.net/jeps/414 - -Provide an initial iteration of an incubator module, -`jdk.incubator.vector`, to express vector computations that reliably -compile at runtime to optimal vector hardware instructions on -supported CPU architectures and thus achieve superior performance to -equivalent scalar computations. - -This is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16. - -Unix-Domain Socket Channels -=========================== -https://openjdk.java.net/jeps/380 - -Add Unix-domain (`AF_UNIX`) socket support to the socket channel and -server-socket channel APIs in the `java.nio.channels` package. Extend -the inherited channel mechanism to support Unix-domain socket channels -and server socket channels. - -Foreign Linker API (Incubator) -============================== -https://openjdk.java.net/jeps/389 - -Introduce an API that offers statically-typed, pure-Java access to -native code. This API, together with the Foreign-Memory API (see -above), will considerably simplify the otherwise error-prone process -of binding to a native library. - -This was an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16, now superseded by the Foreign Function & -Memory API in OpenJDK 17 (see below). 
-
-Strongly Encapsulate JDK Internals by Default
-=============================================
-https://openjdk.java.net/jeps/396
-https://openjdk.java.net/jeps/403
-
-Strongly encapsulate all internal elements of the JDK by default,
-except for critical internal APIs such as `sun.misc.Unsafe`. It will
-no longer be possible to relax the strong encapsulation of internal
-elements via a single command-line option, as was possible in OpenJDK
-9 through 16.
-
-Enhanced Pseudo-Random Number Generators
-========================================
-https://openjdk.java.net/jeps/356
-
-Provide new interface types and implementations for pseudo-random
-number generators (PRNGs), including jumpable PRNGs and an additional
-class of splittable PRNG algorithms (LXM).
-
-Foreign Function & Memory API
-=============================
-https://openjdk.java.net/jeps/412
-
-Introduce an API by which Java programs can interoperate with code and
-data outside of the Java runtime. By efficiently invoking foreign
-functions (i.e., code outside the JVM), and by safely accessing
-foreign memory (i.e., memory not managed by the JVM), the API enables
-Java programs to call native libraries and process native data without
-the brittleness and danger of JNI.
-
-This API is an incubation feature (https://openjdk.java.net/jeps/11)
-introduced in OpenJDK 17, and is an evolution of the Foreign Memory
-Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK
-16) (see above).
-
-Context-Specific Deserialization Filters
-========================================
-https://openjdk.java.net/jeps/415
-
-Allow applications to configure context-specific and
-dynamically-selected deserialization filters via a JVM-wide filter
-factory that is invoked to select a filter for each individual
-deserialization operation.
-
-Tools
-=====
-
-Packaging Tool
-==============
-https://openjdk.java.net/jeps/343
-https://openjdk.java.net/jeps/392
-
-Provide the `jpackage` tool, for packaging self-contained Java
-applications.
-
-JVM Features
-============
-
-Shenandoah: A Low-Pause-Time Garbage Collector
-==============================================
-https://openjdk.java.net/jeps/189
-https://openjdk.java.net/jeps/379
-
-Add a new garbage collection (GC) algorithm named Shenandoah which
-reduces GC pause times by doing evacuation work concurrently with the
-running Java threads. Pause times with Shenandoah are independent of
-heap size, meaning you will have the same consistent pause times
-whether your heap is 200 MB or 200 GB.
-
-Shenandoah has been provided in Red Hat builds of OpenJDK 8 since
-8u131 in April 2017 and in all 11u builds.
-
-Upstream, it was introduced in OpenJDK 12 as an experimental feature
-and became a production feature in OpenJDK 15. It was backported to
-OpenJDK 11 with the 11.0.9 release in October 2020.
-
-Abortable Mixed Collections for G1
-==================================
-https://openjdk.java.net/jeps/344
-
-Make G1 mixed collections abortable if they might exceed the pause
-target.
-
-Promptly Return Unused Committed Memory from G1
-===============================================
-https://openjdk.java.net/jeps/346
-
-Enhance the G1 garbage collector to automatically return Java heap
-memory to the operating system when idle.
-
-Dynamic CDS Archives
-====================
-https://openjdk.java.net/jeps/310
-https://openjdk.java.net/jeps/350
-
-Extend application class-data sharing to allow the dynamic archiving
-of classes at the end of Java application execution. The archived
-classes will include all loaded application classes and library
-classes that are not present in the default, base-layer CDS archive.
-
-ZGC: Uncommit Unused Memory (Experimental)
-==========================================
-https://openjdk.java.net/jeps/351
-
-Enhance ZGC to return unused heap memory to the operating system.
-
-NUMA-Aware Memory Allocation for G1
-===================================
-https://openjdk.java.net/jeps/345
-
-Improve G1 performance on large machines by implementing NUMA-aware
-memory allocation.
-
-ZGC on macOS (Experimental)
-===========================
-https://openjdk.java.net/jeps/364
-
-Port the ZGC garbage collector to macOS.
-
-ZGC on Windows (Experimental)
-=============================
-https://openjdk.java.net/jeps/365
-
-Port the ZGC garbage collector to Windows.
-
-ZGC: A Scalable Low-Latency Garbage Collector (Production)
-==========================================================
-https://openjdk.java.net/jeps/377
-
-Change the Z Garbage Collector from an experimental feature into a
-product feature.
-
-ZGC: Concurrent Thread-Stack Processing
-=======================================
-https://openjdk.java.net/jeps/376
-
-Move ZGC thread-stack processing from safepoints to a concurrent
-phase.
-
-Elastic Metaspace
-=================
-https://openjdk.java.net/jeps/387
-
-Return unused HotSpot class-metadata (i.e., metaspace) memory to the
-operating system more promptly, reduce metaspace footprint, and
-simplify the metaspace code in order to reduce maintenance costs.
-
-Ports
-=====
-
-Alpine Linux Port
-=================
-https://openjdk.java.net/jeps/386
-
-Port the JDK to Alpine Linux, and to other Linux distributions that
-use musl as their primary C library, on both the x64 and AArch64
-architectures,
-
-Windows/AArch64 Port
-====================
-https://openjdk.java.net/jeps/388
-
-Port the JDK to Windows/AArch64.
-
-New macOS Rendering Pipeline
-============================
-https://openjdk.java.net/jeps/382
-
-Implement a Java 2D internal rendering pipeline for macOS using the
-Apple Metal API as alternative to the existing pipeline, which uses
-the deprecated Apple OpenGL API.
-
-macOS/AArch64 Port
-==================
-https://openjdk.java.net/jeps/391
-
-Port the JDK to macOS/AArch64.
-
-DEPRECATIONS
-============
-
-Deprecate the ParallelScavenge + SerialOld GC Combination
-=========================================================
-https://openjdk.java.net/jeps/366
-
-Deprecate the combination of the Parallel Scavenge and Serial Old
-garbage collection algorithms.
-
-Deprecate and Disable Biased Locking
-====================================
-https://openjdk.java.net/jeps/374
-
-Disable biased locking by default, and deprecate all related
-command-line options.
-
-Warnings for Value-Based Classes
-================================
-https://openjdk.java.net/jeps/390
-
-Designate the primitive wrapper classes as value-based and deprecate
-their constructors for removal, prompting new deprecation
-warnings. Provide warnings about improper attempts to synchronize on
-instances of any value-based classes in the Java Platform.
-
-Deprecate the Applet API for Removal
-====================================
-https://openjdk.java.net/jeps/398
-
-Deprecate the Applet API for removal. It is essentially irrelevant
-since all web-browser vendors have either removed support for Java
-browser plug-ins or announced plans to do so.
-
-Deprecate the Security Manager for Removal
-==========================================
-https://openjdk.java.net/jeps/411
-
-Deprecate the Security Manager for removal in a future release. The
-Security Manager dates from Java 1.0. It has not been the primary
-means of securing client-side Java code for many years, and it has
-rarely been used to secure server-side code. To move Java forward, we
-intend to deprecate the Security Manager for removal in concert with
-the legacy Applet API (see above). .
-
-REMOVALS
-========
-
-Remove the Concurrent Mark Sweep (CMS) Garbage Collector
-========================================================
-https://openjdk.java.net/jeps/363
-
-Remove the Concurrent Mark Sweep (CMS) garbage collector.
-
-Remove the Pack200 Tools and API
-================================
-https://openjdk.java.net/jeps/336
-https://openjdk.java.net/jeps/367
-
-Remove the `pack200` and `unpack200` tools, and the `Pack200` API in
-the `java.util.jar` package. These tools and API were deprecated for
-removal in OpenJDK 11 with the express intent to remove them in a
-future release.
-
-Remove the Nashorn JavaScript Engine
-====================================
-https://openjdk.java.net/jeps/372
-
-Remove the Nashorn JavaScript script engine and APIs, and the `jjs`
-tool. The engine, the APIs, and the tool were deprecated for removal
-in OpenJDK 11 with the express intent to remove them in a future
-release.
-
-Remove the Solaris and SPARC Ports
-==================================
-https://openjdk.java.net/jeps/362
-https://openjdk.java.net/jeps/381
-
-Remove the source code and build support for the Solaris/SPARC,
-Solaris/x64, and Linux/SPARC ports. These ports were deprecated for
-removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381).
-
-Remove RMI Activation
-=====================
-https://openjdk.java.net/jeps/385
-https://openjdk.java.net/jeps/407
-https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html
-
-Remove the Remote Method Invocation (RMI) Activation mechanism, while
-preserving the rest of RMI. RMI Activation is an obsolete part of RMI
-that has been optional since OpenJDK 8 and was deprecated in OpenJDK
-15.
-
-Remove the Experimental AOT and JIT Compiler
-============================================
-https://openjdk.java.net/jeps/410
-
-Remove the experimental Java-based ahead-of-time (AOT) and
-just-in-time (JIT) compiler. This compiler has seen little use since
-its introduction and the effort required to maintain it is
-significant. Retain the experimental Java-level JVM compiler
-interface (JVMCI) so that developers can continue to use
-externally-built versions of the compiler for JIT compilation.
diff --git a/fips-17u-257d544b594.patch b/fips-17u-257d544b594.patch
deleted file mode 100644
index 6c03d6f..0000000
--- a/fips-17u-257d544b594.patch
+++ /dev/null
@@ -1,5956 +0,0 @@ -diff --git a/make/autoconf/build-aux/pkg.m4 b/make/autoconf/build-aux/pkg.m4 -index 5f4b22bb27f..1ca9f5b8ffe 100644 ---- a/make/autoconf/build-aux/pkg.m4 -+++ b/make/autoconf/build-aux/pkg.m4 -@@ -179,3 +179,19 @@ else - ifelse([$3], , :, [$3]) - fi[]dnl - ])# PKG_CHECK_MODULES -+ -+dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, -+dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -+dnl ------------------------------------------- -+dnl Since: 0.28 -+dnl -+dnl Retrieves the value of the pkg-config variable for the given module. -+AC_DEFUN([PKG_CHECK_VAR], -+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -+AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl -+ -+_PKG_CONFIG([$1], [variable="][$3]["], [$2]) -+AS_VAR_COPY([$1], [pkg_cv_][$1]) -+ -+AS_VAR_IF([$1], [""], [$5], [$4])dnl -+])dnl PKG_CHECK_VAR -diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 -new file mode 100644 -index 00000000000..f48fc7f7e80 ---- /dev/null -+++ b/make/autoconf/lib-sysconf.m4 -@@ -0,0 +1,87 @@ -+# -+# Copyright (c) 2021, Red Hat, Inc. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. Oracle designates this -+# particular file as subject to the "Classpath" exception as provided -+# by Oracle in the LICENSE file that accompanied this code. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). 
-+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ AC_MSG_CHECKING([for NSS library directory]) -+ PKG_CHECK_VAR(NSS_LIBDIR, nss, libdir, [AC_MSG_RESULT([$NSS_LIBDIR])], [AC_MSG_RESULT([not found])]) -+ -+ AC_MSG_CHECKING([whether to link the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ 
AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+ AC_SUBST(NSS_LIBDIR) -+]) -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index a65d91ee974..a8f054c1397 100644 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -33,6 +33,7 @@ m4_include([lib-std.m4]) - m4_include([lib-x11.m4]) - m4_include([lib-fontconfig.m4]) - m4_include([lib-tests.m4]) -+m4_include([lib-sysconf.m4]) - - ################################################################################ - # Determine which libraries are needed for this configuration -@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], - LIB_SETUP_BUNDLED_LIBS - LIB_SETUP_MISC_LIBS - LIB_TESTS_SETUP_GTEST -+ LIB_SETUP_SYSCONF_LIBS - - BASIC_JDKLIB_LIBS="" - if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index d557549adb3..1cb44bd2595 100644 ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -840,6 +840,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ - # Libraries - # - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+NSS_LIBDIR:=@NSS_LIBDIR@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/modules/java.base/Gendata.gmk b/make/modules/java.base/Gendata.gmk -index 4b894eeae4a..51567071aa8 100644 ---- a/make/modules/java.base/Gendata.gmk -+++ b/make/modules/java.base/Gendata.gmk -@@ -98,3 +98,17 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS_JDK) $(GENDATA_JAVA_SECURITY_SRC) $(REST - TARGETS += $(GENDATA_JAVA_SECURITY) - - 
################################################################################ -+ -+GENDATA_NSS_FIPS_CFG_SRC := $(TOPDIR)/src/java.base/share/conf/security/nss.fips.cfg.in -+GENDATA_NSS_FIPS_CFG := $(SUPPORT_OUTPUTDIR)/modules_conf/java.base/security/nss.fips.cfg -+ -+$(GENDATA_NSS_FIPS_CFG): $(GENDATA_NSS_FIPS_CFG_SRC) -+ $(call LogInfo, Generating nss.fips.cfg) -+ $(call MakeTargetDir) -+ $(call ExecuteWithLog, $(SUPPORT_OUTPUTDIR)/gensrc/java.base/_$(@F), \ -+ ( $(SED) -e 's:@NSS_LIBDIR@:$(NSS_LIBDIR):g' $< ) > $@ \ -+ ) -+ -+TARGETS += $(GENDATA_NSS_FIPS_CFG) -+ -+################################################################################ -diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 5658ff342e5..c8bc5bde1e1 100644 ---- a/make/modules/java.base/Lib.gmk -+++ b/make/modules/java.base/Lib.gmk -@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true) - endif - endif - -+################################################################################ -+# Create the systemconf library -+ -+LIBSYSTEMCONF_CFLAGS := -+LIBSYSTEMCONF_CXXFLAGS := -+ -+ifeq ($(USE_SYSCONF_NSS), true) -+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+endif -+ -+$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+)) -+ -+TARGETS += $(BUILD_LIBSYSTEMCONF) -+ - ################################################################################ - # Create the symbols file for static builds. 
- -diff --git a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -index 1fd6230d83b..683e3dd3a8d 100644 ---- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -+++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java -@@ -25,13 +25,12 @@ - - package com.sun.crypto.provider; - --import java.util.Arrays; -- - import javax.crypto.SecretKey; - import javax.crypto.spec.SecretKeySpec; --import javax.crypto.spec.PBEParameterSpec; -+import javax.crypto.spec.PBEKeySpec; - import java.security.*; - import java.security.spec.*; -+import sun.security.util.PBEUtil; - - /** - * This is an implementation of the HMAC algorithms as defined -@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore { - */ - protected void engineInit(Key key, AlgorithmParameterSpec params) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- char[] passwdChars; -- byte[] salt = null; -- int iCount = 0; -- if (key instanceof javax.crypto.interfaces.PBEKey) { -- javax.crypto.interfaces.PBEKey pbeKey = -- (javax.crypto.interfaces.PBEKey) key; -- passwdChars = pbeKey.getPassword(); -- salt = pbeKey.getSalt(); // maybe null if unspecified -- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified -- } else if (key instanceof SecretKey) { -- byte[] passwdBytes; -- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || -- (passwdBytes = key.getEncoded()) == null) { -- throw new InvalidKeyException("Missing password"); -- } -- passwdChars = new char[passwdBytes.length]; -- for (int i=0; i attrs = new HashMap<>(3); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -- + "|OAEPWITHMD5ANDMGF1PADDING" -- + "|OAEPWITHSHA1ANDMGF1PADDING" -- + "|OAEPWITHSHA-1ANDMGF1PADDING" -- + "|OAEPWITHSHA-224ANDMGF1PADDING" -- + "|OAEPWITHSHA-256ANDMGF1PADDING" -- + 
"|OAEPWITHSHA-384ANDMGF1PADDING" -- + "|OAEPWITHSHA-512ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -- ps("Cipher", "RSA", -- "com.sun.crypto.provider.RSACipher", null, attrs); -- -- // common block cipher modes, pads -- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + -- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + -- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; -- final String BLOCK_MODES128 = BLOCK_MODES + -- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + -- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; -- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DES", -- "com.sun.crypto.provider.DESCipher", null, attrs); -- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", -- attrs); -- ps("Cipher", "Blowfish", -- "com.sun.crypto.provider.BlowfishCipher", null, attrs); -- -- ps("Cipher", "RC2", -- "com.sun.crypto.provider.RC2Cipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES128); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES", -- "com.sun.crypto.provider.AESCipher$General", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", -- attrs); -- ps("Cipher", "AES/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_128/ECB/NoPadding", -- 
"com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_128/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_128/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_128/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_192/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_192/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_192/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_192/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_256/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_256/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CFB/NoPadding", -- 
"com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_256/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_256/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -- attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "GCM"); -- attrs.put("SupportedKeyFormats", "RAW"); -- -- ps("Cipher", "AES/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -- attrs); -- psA("Cipher", "AES_128/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES128", -- attrs); -- psA("Cipher", "AES_192/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES192", -- attrs); -- psA("Cipher", "AES_256/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES256", -- attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "CBC"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DESedeWrap", -- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "ARCFOUR", -- "com.sun.crypto.provider.ARCFOURCipher", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "ChaCha20", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -- null, attrs); -- psA("Cipher", "ChaCha20-Poly1305", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -- attrs); -- -- // PBES1 -- psA("Cipher", "PBEWithMD5AndDES", -- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -- null); -- ps("Cipher", "PBEWithMD5AndTripleDES", -- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -- psA("Cipher", "PBEWithSHA1AndDESede", -- 
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -- null); -- psA("Cipher", "PBEWithSHA1AndRC4_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -- null); -- -- psA("Cipher", "PBEWithSHA1AndRC4_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -- null); -- -- // PBES2 -- ps("Cipher", "PBEWithHmacSHA1AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA1AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -- -- /* -- * Key(pair) Generator engines -- */ -- ps("KeyGenerator", "DES", -- "com.sun.crypto.provider.DESKeyGenerator"); -- psA("KeyGenerator", "DESede", -- "com.sun.crypto.provider.DESedeKeyGenerator", -- null); -- ps("KeyGenerator", "Blowfish", -- "com.sun.crypto.provider.BlowfishKeyGenerator"); 
-- psA("KeyGenerator", "AES", -- "com.sun.crypto.provider.AESKeyGenerator", -- null); -- ps("KeyGenerator", "RC2", -- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); -- psA("KeyGenerator", "ARCFOUR", -- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", -- null); -- ps("KeyGenerator", "ChaCha20", -- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); -- ps("KeyGenerator", "HmacMD5", -- "com.sun.crypto.provider.HmacMD5KeyGenerator"); -- -- psA("KeyGenerator", "HmacSHA1", -- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); -- psA("KeyGenerator", "HmacSHA224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", -- null); -- psA("KeyGenerator", "HmacSHA256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", -- null); -- psA("KeyGenerator", "HmacSHA384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", -- null); -- psA("KeyGenerator", "HmacSHA512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", -- null); -- psA("KeyGenerator", "HmacSHA512/224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", -- null); -- psA("KeyGenerator", "HmacSHA512/256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", -- null); -- -- psA("KeyGenerator", "HmacSHA3-224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", -- null); -- psA("KeyGenerator", "HmacSHA3-256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", -- null); -- psA("KeyGenerator", "HmacSHA3-384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", -- null); -- psA("KeyGenerator", "HmacSHA3-512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", -- null); -- -- psA("KeyPairGenerator", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyPairGenerator", -- null); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -+ + "|OAEPWITHMD5ANDMGF1PADDING" -+ + 
"|OAEPWITHSHA1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-256ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-384ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+ ps("Cipher", "RSA",
-+ "com.sun.crypto.provider.RSACipher", null, attrs);
-+
-+ // common block cipher modes, pads
-+ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
-+ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
-+ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
-+ final String BLOCK_MODES128 = BLOCK_MODES +
-+ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
-+ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
-+ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "DES",
-+ "com.sun.crypto.provider.DESCipher", null, attrs);
-+ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
-+ attrs);
-+ ps("Cipher", "Blowfish",
-+ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
-+
-+ ps("Cipher", "RC2",
-+ "com.sun.crypto.provider.RC2Cipher", null, attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES128);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES",
-+ "com.sun.crypto.provider.AESCipher$General", attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_128/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/CBC/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/OFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/CFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES_128/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES_128/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_192/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/CBC/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/OFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/CFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_192/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES_192/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES_192/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_256/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/CBC/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/OFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/CFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_256/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES_256/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES_256/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
-+ attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", "GCM");
-+ attrs.put("SupportedKeyFormats", "RAW");
-+
-+ ps("Cipher", "AES/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
-+ attrs);
-+ psA("Cipher", "AES_128/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AES128",
-+ attrs);
-+ psA("Cipher", "AES_192/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AES192",
-+ attrs);
-+ psA("Cipher", "AES_256/GCM/NoPadding",
-+ "com.sun.crypto.provider.GaloisCounterMode$AES256",
-+ attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", "CBC");
-+ attrs.put("SupportedPaddings", "NOPADDING");
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "DESedeWrap",
-+ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", "ECB");
-+ attrs.put("SupportedPaddings", "NOPADDING");
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "ARCFOUR",
-+ "com.sun.crypto.provider.ARCFOURCipher", attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "ChaCha20",
-+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
-+ null, attrs);
-+ psA("Cipher", "ChaCha20-Poly1305",
-+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
-+ attrs);
-+
-+ // PBES1
-+ psA("Cipher", "PBEWithMD5AndDES",
-+ "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
-+ null);
-+ ps("Cipher", "PBEWithMD5AndTripleDES",
-+ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
-+ psA("Cipher", "PBEWithSHA1AndDESede",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
-+ null);
-+ psA("Cipher", "PBEWithSHA1AndRC2_40",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
-+ null);
-+ psA("Cipher", "PBEWithSHA1AndRC2_128",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
-+ null);
-+ psA("Cipher", "PBEWithSHA1AndRC4_40",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
-+ null);
-+
-+ psA("Cipher", "PBEWithSHA1AndRC4_128",
-+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
-+ null);
-+
-+ // PBES2
-+ ps("Cipher", "PBEWithHmacSHA1AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA224AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA256AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA384AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA512AndAES_128",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
-+
-+ ps("Cipher", "PBEWithHmacSHA1AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA224AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA256AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA384AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
-+
-+ ps("Cipher", "PBEWithHmacSHA512AndAES_256",
-+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
-+
-+ /*
-+ * Key(pair) Generator engines
-+ */
-+ ps("KeyGenerator", "DES",
-+ "com.sun.crypto.provider.DESKeyGenerator");
-+ psA("KeyGenerator", "DESede",
-+ "com.sun.crypto.provider.DESedeKeyGenerator",
-+ null);
-+ ps("KeyGenerator", "Blowfish",
-+ "com.sun.crypto.provider.BlowfishKeyGenerator");
-+ psA("KeyGenerator", "AES",
-+ "com.sun.crypto.provider.AESKeyGenerator",
-+ null);
-+ ps("KeyGenerator", "RC2",
-+ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
-+ psA("KeyGenerator", "ARCFOUR",
-+ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
-+ null);
-+ ps("KeyGenerator", "ChaCha20",
-+ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
-+ ps("KeyGenerator", "HmacMD5",
-+ "com.sun.crypto.provider.HmacMD5KeyGenerator");
-+
-+ psA("KeyGenerator", "HmacSHA1",
-+ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
-+ psA("KeyGenerator", "HmacSHA224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
-+ null);
-+ psA("KeyGenerator", "HmacSHA384",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512/224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA512/256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
-+ null);
-+
-+ psA("KeyGenerator", "HmacSHA3-224",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-256",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-384",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
-+ null);
-+ psA("KeyGenerator", "HmacSHA3-512",
-+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
-+ null);
-+
-+ psA("KeyPairGenerator", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyPairGenerator",
-+ null);
-+ }
-
- /*
- * Algorithm parameter generation engines
-@@ -430,15 +437,17 @@ public final class SunJCE extends Provider {
- "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
- null);
-
-- /*
-- * Key Agreement engines
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
-- "|javax.crypto.interfaces.DHPrivateKey");
-- psA("KeyAgreement", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyAgreement",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key Agreement engines
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
-+ "|javax.crypto.interfaces.DHPrivateKey");
-+ psA("KeyAgreement", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyAgreement",
-+ attrs);
-+ }
-
- /*
- * Algorithm Parameter engines
-@@ -610,118 +619,120 @@ public final class SunJCE extends Provider {
- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
-
-- // PBKDF2
-- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-- null);
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
--
-- /*
-- * MAC
-- */
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-- attrs);
-- psA("Mac", "HmacSHA224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-- psA("Mac", "HmacSHA256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-- psA("Mac", "HmacSHA384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-- psA("Mac", "HmacSHA512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-- psA("Mac", "HmacSHA512/224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-- psA("Mac", "HmacSHA512/256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-- psA("Mac", "HmacSHA3-224",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-- psA("Mac", "HmacSHA3-256",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-- psA("Mac", "HmacSHA3-384",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-- psA("Mac", "HmacSHA3-512",
-- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
--
-- ps("Mac", "HmacPBESHA1",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-- null, attrs);
-- ps("Mac", "HmacPBESHA224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-- null, attrs);
-- ps("Mac", "HmacPBESHA256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-- null, attrs);
-- ps("Mac", "HmacPBESHA384",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/224",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-- null, attrs);
-- ps("Mac", "HmacPBESHA512/256",
-- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-- null, attrs);
--
--
-- // PBMAC1
-- ps("Mac", "PBEWithHmacSHA1",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-- ps("Mac", "PBEWithHmacSHA224",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-- ps("Mac", "PBEWithHmacSHA256",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-- ps("Mac", "PBEWithHmacSHA384",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-- ps("Mac", "PBEWithHmacSHA512",
-- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-- ps("Mac", "SslMacMD5",
-- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-- ps("Mac", "SslMacSHA1",
-- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
--
-- /*
-- * KeyStore
-- */
-- ps("KeyStore", "JCEKS",
-- "com.sun.crypto.provider.JceKeyStore");
--
-- /*
-- * SSL/TLS mechanisms
-- *
-- * These are strictly internal implementations and may
-- * be changed at any time. These names were chosen
-- * because PKCS11/SunPKCS11 does not yet have TLS1.2
-- * mechanisms, and it will cause calls to come here.
-- */
-- ps("KeyGenerator", "SunTlsPrf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V10");
-- ps("KeyGenerator", "SunTls12Prf",
-- "com.sun.crypto.provider.TlsPrfGenerator$V12");
--
-- ps("KeyGenerator", "SunTlsMasterSecret",
-- "com.sun.crypto.provider.TlsMasterSecretGenerator",
-- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-- null);
--
-- ps("KeyGenerator", "SunTlsKeyMaterial",
-- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-- List.of("SunTls12KeyMaterial"), null);
--
-- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-- List.of("SunTls12RsaPremasterSecret"), null);
-+ if (!systemFipsEnabled) {
-+ // PBKDF2
-+ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
-+ null);
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
-+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
-+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
-+
-+ /*
-+ * MAC
-+ */
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
-+ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
-+ attrs);
-+ psA("Mac", "HmacSHA224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
-+ psA("Mac", "HmacSHA256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
-+ psA("Mac", "HmacSHA384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
-+ psA("Mac", "HmacSHA512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
-+ psA("Mac", "HmacSHA512/224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
-+ psA("Mac", "HmacSHA512/256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
-+ psA("Mac", "HmacSHA3-224",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
-+ psA("Mac", "HmacSHA3-256",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
-+ psA("Mac", "HmacSHA3-384",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
-+ psA("Mac", "HmacSHA3-512",
-+ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
-+
-+ ps("Mac", "HmacPBESHA1",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA384",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/224",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
-+ null, attrs);
-+ ps("Mac", "HmacPBESHA512/256",
-+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
-+ null, attrs);
-+
-+
-+ // PBMAC1
-+ ps("Mac", "PBEWithHmacSHA1",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA224",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA256",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA384",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
-+ ps("Mac", "PBEWithHmacSHA512",
-+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
-+ ps("Mac", "SslMacMD5",
-+ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
-+ ps("Mac", "SslMacSHA1",
-+ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
-+
-+ /*
-+ * KeyStore
-+ */
-+ ps("KeyStore", "JCEKS",
-+ "com.sun.crypto.provider.JceKeyStore");
-+
-+ /*
-+ * SSL/TLS mechanisms
-+ *
-+ * These are strictly internal implementations and may
-+ * be changed at any time. These names were chosen
-+ * because PKCS11/SunPKCS11 does not yet have TLS1.2
-+ * mechanisms, and it will cause calls to come here.
-+ */
-+ ps("KeyGenerator", "SunTlsPrf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V10");
-+ ps("KeyGenerator", "SunTls12Prf",
-+ "com.sun.crypto.provider.TlsPrfGenerator$V12");
-+
-+ ps("KeyGenerator", "SunTlsMasterSecret",
-+ "com.sun.crypto.provider.TlsMasterSecretGenerator",
-+ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
-+ null);
-+
-+ ps("KeyGenerator", "SunTlsKeyMaterial",
-+ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
-+ List.of("SunTls12KeyMaterial"), null);
-+
-+ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-+ List.of("SunTls12RsaPremasterSecret"), null);
-+ }
- }
-
- // Return the instance of this class or create one if needed.
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index ff2bc942c03..96a3ba4040c 100644
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -32,6 +32,7 @@ import java.net.URL;
-
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -47,12 +48,20 @@ import sun.security.jca.*;
- * implementation-specific location, which is typically the properties file
- * {@code conf/security/java.security} in the Java installation directory.
- *
-+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ *
- * @author Benjamin Renaud
- * @since 1.1
- */
-
- public final class Security {
-
-+ private static final String SYS_PROP_SWITCH =
-+ "java.security.disableSystemPropertiesFile";
-+ private static final String SEC_PROP_SWITCH =
-+ "security.useSystemPropertiesFile";
-+
- /* Are we debugging? -- for developers */
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -67,6 +76,19 @@ public final class Security {
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -84,6 +106,7 @@ public final class Security {
- props = new Properties();
- boolean loadedProps = false;
- boolean overrideAll = false;
-+ boolean systemSecPropsEnabled = false;
-
- // first load the system properties file
- // to determine the value of security.overridePropertiesFile
-@@ -99,6 +122,7 @@ public final class Security {
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -193,6 +217,61 @@ public final class Security {
- }
- }
-
-+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
-+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
-+ if (sdebug != null) {
-+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
-+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
-+ }
-+ if (!sysUseProps && secUseProps) {
-+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
-+ if (!systemSecPropsEnabled) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System security properties could not be loaded.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("System security property support disabled by user.");
-+ }
-+ }
-+
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps && systemSecPropsEnabled) {
-+ boolean shouldEnable;
-+ String sysProp = System.getProperty("com.redhat.fips");
-+ if (sysProp == null) {
-+ shouldEnable = true;
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips unset, using default value of true");
-+ }
-+ } else {
-+ shouldEnable = Boolean.valueOf(sysProp);
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
-+ }
-+ }
-+ if (shouldEnable) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS mode support configured and enabled.");
-+ } else {
-+ sdebug.println("FIPS mode support disabled.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null ) {
-+ sdebug.println("FIPS mode support disabled by user.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
-+ "system security properties being enabled.");
-+ }
-+ }
- }
-
- /*
-diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
-index 00000000000..98ffced455b
---- /dev/null
-+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,249 @@
-+/*
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+final class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ @SuppressWarnings("removal")
-+ var dummy = AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configureSysProps(Properties props) {
-+ boolean systemSecPropsLoaded = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ systemSecPropsLoaded = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+ return systemSecPropsLoaded;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ // Remove all security providers
-+ Iterator> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
-+ loadedProps = true;
-+ systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
-+ /**
-+ * Determines whether FIPS mode should be enabled.
-+ *
-+ * OpenJDK FIPS mode will be enabled only if the system is in
-+ * FIPS mode.
-+ *
-+ * Calls to this method only occur if the system property
-+ * com.redhat.fips is not set to false.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
-+ *
-+ * @return true if the system is in FIPS mode
-+ */
-+ private static boolean enableFips() throws Exception {
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ boolean fipsEnabled = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + fipsEnabled);
-+ }
-+ return fipsEnabled;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
-+ }
-+}
-diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..3f3caac64dc
---- /dev/null
-+++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,31 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package jdk.internal.access; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index f6d3638c3dd..a1ee182d913 100644 ---- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -+++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -39,6 +39,7 @@ import java.io.FilePermission; - import java.io.ObjectInputStream; - import java.io.RandomAccessFile; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - /** A repository of "shared secrets", which are a mechanism for -@@ -81,6 +82,7 @@ public class SharedSecrets { - private static JavaSecuritySpecAccess javaSecuritySpecAccess; - private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; - private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { - javaUtilCollectionAccess = juca; -@@ -442,4 +444,15 @@ public class SharedSecrets { - MethodHandles.lookup().ensureInitialized(c); - } catch (IllegalAccessException e) {} - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public 
static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ ensureClassInitialized(Security.class);
-+ }
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
-index 9faee9cae36..27f43550aa4 100644
---- a/src/java.base/share/classes/module-info.java
-+++ b/src/java.base/share/classes/module-info.java
-@@ -152,6 +152,8 @@ module java.base {
- java.naming,
- java.rmi,
- jdk.charsets,
-+ jdk.crypto.cryptoki,
-+ jdk.crypto.ec,
- jdk.jartool,
- jdk.jlink,
- jdk.net,
-diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-index 912cad59714..709d32912ca 100644
---- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
-+++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
-@@ -30,6 +30,7 @@ import java.net.*;
- import java.util.*;
- import java.security.*;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.action.GetPropertyAction;
- import sun.security.util.SecurityProviderConstants;
-@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
-
- public final class SunEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- // the default algo used by SecureRandom class for new SecureRandom() calls
- public static final String DEF_SECURE_RANDOM_ALGO;
-
-@@ -94,99 +99,101 @@ public final class SunEntries {
- // common attribute map
- HashMap attrs = new HashMap<>(3);
-
-- /*
-- * SecureRandom engines
-- */
-- attrs.put("ThreadSafe", "true");
-- if (NativePRNG.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNG",
-- "sun.security.provider.NativePRNG", attrs);
-- }
-- if
(NativePRNG.Blocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGBlocking",
-- "sun.security.provider.NativePRNG$Blocking", attrs);
-- }
-- if (NativePRNG.NonBlocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGNonBlocking",
-- "sun.security.provider.NativePRNG$NonBlocking", attrs);
-- }
-- attrs.put("ImplementedIn", "Software");
-- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-- add(p, "SecureRandom", "SHA1PRNG",
-- "sun.security.provider.SecureRandom", attrs);
--
-- /*
-- * Signature engines
-- */
-- attrs.clear();
-- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-- "|java.security.interfaces.DSAPrivateKey";
-- attrs.put("SupportedKeyClasses", dsaKeyClasses);
-- attrs.put("ImplementedIn", "Software");
--
-- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
--
-- addWithAlias(p, "Signature", "SHA1withDSA",
-- "sun.security.provider.DSA$SHA1withDSA", attrs);
-- addWithAlias(p, "Signature", "NONEwithDSA",
-- "sun.security.provider.DSA$RawDSA", attrs);
--
-- // for DSA signatures with 224/256-bit digests
-- attrs.put("KeySize", "2048");
--
-- addWithAlias(p, "Signature", "SHA224withDSA",
-- "sun.security.provider.DSA$SHA224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA256withDSA",
-- "sun.security.provider.DSA$SHA256withDSA", attrs);
--
-- addWithAlias(p, "Signature", "SHA3-224withDSA",
-- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-256withDSA",
-- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
--
-- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
--
-- addWithAlias(p, "Signature", "SHA384withDSA",
-- "sun.security.provider.DSA$SHA384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA512withDSA",
-- "sun.security.provider.DSA$SHA512withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-384withDSA",
-- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-512withDSA",
-- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
--
-- attrs.remove("KeySize");
-+ if (!systemFipsEnabled) {
-+ /*
-+ * SecureRandom engines
-+ */
-+ attrs.put("ThreadSafe", "true");
-+ if (NativePRNG.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNG",
-+ "sun.security.provider.NativePRNG", attrs);
-+ }
-+ if (NativePRNG.Blocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGBlocking",
-+ "sun.security.provider.NativePRNG$Blocking", attrs);
-+ }
-+ if (NativePRNG.NonBlocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGNonBlocking",
-+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
-+ }
-+ attrs.put("ImplementedIn", "Software");
-+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-+ add(p, "SecureRandom", "SHA1PRNG",
-+ "sun.security.provider.SecureRandom", attrs);
-
-- add(p, "Signature", "SHA1withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-- add(p, "Signature", "NONEwithDSAinP1363Format",
-- "sun.security.provider.DSA$RawDSAinP1363Format");
-- add(p, "Signature", "SHA224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-- add(p, "Signature", "SHA256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-- add(p, "Signature", "SHA384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-- add(p, "Signature", "SHA512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-- add(p, "Signature", "SHA3-224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-- add(p, "Signature", "SHA3-256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-- add(p, "Signature", "SHA3-384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-- add(p, "Signature", "SHA3-512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-- /*
-- * Key Pair Generator
engines
-- */
-- attrs.clear();
-- attrs.put("ImplementedIn", "Software");
-- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-+ /*
-+ * Signature engines
-+ */
-+ attrs.clear();
-+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-+ "|java.security.interfaces.DSAPrivateKey";
-+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
-+ attrs.put("ImplementedIn", "Software");
-+
-+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-+
-+ addWithAlias(p, "Signature", "SHA1withDSA",
-+ "sun.security.provider.DSA$SHA1withDSA", attrs);
-+ addWithAlias(p, "Signature", "NONEwithDSA",
-+ "sun.security.provider.DSA$RawDSA", attrs);
-+
-+ // for DSA signatures with 224/256-bit digests
-+ attrs.put("KeySize", "2048");
-+
-+ addWithAlias(p, "Signature", "SHA224withDSA",
-+ "sun.security.provider.DSA$SHA224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA256withDSA",
-+ "sun.security.provider.DSA$SHA256withDSA", attrs);
-+
-+ addWithAlias(p, "Signature", "SHA3-224withDSA",
-+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-256withDSA",
-+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
-+
-+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
-+
-+ addWithAlias(p, "Signature", "SHA384withDSA",
-+ "sun.security.provider.DSA$SHA384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA512withDSA",
-+ "sun.security.provider.DSA$SHA512withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-384withDSA",
-+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-512withDSA",
-+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-+
-+ attrs.remove("KeySize");
-+
-+ add(p, "Signature", "SHA1withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-+ add(p, "Signature", "NONEwithDSAinP1363Format",
-+ "sun.security.provider.DSA$RawDSAinP1363Format");
-+ add(p, "Signature", "SHA224withDSAinP1363Format",
-+
"sun.security.provider.DSA$SHA224withDSAinP1363Format");
-+ add(p, "Signature", "SHA256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-+ add(p, "Signature", "SHA384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-+ add(p, "Signature", "SHA512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-+ /*
-+ * Key Pair Generator engines
-+ */
-+ attrs.clear();
-+ attrs.put("ImplementedIn", "Software");
-+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-
-- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-+ dsaKPGImplClass += (useLegacyDSA?
"Legacy" : "Current");
-+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ }
-
- /*
- * Algorithm Parameter Generator engines
-@@ -201,40 +208,42 @@ public final class SunEntries {
- addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs);
-
-- /*
-- * Key factories
-- */
-- addWithAlias(p, "KeyFactory", "DSA",
-- "sun.security.provider.DSAKeyFactory", attrs);
--
-- /*
-- * Digest engines
-- */
-- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-- attrs);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key factories
-+ */
-+ addWithAlias(p, "KeyFactory", "DSA",
-+ "sun.security.provider.DSAKeyFactory", attrs);
-
-- addWithAlias(p, "MessageDigest", "SHA-224",
-- "sun.security.provider.SHA2$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-256",
-- "sun.security.provider.SHA2$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-384",
-- "sun.security.provider.SHA5$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512",
-- "sun.security.provider.SHA5$SHA512", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/224",
-- "sun.security.provider.SHA5$SHA512_224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/256",
-- "sun.security.provider.SHA5$SHA512_256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-224",
-- "sun.security.provider.SHA3$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-256",
-- "sun.security.provider.SHA3$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-384",
-- "sun.security.provider.SHA3$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-512",
-- "sun.security.provider.SHA3$SHA512", attrs);
-+ /*
-+ * Digest engines
-+ */
-+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-+ addWithAlias(p,
"MessageDigest", "SHA-1", "sun.security.provider.SHA",
-+ attrs);
-+
-+ addWithAlias(p, "MessageDigest", "SHA-224",
-+ "sun.security.provider.SHA2$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-256",
-+ "sun.security.provider.SHA2$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-384",
-+ "sun.security.provider.SHA5$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512",
-+ "sun.security.provider.SHA5$SHA512", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/224",
-+ "sun.security.provider.SHA5$SHA512_224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/256",
-+ "sun.security.provider.SHA5$SHA512_256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-224",
-+ "sun.security.provider.SHA3$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-256",
-+ "sun.security.provider.SHA3$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-384",
-+ "sun.security.provider.SHA3$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-512",
-+ "sun.security.provider.SHA3$SHA512", attrs);
-+ }
-
- /*
- * Certificates
-diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-index ca79f25cc44..225517ac69b 100644
---- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-+++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-@@ -27,6 +27,7 @@ package sun.security.rsa;
-
- import java.util.*;
- import java.security.Provider;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityProviderConstants.getAliases;
-
- /**
-@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
- */
- public final class SunRsaSignEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private void add(Provider p, String type, String algo, String cn,
- List aliases,
HashMap attrs) {
- services.add(new Provider.Service(p, type, algo, cn,
-@@ -56,49 +61,58 @@ public final class SunRsaSignEntries {
- // start populating content using the specified provider
- // common attribute map
- HashMap attrs = new HashMap<>(3);
-- attrs.put("SupportedKeyClasses",
-- "java.security.interfaces.RSAPublicKey" +
-- "|java.security.interfaces.RSAPrivateKey");
-+ if (!systemFipsEnabled) {
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+ }
-
- add(p, "KeyFactory", "RSA",
- "sun.security.rsa.RSAKeyFactory$Legacy",
- getAliases("PKCS1"), null);
-- add(p, "KeyPairGenerator", "RSA",
-- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-- getAliases("PKCS1"), null);
-- addA(p, "Signature", "MD2withRSA",
-- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-- addA(p, "Signature", "MD5withRSA",
-- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-- addA(p, "Signature", "SHA1withRSA",
-- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-- addA(p, "Signature", "SHA224withRSA",
-- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-- addA(p, "Signature", "SHA256withRSA",
-- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-- addA(p, "Signature", "SHA384withRSA",
-- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-- addA(p, "Signature", "SHA512withRSA",
-- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-- addA(p, "Signature", "SHA512/224withRSA",
-- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-- addA(p, "Signature", "SHA512/256withRSA",
-- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-224withRSA",
-- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-- addA(p, "Signature", "SHA3-256withRSA",
-- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-- addA(p, "Signature", "SHA3-384withRSA",
-- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-- addA(p, "Signature",
"SHA3-512withRSA",
-- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ add(p, "KeyPairGenerator", "RSA",
-+ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-+ getAliases("PKCS1"), null);
-+ addA(p, "Signature", "MD2withRSA",
-+ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-+ addA(p, "Signature", "MD5withRSA",
-+ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-+ addA(p, "Signature", "SHA1withRSA",
-+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-+ addA(p, "Signature", "SHA224withRSA",
-+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-+ addA(p, "Signature", "SHA256withRSA",
-+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-+ addA(p, "Signature", "SHA384withRSA",
-+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-+ addA(p, "Signature", "SHA512withRSA",
-+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-+ addA(p, "Signature", "SHA512/224withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-+ addA(p, "Signature", "SHA512/256withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-224withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-+ addA(p, "Signature", "SHA3-256withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-384withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-+ addA(p, "Signature", "SHA3-512withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+ }
-
- addA(p, "KeyFactory", "RSASSA-PSS",
- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
-- addA(p, "KeyPairGenerator", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-- addA(p, "Signature", "RSASSA-PSS",
-- "sun.security.rsa.RSAPSSSignature", attrs);
-+
-+ if (!systemFipsEnabled) {
-+ addA(p, "KeyPairGenerator", "RSASSA-PSS",
-+ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-+ addA(p, "Signature", "RSASSA-PSS",
-+
"sun.security.rsa.RSAPSSSignature", attrs);
-+ }
-+
- addA(p, "AlgorithmParameters", "RSASSA-PSS",
- "sun.security.rsa.PSSParameters", null);
- }
-diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
-new file mode 100644
-index 00000000000..dc8bc72fccb
---- /dev/null
-+++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java
-@@ -0,0 +1,297 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.util;
-+
-+import java.security.AlgorithmParameters;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.InvalidKeyException;
-+import java.security.Key;
-+import java.security.NoSuchAlgorithmException;
-+import java.security.Provider;
-+import java.security.SecureRandom;
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.spec.InvalidParameterSpecException;
-+import java.util.Arrays;
-+import javax.crypto.Cipher;
-+import javax.crypto.SecretKey;
-+import javax.crypto.spec.IvParameterSpec;
-+import javax.crypto.spec.PBEKeySpec;
-+import javax.crypto.spec.PBEParameterSpec;
-+
-+public final class PBEUtil {
-+
-+ // Used by SunJCE and SunPKCS11
-+ public final static class PBES2Helper {
-+ private int iCount;
-+ private byte[] salt;
-+ private IvParameterSpec ivSpec;
-+ private final int defaultSaltLength;
-+ private final int defaultCount;
-+
-+ public PBES2Helper(int defaultSaltLength, int defaultCount) {
-+ this.defaultSaltLength = defaultSaltLength;
-+ this.defaultCount = defaultCount;
-+ }
-+
-+ public IvParameterSpec getIvSpec() {
-+ return ivSpec;
-+ }
-+
-+ public AlgorithmParameters getAlgorithmParameters(
-+ int blkSize, String pbeAlgo, Provider p, SecureRandom random) {
-+ AlgorithmParameters params = null;
-+ if (salt == null) {
-+ // generate random salt and use default iteration count
-+ salt = new byte[defaultSaltLength];
-+ random.nextBytes(salt);
-+ iCount = defaultCount;
-+ }
-+ if (ivSpec == null) {
-+ // generate random IV
-+ byte[] ivBytes = new byte[blkSize];
-+ random.nextBytes(ivBytes);
-+ ivSpec = new IvParameterSpec(ivBytes);
-+ }
-+ PBEParameterSpec pbeSpec = new PBEParameterSpec(
-+ salt, iCount, ivSpec);
-+ try {
-+ params = (p == null) ?
-+ AlgorithmParameters.getInstance(pbeAlgo) :
-+ AlgorithmParameters.getInstance(pbeAlgo, p);
-+ params.init(pbeSpec);
-+ } catch (NoSuchAlgorithmException nsae) {
-+ // should never happen
-+ throw new RuntimeException("AlgorithmParameters for "
-+ + pbeAlgo + " not configured");
-+ } catch (InvalidParameterSpecException ipse) {
-+ // should never happen
-+ throw new RuntimeException("PBEParameterSpec not supported");
-+ }
-+ return params;
-+ }
-+
-+ public PBEKeySpec getPBEKeySpec(
-+ int blkSize, int keyLength, int opmode, Key key,
-+ AlgorithmParameterSpec params, SecureRandom random)
-+ throws InvalidKeyException, InvalidAlgorithmParameterException {
-+
-+ if (key == null) {
-+ throw new InvalidKeyException("Null key");
-+ }
-+
-+ byte[] passwdBytes = key.getEncoded();
-+ char[] passwdChars = null;
-+ PBEKeySpec pbeSpec;
-+ try {
-+ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches(
-+ true, 0, "PBE", 0, 3))) {
-+ throw new InvalidKeyException("Missing password");
-+ }
-+
-+ // TBD: consolidate the salt, ic and IV parameter checks below
-+
-+ // Extract salt and iteration count from the key, if present
-+ if (key instanceof javax.crypto.interfaces.PBEKey) {
-+ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt();
-+ if (salt != null && salt.length < 8) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Salt must be at least 8 bytes long");
-+ }
-+ iCount = ((javax.crypto.interfaces.PBEKey)key)
-+ .getIterationCount();
-+ if (iCount == 0) {
-+ iCount = defaultCount;
-+ } else if (iCount < 0) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Iteration count must be a positive number");
-+ }
-+ }
-+
-+ // Extract salt, iteration count and IV from the params,
-+ // if present
-+ if (params == null) {
-+ if (salt == null) {
-+ // generate random salt and use default iteration count
-+ salt = new byte[defaultSaltLength];
-+ random.nextBytes(salt);
-+ iCount = defaultCount;
-+ }
-+ if ((opmode == Cipher.ENCRYPT_MODE) ||
-+ (opmode ==
Cipher.WRAP_MODE)) {
-+ // generate random IV
-+ byte[] ivBytes = new byte[blkSize];
-+ random.nextBytes(ivBytes);
-+ ivSpec = new IvParameterSpec(ivBytes);
-+ }
-+ } else {
-+ if (!(params instanceof PBEParameterSpec)) {
-+ throw new InvalidAlgorithmParameterException
-+ ("Wrong parameter type: PBE expected");
-+ }
-+ // salt and iteration count from the params take precedence
-+ byte[] specSalt = ((PBEParameterSpec) params).getSalt();
-+ if (specSalt != null && specSalt.length < 8) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Salt must be at least 8 bytes long");
-+ }
-+ salt = specSalt;
-+ int specICount = ((PBEParameterSpec) params)
-+ .getIterationCount();
-+ if (specICount == 0) {
-+ specICount = defaultCount;
-+ } else if (specICount < 0) {
-+ throw new InvalidAlgorithmParameterException(
-+ "Iteration count must be a positive number");
-+ }
-+ iCount = specICount;
-+
-+ AlgorithmParameterSpec specParams =
-+ ((PBEParameterSpec) params).getParameterSpec();
-+ if (specParams != null) {
-+ if (specParams instanceof IvParameterSpec) {
-+ ivSpec = (IvParameterSpec)specParams;
-+ } else {
-+ throw new InvalidAlgorithmParameterException(
-+ "Wrong parameter type: IV expected");
-+ }
-+ } else if ((opmode == Cipher.ENCRYPT_MODE) ||
-+ (opmode == Cipher.WRAP_MODE)) {
-+ // generate random IV
-+ byte[] ivBytes = new byte[blkSize];
-+ random.nextBytes(ivBytes);
-+ ivSpec = new IvParameterSpec(ivBytes);
-+ } else {
-+ throw new InvalidAlgorithmParameterException(
-+ "Missing parameter type: IV expected");
-+ }
-+ }
-+
-+ passwdChars = new char[passwdBytes.length];
-+ for (int i = 0; i < passwdChars.length; i++)
-+ passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
-+
-+ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength);
-+ // password char[] was cloned in PBEKeySpec constructor,
-+ // so we can zero it out here
-+ } finally {
-+ if (passwdChars != null) Arrays.fill(passwdChars, '\0');
-+ if (passwdBytes != null) Arrays.fill(passwdBytes,
(byte)0x00); -+ } -+ return pbeSpec; -+ } -+ -+ public static AlgorithmParameterSpec getParameterSpec( -+ AlgorithmParameters params) -+ throws InvalidAlgorithmParameterException { -+ AlgorithmParameterSpec pbeSpec = null; -+ if (params != null) { -+ try { -+ pbeSpec = params.getParameterSpec(PBEParameterSpec.class); -+ } catch (InvalidParameterSpecException ipse) { -+ throw new InvalidAlgorithmParameterException( -+ "Wrong parameter type: PBE expected"); -+ } -+ } -+ return pbeSpec; -+ } -+ } -+ -+ // Used by SunJCE and SunPKCS11 -+ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params) -+ throws InvalidKeyException, InvalidAlgorithmParameterException { -+ char[] passwdChars; -+ byte[] salt = null; -+ int iCount = 0; -+ if (key instanceof javax.crypto.interfaces.PBEKey) { -+ javax.crypto.interfaces.PBEKey pbeKey = -+ (javax.crypto.interfaces.PBEKey) key; -+ passwdChars = pbeKey.getPassword(); -+ salt = pbeKey.getSalt(); // maybe null if unspecified -+ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified -+ } else if (key instanceof SecretKey) { -+ byte[] passwdBytes; -+ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) || -+ (passwdBytes = key.getEncoded()) == null) { -+ throw new InvalidKeyException("Missing password"); -+ } -+ passwdChars = new char[passwdBytes.length]; -+ for (int i=0; i -+# Value: clear text PIN value. -+# 2) env: -+# Value: environment variable containing the PIN value. -+# 3) file: -+# Value: path to a file containing the PIN value in its first -+# line. -+# -+# If the system property fips.nssdb.pin is also specified, it supersedes -+# the security property value defined here. -+# -+# When used as a system property, UTF-8 encoded values are valid. When -+# used as a security property (such as in this file), encode non-Basic -+# Latin Unicode characters with \uXXXX. -+# -+fips.nssdb.pin=pin: -+ - # - # Controls compatibility mode for JKS and PKCS12 keystore types. 
- #
-@@ -326,6 +377,13 @@ package.definition=sun.misc.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/src/java.base/share/conf/security/nss.fips.cfg.in b/src/java.base/share/conf/security/nss.fips.cfg.in
-new file mode 100644
-index 00000000000..55bbba98b7a
---- /dev/null
-+++ b/src/java.base/share/conf/security/nss.fips.cfg.in
-@@ -0,0 +1,8 @@
-+name = NSS-FIPS
-+nssLibraryDirectory = @NSS_LIBDIR@
-+nssSecmodDirectory = ${fips.nssdb.path}
-+nssDbMode = readWrite
-+nssModule = fips
-+
-+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
-+
-diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
-index b22f26947af..02bea84e210 100644
---- a/src/java.base/share/lib/security/default.policy
-+++ b/src/java.base/share/lib/security/default.policy
-@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
- grant codeBase "jrt:/jdk.crypto.ec" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "loadLibrary.sunec";
- permission java.security.SecurityPermission "putProviderProperty.SunEC";
- permission java.security.SecurityPermission "clearProviderProperties.SunEC";
-@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
- grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.com.sun.crypto.provider";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
-@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.util.PropertyPermission "os.name", "read";
- permission java.util.PropertyPermission "os.arch", "read";
- permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
-+ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
-+ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
- permission java.security.SecurityPermission "putProviderProperty.*";
- permission java.security.SecurityPermission "clearProviderProperties.*";
- permission java.security.SecurityPermission "removeProviderProperty.*";
-diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
-new file mode 100644
-index 00000000000..ddf9befe5bc
---- /dev/null
-+++ b/src/java.base/share/native/libsystemconf/systemconf.c
-@@ -0,0 +1,236 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include
-+#include
-+#include "jvm_md.h"
-+#include
-+
-+#ifdef LINUX
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#else
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define MSG_MAX_SIZE 256
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+
handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if (debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return 
JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); -+ } -+} -+ -+#else // !LINUX -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ return JNI_FALSE; -+} -+ -+#endif -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 00000000000..d3f0bffb821 ---- /dev/null -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,457 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. 
-+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.security.interfaces.RSAPrivateCrtKey; -+import java.security.interfaces.RSAPrivateKey; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.SecretKeyFactory; -+import javax.crypto.spec.SecretKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import static sun.security.pkcs11.wrapper.PKCS11Exception.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAPrivateCrtKeyImpl; -+import sun.security.rsa.RSAUtil; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static volatile P11Key importerKey = null; -+ private static SecretKeySpec exporterKey = null; -+ private static volatile P11Key exporterKeyP11 = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ // Do not take the exporterKeyLock with the importerKeyLock held. 
-+ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); -+ private static volatile CK_MECHANISM importerKeyMechanism = null; -+ private static volatile CK_MECHANISM exporterKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ private static Cipher exporterCipher = null; -+ -+ private static volatile Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key importer"); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = 
sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? 
v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key importer"); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key importer"); -+ } -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ importerKeyLock.lock(); -+ try { -+ // No need to reset the cipher object because no multi-part -+ // operations are performed. 
-+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, -+ long keyClass, long keyType, Map sensitiveAttrs) -+ throws PKCS11Exception { -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be exported in" + -+ " system FIPS mode."); -+ } -+ if (exporterKeyP11 == null) { -+ try { -+ exporterKeyLock.lock(); -+ if (exporterKeyP11 == null) { -+ if (exporterKeyMechanism == null) { -+ // Exporter Key creation has not been tried yet. Try it. -+ createExporterKey(token); -+ } -+ if (exporterKeyP11 == null || exporterCipher == null) { -+ if (debug != null) { -+ debug.println("Exporter Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key exporter"); -+ } -+ if (debug != null) { -+ debug.println("Exporter Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ exporterKeyLock.unlock(); -+ } -+ } -+ long exporterKeyID = exporterKeyP11.getKeyID(); -+ try { -+ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, -+ exporterKeyMechanism, exporterKeyID, hObject); -+ byte[] plainExportedKey = null; -+ exporterKeyLock.lock(); -+ try { -+ // No need to reset the cipher object because no multi-part -+ // operations are performed. 
-+ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); -+ } finally { -+ exporterKeyLock.unlock(); -+ } -+ if (keyClass == CKO_PRIVATE_KEY) { -+ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); -+ } else if (keyClass == CKO_SECRET_KEY) { -+ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); -+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' -+ // size is greater than 0 and no invalid attributes exist -+ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; -+ } else { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key exporter"); -+ } -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } finally { -+ exporterKeyP11.releaseKeyID(); -+ } -+ } -+ -+ private static void exportPrivateKey( -+ Map sensitiveAttrs, long keyType, -+ byte[] plainExportedKey) throws Throwable { -+ if (keyType == CKK_RSA) { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", -+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, -+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); -+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( -+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey); -+ CK_ATTRIBUTE attr; -+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { -+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); -+ } -+ if (rsaPKey instanceof RSAPrivateCrtKey) { -+ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; -+ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { -+ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { -+ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { -+ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { -+ attr.pValue = 
rsaPCrtKey.getPrimeExponentQ().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { -+ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); -+ } -+ } else { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", -+ CKA_PRIVATE_EXPONENT); -+ } -+ } else if (keyType == CKK_DSA) { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); -+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' -+ // size is greater than 0 and no invalid attributes exist -+ sensitiveAttrs.get(CKA_VALUE).pValue = -+ new sun.security.provider.DSAPrivateKey(plainExportedKey) -+ .getX().toByteArray(); -+ } else if (keyType == CKK_EC) { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); -+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' -+ // size is greater than 0 and no invalid attributes exist -+ sensitiveAttrs.get(CKA_VALUE).pValue = -+ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) -+ .getS().toByteArray(); -+ } else { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " unsupported CKO_PRIVATE_KEY key type: " + keyType); -+ } -+ } -+ -+ private static void checkAttrs(Map sensitiveAttrs, -+ String keyName, long... 
validAttrs) -+ throws PKCS11Exception { -+ int sensitiveAttrsCount = sensitiveAttrs.size(); -+ if (sensitiveAttrsCount <= validAttrs.length) { -+ int validAttrsCount = 0; -+ for (long validAttr : validAttrs) { -+ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; -+ } -+ if (validAttrsCount == sensitiveAttrsCount) return; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " invalid attribute types for a " + keyName + " key object"); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec( -+ (byte[])importerKeyMechanism.pParameter), null); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. 
-+ if (debug != null) { -+ debug.println("Error generating the Importer Key"); -+ } -+ } -+ } -+ -+ private static void createExporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Exporter Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ byte[] exporterKeyRaw = new byte[32]; -+ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); -+ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); -+ try { -+ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); -+ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); -+ if (exporterKeyP11 != null) { -+ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, -+ new IvParameterSpec( -+ (byte[])exporterKeyMechanism.pParameter), null); -+ } -+ } catch (Throwable t) { -+ // best effort -+ exporterKey = null; -+ exporterKeyP11 = null; -+ exporterCipher = null; -+ // exporterKeyMechanism value is kept initialized to indicate that -+ // Exporter Key creation has been tried and failed. -+ if (debug != null) { -+ debug.println("Error generating the Exporter Key"); -+ } -+ } -+ } -+} -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java -new file mode 100644 -index 00000000000..f8d505ca815 ---- /dev/null -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSTokenLoginHandler.java -@@ -0,0 +1,149 @@ -+/* -+ * Copyright (c) 2022, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. 
Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.io.BufferedReader; -+import java.io.ByteArrayInputStream; -+import java.io.InputStream; -+import java.io.InputStreamReader; -+import java.io.IOException; -+import java.nio.charset.StandardCharsets; -+import java.nio.file.Files; -+import java.nio.file.Path; -+import java.nio.file.Paths; -+import java.nio.file.StandardOpenOption; -+import java.security.ProviderException; -+ -+import javax.security.auth.callback.Callback; -+import javax.security.auth.callback.CallbackHandler; -+import javax.security.auth.callback.PasswordCallback; -+import javax.security.auth.callback.UnsupportedCallbackException; -+ -+import sun.security.util.Debug; -+import sun.security.util.SecurityProperties; -+ -+final class FIPSTokenLoginHandler implements CallbackHandler { -+ -+ private static final String FIPS_NSSDB_PIN_PROP = "fips.nssdb.pin"; -+ -+ private static final Debug debug = Debug.getInstance("sunpkcs11"); -+ -+ public void handle(Callback[] callbacks) -+ throws IOException, UnsupportedCallbackException { -+ if (!(callbacks[0] instanceof 
PasswordCallback)) { -+ throw new UnsupportedCallbackException(callbacks[0]); -+ } -+ PasswordCallback pc = (PasswordCallback)callbacks[0]; -+ pc.setPassword(getFipsNssdbPin()); -+ } -+ -+ private static char[] getFipsNssdbPin() throws ProviderException { -+ if (debug != null) { -+ debug.println("FIPS: Reading NSS DB PIN for token..."); -+ } -+ String pinProp = SecurityProperties -+ .privilegedGetOverridable(FIPS_NSSDB_PIN_PROP); -+ if (pinProp != null && !pinProp.isEmpty()) { -+ String[] pinPropParts = pinProp.split(":", 2); -+ if (pinPropParts.length < 2) { -+ throw new ProviderException("Invalid " + FIPS_NSSDB_PIN_PROP + -+ " property value."); -+ } -+ String prefix = pinPropParts[0].toLowerCase(); -+ String value = pinPropParts[1]; -+ String pin = null; -+ if (prefix.equals("env")) { -+ if (debug != null) { -+ debug.println("FIPS: PIN value from the '" + value + -+ "' environment variable."); -+ } -+ pin = System.getenv(value); -+ } else if (prefix.equals("file")) { -+ if (debug != null) { -+ debug.println("FIPS: PIN value from the '" + value + -+ "' file."); -+ } -+ pin = getPinFromFile(Paths.get(value)); -+ } else if (prefix.equals("pin")) { -+ if (debug != null) { -+ debug.println("FIPS: PIN value from the " + -+ FIPS_NSSDB_PIN_PROP + " property."); -+ } -+ pin = value; -+ } else { -+ throw new ProviderException("Unsupported prefix for " + -+ FIPS_NSSDB_PIN_PROP + "."); -+ } -+ if (pin != null && !pin.isEmpty()) { -+ if (debug != null) { -+ debug.println("FIPS: non-empty PIN."); -+ } -+ /* -+ * C_Login in libj2pkcs11 receives the PIN in a char[] and -+ * discards the upper byte of each char, before passing -+ * the value to the NSS Software Token. However, the -+ * NSS Software Token accepts any UTF-8 PIN value. Thus, -+ * expand the PIN here to account for later truncation. 
-+ */ -+ byte[] pinUtf8 = pin.getBytes(StandardCharsets.UTF_8); -+ char[] pinChar = new char[pinUtf8.length]; -+ for (int i = 0; i < pinChar.length; i++) { -+ pinChar[i] = (char)(pinUtf8[i] & 0xFF); -+ } -+ return pinChar; -+ } -+ } -+ if (debug != null) { -+ debug.println("FIPS: empty PIN."); -+ } -+ return null; -+ } -+ -+ /* -+ * This method extracts the token PIN from the first line of a password -+ * file in the same way as NSS modutil. See for example the -newpwfile -+ * argument used to change the password for an NSS DB. -+ */ -+ private static String getPinFromFile(Path f) throws ProviderException { -+ try (InputStream is = -+ Files.newInputStream(f, StandardOpenOption.READ)) { -+ /* -+ * SECU_FilePasswd in NSS (nss/cmd/lib/secutil.c), used by modutil, -+ * reads up to 4096 bytes. In addition, the NSS Software Token -+ * does not accept PINs longer than 500 bytes (see SFTK_MAX_PIN -+ * in nss/lib/softoken/pkcs11i.h). -+ */ -+ BufferedReader in = -+ new BufferedReader(new InputStreamReader( -+ new ByteArrayInputStream(is.readNBytes(4096)), -+ StandardCharsets.UTF_8)); -+ return in.readLine(); -+ } catch (IOException ioe) { -+ throw new ProviderException("Error reading " + FIPS_NSSDB_PIN_PROP + -+ " from the '" + f + "' file.", ioe); -+ } -+ } -+} -\ No newline at end of file -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 9b69072280e..5696b904979 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -@@ -37,6 +37,8 @@ import javax.crypto.*; - import javax.crypto.interfaces.*; - import javax.crypto.spec.*; - -+import jdk.internal.access.SharedSecrets; -+ - import sun.security.rsa.RSAUtil.KeyType; - import sun.security.rsa.RSAPublicKeyImpl; - import sun.security.rsa.RSAPrivateCrtKeyImpl; -@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; - 
*/ - abstract class P11Key implements Key, Length { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - private static final long serialVersionUID = -2575874101938349339L; - - private static final String PUBLIC = "public"; -@@ -136,9 +141,7 @@ abstract class P11Key implements Key, Length { - this.tokenObject = tokenObject; - this.sensitive = sensitive; - this.extractable = extractable; -- char[] tokenLabel = this.token.tokenInfo.label; -- boolean isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S' -- && tokenLabel[2] == 'S'); -+ boolean isNSS = P11Util.isNSS(this.token); - boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS && - extractable && !tokenObject); - this.keyIDHolder = new NativeKeyHolder(this, keyID, session, -@@ -379,7 +382,9 @@ abstract class P11Key implements Key, Length { - new CK_ATTRIBUTE(CKA_SENSITIVE), - new CK_ATTRIBUTE(CKA_EXTRACTABLE), - }); -- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { -+ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); -+ if (!exportable && (attributes[1].getBoolean() || -+ (attributes[2].getBoolean() == false))) { - return new P11PrivateKey - (session, keyID, algorithm, keyLength, attributes); - } else { -@@ -461,7 +466,8 @@ abstract class P11Key implements Key, Length { - } - public String getFormat() { - token.ensureValid(); -- if (sensitive || (extractable == false)) { -+ if (!plainKeySupportEnabled && -+ (sensitive || (extractable == false))) { - return null; - } else { - return "RAW"; -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -index ba0b7faf3f8..4840a116b34 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -@@ -29,14 +29,17 @@ 
import java.nio.ByteBuffer;
-
- import java.security.*;
- import java.security.spec.AlgorithmParameterSpec;
-+import java.security.spec.InvalidKeySpecException;
-
- import javax.crypto.MacSpi;
-+import javax.crypto.spec.PBEKeySpec;
-
- import sun.nio.ch.DirectBuffer;
-
- import sun.security.pkcs11.wrapper.*;
- import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
-+import sun.security.util.PBEUtil;
-
- /**
- * MAC implementation class. This class currently supports HMAC using
-@@ -202,12 +205,23 @@ final class P11Mac extends MacSpi {
- // see JCE spec
- protected void engineInit(Key key, AlgorithmParameterSpec params)
- throws InvalidKeyException, InvalidAlgorithmParameterException {
-- if (params != null) {
-- throw new InvalidAlgorithmParameterException
-- ("Parameters not supported");
-+ if (algorithm.startsWith("HmacPBE")) {
-+ PBEKeySpec pbeSpec = PBEUtil.getPBAKeySpec(key, params);
-+ reset(true);
-+ try {
-+ p11Key = P11SecretKeyFactory.derivePBEKey(
-+ token, pbeSpec, algorithm);
-+ } catch (InvalidKeySpecException e) {
-+ throw new InvalidKeyException(e);
-+ }
-+ } else {
-+ if (params != null) {
-+ throw new InvalidAlgorithmParameterException
-+ ("Parameters not supported");
-+ }
-+ reset(true);
-+ p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
- }
-- reset(true);
-- p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
- try {
- initialize();
- } catch (PKCS11Exception e) {
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java
-new file mode 100644
-index 00000000000..ae4262703e6
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java
-@@ -0,0 +1,200 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.security.AlgorithmParameters;
-+import java.security.Key;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.InvalidKeyException;
-+import java.security.NoSuchAlgorithmException;
-+import java.security.SecureRandom;
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.spec.InvalidKeySpecException;
-+import javax.crypto.BadPaddingException;
-+import javax.crypto.CipherSpi;
-+import javax.crypto.IllegalBlockSizeException;
-+import javax.crypto.NoSuchPaddingException;
-+import javax.crypto.ShortBufferException;
-+import javax.crypto.spec.PBEKeySpec;
-+
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.util.PBEUtil;
-+
-+final class P11PBECipher extends CipherSpi {
-+
-+ private static final int DEFAULT_SALT_LENGTH = 20;
-+ private static final int DEFAULT_COUNT = 4096;
-+
-+ private final Token token;
-+ private final String pbeAlg;
-+ private final P11Cipher cipher;
-+ private final int blkSize;
-+ private final int keyLen;
-+ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper(
-+ DEFAULT_SALT_LENGTH, DEFAULT_COUNT);
-+
-+ P11PBECipher(Token token, String pbeAlg, long cipherMech)
-+ throws PKCS11Exception, NoSuchAlgorithmException {
-+ super();
-+ String cipherTrans;
-+ if (cipherMech == CKM_AES_CBC_PAD || cipherMech == CKM_AES_CBC) {
-+ cipherTrans = "AES/CBC/PKCS5Padding";
-+ } else {
-+ throw new NoSuchAlgorithmException(
-+ "Cipher transformation not supported.");
-+ }
-+ cipher = new P11Cipher(token, cipherTrans, cipherMech);
-+ blkSize = cipher.engineGetBlockSize();
-+ assert P11Util.kdfDataMap.get(pbeAlg) != null;
-+ keyLen = P11Util.kdfDataMap.get(pbeAlg).keyLen;
-+ this.pbeAlg = pbeAlg;
-+ this.token = token;
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineSetMode(String mode)
-+ throws
NoSuchAlgorithmException {
-+ cipher.engineSetMode(mode);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineSetPadding(String padding)
-+ throws NoSuchPaddingException {
-+ cipher.engineSetPadding(padding);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetBlockSize() {
-+ return cipher.engineGetBlockSize();
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetOutputSize(int inputLen) {
-+ return cipher.engineGetOutputSize(inputLen);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected byte[] engineGetIV() {
-+ return cipher.engineGetIV();
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected AlgorithmParameters engineGetParameters() {
-+ return pbes2Helper.getAlgorithmParameters(
-+ blkSize, pbeAlg, null, JCAUtil.getSecureRandom());
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ SecureRandom random) throws InvalidKeyException {
-+ try {
-+ engineInit(opmode, key, (AlgorithmParameterSpec) null, random);
-+ } catch (InvalidAlgorithmParameterException e) {
-+ throw new InvalidKeyException("requires PBE parameters", e);
-+ }
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ AlgorithmParameterSpec params, SecureRandom random)
-+ throws InvalidKeyException,
-+ InvalidAlgorithmParameterException {
-+
-+ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLen,
-+ opmode, key, params, random);
-+
-+ Key derivedKey;
-+ try {
-+ derivedKey = P11SecretKeyFactory.derivePBEKey(
-+ token, pbeSpec, pbeAlg);
-+ } catch (InvalidKeySpecException e) {
-+ throw new InvalidKeyException(e);
-+ }
-+ cipher.engineInit(opmode, derivedKey, pbes2Helper.getIvSpec(), random);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected void engineInit(int opmode, Key key,
-+ AlgorithmParameters params, SecureRandom random)
-+ throws InvalidKeyException,
-+ InvalidAlgorithmParameterException {
-+ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params),
-+ random);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected byte[] engineUpdate(byte[] input, int inputOffset,
-+ int inputLen) {
-+ return cipher.engineUpdate(input, inputOffset, inputLen);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineUpdate(byte[] input, int inputOffset,
-+ int inputLen, byte[] output, int outputOffset)
-+ throws ShortBufferException {
-+ return cipher.engineUpdate(input, inputOffset, inputLen,
-+ output, outputOffset);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected byte[] engineDoFinal(byte[] input, int inputOffset,
-+ int inputLen)
-+ throws IllegalBlockSizeException, BadPaddingException {
-+ return cipher.engineDoFinal(input, inputOffset, inputLen);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineDoFinal(byte[] input, int inputOffset,
-+ int inputLen, byte[] output, int outputOffset)
-+ throws ShortBufferException, IllegalBlockSizeException,
-+ BadPaddingException {
-+ return cipher.engineDoFinal(input, inputOffset, inputLen, output,
-+ outputOffset);
-+ }
-+
-+ // see JCE spec
-+ @Override
-+ protected int engineGetKeySize(Key key)
-+ throws InvalidKeyException {
-+ return cipher.engineGetKeySize(key);
-+ }
-+
-+}
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
-index 8d1b8ccb0ae..950ed20cf62 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
-@@ -31,6 +31,7 @@ import java.security.*;
- import java.security.spec.*;
-
- import javax.crypto.*;
-+import javax.crypto.interfaces.PBEKey;
- import javax.crypto.spec.*;
-
- import static sun.security.pkcs11.TemplateManager.*;
-@@ -194,6 +195,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
- return p11Key;
- }
-
-+ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec,
String algo)
-+ throws InvalidKeySpecException {
-+ token.ensureValid();
-+ if (keySpec == null) {
-+ throw new InvalidKeySpecException("PBEKeySpec must not be null");
-+ }
-+ Session session = null;
-+ try {
-+ session = token.getObjSession();
-+ P11Util.KDFData kdfData = P11Util.kdfDataMap.get(algo);
-+ CK_MECHANISM ckMech;
-+ char[] password = keySpec.getPassword();
-+ byte[] salt = keySpec.getSalt();
-+ int itCount = keySpec.getIterationCount();
-+ int keySize = keySpec.getKeyLength();
-+ if (kdfData.keyLen != -1) {
-+ if (keySize == 0) {
-+ keySize = kdfData.keyLen;
-+ } else if (keySize != kdfData.keyLen) {
-+ throw new InvalidKeySpecException(
-+ "Key length is invalid for " + algo);
-+ }
-+ }
-+
-+ if (kdfData.kdfMech == CKM_PKCS5_PBKD2) {
-+ CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion;
-+ if (P11Util.isNSS(token) || p11Ver.major < 2 ||
-+ p11Ver.major == 2 && p11Ver.minor < 40) {
-+ // NSS keeps using the old structure beyond PKCS #11 v2.40
-+ ckMech = new CK_MECHANISM(kdfData.kdfMech,
-+ new CK_PKCS5_PBKD2_PARAMS(password, salt,
-+ itCount, kdfData.prfMech));
-+ } else {
-+ ckMech = new CK_MECHANISM(kdfData.kdfMech,
-+ new CK_PKCS5_PBKD2_PARAMS2(password, salt,
-+ itCount, kdfData.prfMech));
-+ }
-+ } else {
-+ // PKCS #12 "General Method" PBKD (RFC 7292, Appendix B.2)
-+ if (P11Util.isNSS(token)) {
-+ // According to PKCS #11, "password" in CK_PBE_PARAMS has
-+ // a CK_UTF8CHAR_PTR type. This suggests that it is encoded
-+ // in UTF-8. However, NSS expects the password to be encoded
-+ // as BMPString with a NULL terminator when C_GenerateKey
-+ // is called for a PKCS #12 "General Method" derivation
-+ // (see RFC 7292, Appendix B.1).
-+ //
-+ // The char size in Java is 2 bytes. When a char is
-+ // converted to a CK_UTF8CHAR, the high-order byte is
-+ // discarded (see jCharArrayToCKUTF8CharArray in
-+ // p11_util.c).
In order to have a BMPString passed to
-+ // C_GenerateKey, we need to account for that and expand:
-+ // the high and low parts of each char are split into 2
-+ // chars. As an example, this is the transformation for
-+ // a NULL terminated password "a":
-+ // char[] => [ 0x0061, 0x0000 ]
-+ // / \ / \
-+ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000]
-+ // | | | |
-+ // BMPString => [ 0x00, 0x61, 0x00, 0x00]
-+ //
-+ int inputLength = (password == null) ? 0 : password.length;
-+ char[] expPassword = new char[inputLength * 2 + 2];
-+ for (int i = 0, j = 0; i < inputLength; i++, j += 2) {
-+ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF);
-+ expPassword[j + 1] = (char) (password[i] & 0xFF);
-+ }
-+ password = expPassword;
-+ }
-+ ckMech = new CK_MECHANISM(kdfData.kdfMech,
-+ new CK_PBE_PARAMS(password, salt, itCount));
-+ }
-+
-+ long keyType = getKeyType(kdfData.keyAlgo);
-+ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[
-+ switch (kdfData.op) {
-+ case ENCRYPTION, AUTHENTICATION -> 4;
-+ case GENERIC -> 5;
-+ }];
-+ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY);
-+ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3);
-+ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType);
-+ switch (kdfData.op) {
-+ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE;
-+ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE;
-+ case GENERIC -> {
-+ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE;
-+ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE;
-+ }
-+ }
-+ CK_ATTRIBUTE[] attr = token.getAttributes(
-+ O_GENERATE, CKO_SECRET_KEY, keyType, attrs);
-+ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr);
-+ return (P11Key)P11Key.secretKey(
-+ session, keyID, kdfData.keyAlgo, keySize, attr);
-+ } catch (PKCS11Exception e) {
-+ throw new InvalidKeySpecException("Could not create key", e);
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
-+
-+ static P11Key derivePBEKey(Token token, PBEKey key, String algo)
-+ throws InvalidKeyException {
-+ token.ensureValid();
-+ if (key == null) {
-+ throw new InvalidKeyException("PBEKey must not be null");
-+ }
-+ P11Key p11Key = token.secretCache.get(key);
-+ if (p11Key != null) {
-+ return p11Key;
-+ }
-+ try {
-+ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(),
-+ key.getSalt(), key.getIterationCount()), algo);
-+ } catch (InvalidKeySpecException e) {
-+ throw new InvalidKeyException(e);
-+ }
-+ token.secretCache.put(key, p11Key);
-+ return p11Key;
-+ }
-+
- static void fixDESParity(byte[] key, int offset) {
- for (int i = 0; i < 8; i++) {
- int b = key[offset] & 0xfe;
-@@ -320,6 +443,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
- keySpec = new SecretKeySpec(keyBytes, "DESede");
- return engineGenerateSecret(keySpec);
- }
-+ } else if (keySpec instanceof PBEKeySpec) {
-+ return (SecretKey)derivePBEKey(token,
-+ (PBEKeySpec)keySpec, algorithm);
- }
- throw new InvalidKeySpecException
- ("Unsupported spec: " + keySpec.getClass().getName());
-@@ -373,6 +499,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
- // see JCE spec
- protected SecretKey engineTranslateKey(SecretKey key)
- throws InvalidKeyException {
-+ if (key instanceof PBEKey) {
-+ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm);
-+ }
- return (SecretKey)convertKey(token, key, algorithm);
- }
-
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
-index 262cfc062ad..72b64f72c0a 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
-@@ -27,6 +27,10 @@ package sun.security.pkcs11;
-
- import java.math.BigInteger;
- import java.security.*;
-+import java.util.HashMap;
-+import java.util.Map;
-+
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-
- /**
- * Collection of static utility methods.
-@@ -40,10 +44,106 @@ public final class P11Util {
-
- private static volatile Provider sun, sunRsaSign, sunJce;
-
-+ // Used by PBE
-+ static final class KDFData {
-+ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC}
-+ public long kdfMech;
-+ public long prfMech;
-+ public String keyAlgo;
-+ public int keyLen;
-+ public Operation op;
-+ KDFData(long kdfMech, long prfMech, String keyAlgo,
-+ int keyLen, Operation op) {
-+ this.kdfMech = kdfMech;
-+ this.prfMech = prfMech;
-+ this.keyAlgo = keyAlgo;
-+ this.keyLen = keyLen;
-+ this.op = op;
-+ }
-+
-+ public static void addPbkdf2Data(String algo, long kdfMech,
-+ long prfMech) {
-+ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech,
-+ "Generic", -1, Operation.GENERIC));
-+ }
-+
-+ public static void addPbkdf2AesData(String algo, long kdfMech,
-+ long prfMech, int keyLen) {
-+ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech,
-+ "AES", keyLen, Operation.ENCRYPTION));
-+ }
-+
-+ public static void addPkcs12KDData(String algo, long kdfMech,
-+ int keyLen) {
-+ kdfDataMap.put(algo, new KDFData(kdfMech, -1,
-+ "Generic", keyLen, Operation.AUTHENTICATION));
-+ }
-+ }
-+
-+ static final Map kdfDataMap = new HashMap<>();
-+
-+ static {
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256);
-+ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256);
-+
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384);
-+ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512",
-+ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512);
-+
-+ KDFData.addPkcs12KDData("HmacPBESHA1",
-+ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160);
-+ KDFData.addPkcs12KDData("HmacPBESHA224",
-+ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224);
-+ KDFData.addPkcs12KDData("HmacPBESHA256",
-+ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256);
-+ KDFData.addPkcs12KDData("HmacPBESHA384",
-+ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384);
-+ KDFData.addPkcs12KDData("HmacPBESHA512",
-+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
-+ KDFData.addPkcs12KDData("HmacPBESHA512/224",
-+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
-+ KDFData.addPkcs12KDData("HmacPBESHA512/256",
-+ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
-+ }
-+
- private P11Util() {
- // empty
- }
-
-+ static boolean isNSS(Token token) {
-+ char[] tokenLabel = token.tokenInfo.label;
-+ if (tokenLabel != null && tokenLabel.length >= 3) {
-+ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
-+ && tokenLabel[2] == 'S');
-+ }
-+ return false;
-+ }
-+
- static Provider getSunProvider() {
- Provider p = sun;
- if (p == null) {
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index aa35e8fa668..1855e5631bd 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -42,10 +45,12 @@ import javax.security.auth.callback.PasswordCallback;
-
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.misc.InnocuousThread;
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-+import sun.security.util.SecurityProperties;
- import static sun.security.util.SecurityProviderConstants.getAliases;
-
- import sun.security.pkcs11.Secmod.*;
-@@ -62,6 +67,39 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ private static final MethodHandle fipsExportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ MethodHandle fipsExportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ fipsExportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "exportKey",
-+
MethodType.methodType(void.class, SunPKCS11.class,
-+ long.class, long.class,
-+ long.class, long.class, Map.class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer-exporter" +
-+ " initialization failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ fipsExportKey = fipsExportKeyTmp;
-+ }
-+
-+ private static final String FIPS_NSSDB_PATH_PROP = "fips.nssdb.path";
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider {
- return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
- @Override
- public SunPKCS11 run() throws Exception {
-+ if (systemFipsEnabled) {
-+ /*
-+ * The nssSecmodDirectory attribute in the SunPKCS11
-+ * NSS configuration file takes the value of the
-+ * fips.nssdb.path System property after expansion.
-+ * Security properties expansion is unsupported.
-+ */
-+ String nssdbPath =
-+ SecurityProperties.privilegedGetOverridable(
-+ FIPS_NSSDB_PATH_PROP);
-+ if (System.getSecurityManager() != null) {
-+ AccessController.doPrivileged(
-+ (PrivilegedAction) () -> {
-+ System.setProperty(
-+ FIPS_NSSDB_PATH_PROP,
-+ nssdbPath);
-+ return null;
-+ });
-+ } else {
-+ System.setProperty(
-+ FIPS_NSSDB_PATH_PROP, nssdbPath);
-+ }
-+ }
- return new SunPKCS11(new Config(newConfigName));
- }
- });
-@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ MethodHandle fipsKeyExporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ fipsKeyExporter = MethodHandles.insertArguments(
-+ fipsExportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+
config.getOmitInitialize(), fipsKeyImporter,
-+ fipsKeyExporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,
-+ fipsKeyExporter);
- }
- p11 = tmpPKCS11;
-
-- CK_INFO p11Info = p11.C_GetInfo();
-+ CK_INFO p11Info = p11.getInfo();
- if (p11Info.cryptokiVersion.major < 2) {
- throw new ProviderException("Only PKCS#11 v2.0 and later "
- + "supported, library version is v" + p11Info.cryptokiVersion);
-@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider {
- final String className;
- final List aliases;
- final int[] mechanisms;
-+ final int[] requiredMechs;
-
-+ // mechanisms is a list of possible mechanisms that implement the
-+ // algorithm, at least one of them must be available.
requiredMechs
-+ // is a list of auxiliary mechanisms, all of them must be available
- private Descriptor(String type, String algorithm, String className,
-- List aliases, int[] mechanisms) {
-+ List aliases, int[] mechanisms, int[] requiredMechs) {
- this.type = type;
- this.algorithm = algorithm;
- this.className = className;
- this.aliases = aliases;
- this.mechanisms = mechanisms;
-+ this.requiredMechs = requiredMechs;
- }
- private P11Service service(Token token, int mechanism) {
- return new P11Service
-@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider {
-
- private static void d(String type, String algorithm, String className,
- int[] m) {
-- register(new Descriptor(type, algorithm, className, null, m));
-+ register(new Descriptor(type, algorithm, className, null, m, null));
- }
-
- private static void d(String type, String algorithm, String className,
- List aliases, int[] m) {
-- register(new Descriptor(type, algorithm, className, aliases, m));
-+ register(new Descriptor(type, algorithm, className, aliases, m, null));
-+ }
-+
-+ private static void d(String type, String algorithm, String className,
-+ int[] m, int[] requiredMechs) {
-+ register(new Descriptor(type, algorithm, className, null, m,
-+ requiredMechs));
-+ }
-+ private static void dA(String type, String algorithm, String className,
-+ int[] m, int[] requiredMechs) {
-+ register(new Descriptor(type, algorithm, className,
-+ getAliases(algorithm), m, requiredMechs));
- }
-
- private static void dA(String type, String algorithm, String className,
- int[] m) {
- register(new Descriptor(type, algorithm, className,
-- getAliases(algorithm), m));
-+ getAliases(algorithm), m, null));
- }
-
- private static void register(Descriptor d) {
-@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider {
- String P11Cipher = "sun.security.pkcs11.P11Cipher";
- String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
- String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
-+ String P11PBECipher = "sun.security.pkcs11.P11PBECipher";
- String P11Signature = "sun.security.pkcs11.P11Signature";
- String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
-
-@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider {
- d(MAC, "SslMacSHA1", P11Mac,
- m(CKM_SSL3_SHA1_MAC));
-
-+ if (systemFipsEnabled) {
-+ /*
-+ * PBA HMacs
-+ *
-+ * KeyDerivationMech must be supported
-+ * for these services to be available.
-+ *
-+ */
-+ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC),
-+ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
-+ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC),
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ }
-+
- d(KPG, "RSA", P11KeyPairGenerator,
- getAliases("PKCS1"),
- m(CKM_RSA_PKCS_KEY_PAIR_GEN));
-@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider {
- d(SKF, "ChaCha20", P11SecretKeyFactory,
- m(CKM_CHACHA20_POLY1305));
-
-+ if (systemFipsEnabled) {
-+ /*
-+ * PBE Secret Key Factories
-+ *
-+ * KeyDerivationPrf must be supported for these services
-+ * to be available.
-+ *
-+ */
-+ d(SKF, "PBEWithHmacSHA1AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
-+ d(SKF, "PBEWithHmacSHA224AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
-+ d(SKF, "PBEWithHmacSHA256AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
-+ d(SKF, "PBEWithHmacSHA384AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
-+ d(SKF, "PBEWithHmacSHA512AndAES_128",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
-+ d(SKF, "PBEWithHmacSHA1AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
-+ d(SKF, "PBEWithHmacSHA224AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
-+ d(SKF, "PBEWithHmacSHA256AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
-+ d(SKF, "PBEWithHmacSHA384AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
-+ d(SKF, "PBEWithHmacSHA512AndAES_256",
-+ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
-+ /*
-+ * PBA Secret Key Factories
-+ */
-+ d(SKF, "HmacPBESHA1", P11SecretKeyFactory,
-+ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
-+ d(SKF, "HmacPBESHA224", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA256", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA384", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA512", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory,
-+ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
-+ /*
-+ * PBKDF2 Secret Key Factories
-+ */
-+ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2),
m(CKM_SHA224_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
-+ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory,
-+ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
-+ }
-+
- // XXX attributes for Ciphers (supported modes, padding)
- dA(CIP, "ARCFOUR", P11Cipher,
- m(CKM_RC4));
-@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider {
- d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
- m(CKM_RSA_X_509));
-
-+ if (systemFipsEnabled) {
-+ /*
-+ * PBE Ciphers
-+ *
-+ * KeyDerivationMech and KeyDerivationPrf must be supported
-+ * for these services to be available.
-+ *
-+ */
-+ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
-+ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
-+ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
-+ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
-+ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
-+ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
-+ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
-+ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
-+ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher,
-+ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
-+ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher,
-+
m(CKM_AES_CBC_PAD, CKM_AES_CBC),
-+ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
-+ }
-+
- d(SIG, "RawDSA", P11Signature,
- List.of("NONEwithDSA"),
- m(CKM_DSA));
-@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider {
- if (ds == null) {
- continue;
- }
-+ descLoop:
- for (Descriptor d : ds) {
- Integer oldMech = supportedAlgs.get(d);
- if (oldMech == null) {
-+ if (d.requiredMechs != null) {
-+ // Check that other mechanisms required for the
-+ // service are supported before listing it as
-+ // available for the first time.
-+ for (int requiredMech : d.requiredMechs) {
-+ if (token.getMechanismInfo(
-+ requiredMech & 0xFFFFFFFFL) == null) {
-+ continue descLoop;
-+ }
-+ }
-+ }
- supportedAlgs.put(d, integerMech);
- continue;
- }
-@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider {
- }
-
- @Override
-+ @SuppressWarnings("removal")
- public Object newInstance(Object param)
- throws NoSuchAlgorithmException {
- if (token.isValid() == false) {
- throw new NoSuchAlgorithmException("Token has been removed");
- }
-+ if (systemFipsEnabled && !token.fipsLoggedIn &&
-+ !getType().equals("KeyStore")) {
-+ /*
-+ * The NSS Software Token in FIPS 140-2 mode requires a
-+ * user login for most operations. See sftk_fipsCheck
-+ * (nss/lib/softoken/fipstokn.c). In case of a KeyStore
-+ * service, let the caller perform the login with
-+ * KeyStore::load. Keytool, for example, does this to pass a
-+ * PIN from either the -srcstorepass or -deststorepass
-+ * argument. In case of a non-KeyStore service, perform the
-+ * login now with the PIN available in the fips.nssdb.pin
-+ * property.
-+ */
-+ try {
-+ if (System.getSecurityManager() != null) {
-+ try {
-+ AccessController.doPrivileged(
-+ (PrivilegedExceptionAction) () -> {
-+ token.ensureLoggedIn(null);
-+ return null;
-+ });
-+ } catch (PrivilegedActionException pae) {
-+ Exception e = pae.getException();
-+ if (e instanceof LoginException le) {
-+ throw le;
-+ } else if (e instanceof PKCS11Exception p11e) {
-+ throw p11e;
-+ } else {
-+ throw new RuntimeException(e);
-+ }
-+ }
-+ } else {
-+ token.ensureLoggedIn(null);
-+ }
-+ } catch (PKCS11Exception | LoginException e) {
-+ throw new ProviderException("FIPS: error during the Token" +
-+ " login required for the " + getType() +
-+ " service.", e);
-+ }
-+ }
- try {
- return newInstance0(param);
- } catch (PKCS11Exception e) {
-@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider {
- } else if (algorithm.endsWith("GCM/NoPadding") ||
- algorithm.startsWith("ChaCha20-Poly1305")) {
- return new P11AEADCipher(token, algorithm, mechanism);
-+ } else if (algorithm.startsWith("PBE")) {
-+ return new P11PBECipher(token, algorithm, mechanism);
- } else {
- return new P11Cipher(token, algorithm, mechanism);
- }
-@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider {
- try {
- session = token.getOpSession();
- p11.C_Logout(session.id());
-+ if (systemFipsEnabled) {
-+ token.fipsLoggedIn = false;
-+ }
- if (debug != null) {
- debug.println("logout succeeded");
- }
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-index 9858a5faedf..e63585486d9 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-@@ -33,6 +33,7 @@ import java.lang.ref.*;
- import java.security.*;
- import javax.security.auth.login.LoginException;
-
-+import jdk.internal.access.SharedSecrets;
- import sun.security.jca.JCAUtil;
-
- import
sun.security.pkcs11.wrapper.*;
-@@ -48,6 +49,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
- */
- class Token implements Serializable {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- // need to be serializable to allow SecureRandom to be serialized
- private static final long serialVersionUID = 2541527649100571747L;
-
-@@ -114,6 +118,10 @@ class Token implements Serializable {
- // flag indicating whether we are logged in
- private volatile boolean loggedIn;
-
-+ // Flag indicating the login status for the NSS Software Token in FIPS mode.
-+ // This Token is never asynchronously removed. Used from SunPKCS11.
-+ volatile boolean fipsLoggedIn;
-+
- // time we last checked login status
- private long lastLoginCheck;
-
-@@ -232,7 +240,12 @@ class Token implements Serializable {
- // call provider.login() if not
- void ensureLoggedIn(Session session) throws PKCS11Exception, LoginException {
- if (isLoggedIn(session) == false) {
-- provider.login(null, null);
-+ if (systemFipsEnabled) {
-+ provider.login(null, new FIPSTokenLoginHandler());
-+ fipsLoggedIn = true;
-+ } else {
-+ provider.login(null, null);
-+ }
- }
- }
-
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
-index 88ff8a71fc3..47a2f97eddf 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
-@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS {
- }
-
- /**
-- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
-+ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS.
- *
-- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
-+ * @return the string representation of CK_ECDH1_DERIVE_PARAMS
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
-index 0c9ebb289c1..b4b2448464d 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
-@@ -160,6 +160,18 @@ public class CK_MECHANISM {
- init(mechanism, params);
- }
-
-+ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) {
-+ init(mechanism, params);
-+ }
-+
-+ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) {
-+ init(mechanism, params);
-+ }
-+
-+ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) {
-+ init(mechanism, params);
-+ }
-+
- // For PSS. the parameter may be set multiple times, use the
- // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS)
- // methods instead of creating yet another constructor
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
-index e8b048869c4..a25fa1c39e5 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
-@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper;
-
-
- /**
-- * class CK_PBE_PARAMS provides all of the necessary information required byte
-+ * class CK_PBE_PARAMS provides all the necessary information required by
- * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.

- * PKCS#11 structure:
- *

-  * typedef struct CK_PBE_PARAMS {
-- *   CK_CHAR_PTR pInitVector;
-- *   CK_CHAR_PTR pPassword;
-+ *   CK_BYTE_PTR pInitVector;
-+ *   CK_UTF8CHAR_PTR pPassword;
-  *   CK_ULONG ulPasswordLen;
-- *   CK_CHAR_PTR pSalt;
-+ *   CK_BYTE_PTR pSalt;
-  *   CK_ULONG ulSaltLen;
-  *   CK_ULONG ulIteration;
-  * } CK_PBE_PARAMS;
-@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
-     /**
-      * PKCS#11:
-      * 
--     *   CK_CHAR_PTR pInitVector;
-+     *   CK_BYTE_PTR pInitVector;
-      * 
- */
-- public char[] pInitVector;
-+ public byte[] pInitVector;
-
- /**
- * PKCS#11:
- *
--     *   CK_CHAR_PTR pPassword;
-+     *   CK_UTF8CHAR_PTR pPassword;
-      *   CK_ULONG ulPasswordLen;
-      * 
- */
-@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
- /**
- * PKCS#11:
- *
--     *   CK_CHAR_PTR pSalt
-+     *   CK_BYTE_PTR pSalt
-      *   CK_ULONG ulSaltLen;
-      * 
- */
-- public char[] pSalt;
-+ public byte[] pSalt;
-
- /**
- * PKCS#11:
-@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
- */
- public long ulIteration;
-
-+ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
-+ this.pPassword = pPassword;
-+ this.pSalt = pSalt;
-+ this.ulIteration = ulIteration;
-+ }
-+
- /**
- * Returns the string representation of CK_PBE_PARAMS.
- *
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
-index fb90bfced27..a01beb0753a 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
-@@ -47,7 +47,7 @@
-
- package sun.security.pkcs11.wrapper;
-
--
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-
- /**
- * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
-@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
- * PKCS#11 structure:
- *
-  * typedef struct CK_PKCS5_PBKD2_PARAMS {
-- *   CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
-+ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-  *   CK_VOID_PTR pSaltSourceData;
-  *   CK_ULONG ulSaltSourceDataLen;
-  *   CK_ULONG iterations;
-  *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-  *   CK_VOID_PTR pPrfData;
-  *   CK_ULONG ulPrfDataLen;
-+ *   CK_UTF8CHAR_PTR pPassword;
-+ *   CK_ULONG_PTR ulPasswordLen;
-  * } CK_PKCS5_PBKD2_PARAMS;
-  * 
- *
-@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
- */
- public byte[] pPrfData;
-
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_UTF8CHAR_PTR pPassword
-+     *   CK_ULONG_PTR ulPasswordLen;
-+     * 
-+ */
-+ public char[] pPassword;
-+
-+ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
-+ long iterations, long prf) {
-+ this.pPassword = pPassword;
-+ this.pSaltSourceData = pSalt;
-+ this.iterations = iterations;
-+ this.prf = prf;
-+ this.saltSource = CKZ_SALT_SPECIFIED;
-+ }
-+
- /**
- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
- *
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
-new file mode 100644
-index 00000000000..935db656639
---- /dev/null
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
-@@ -0,0 +1,156 @@
-+/*
-+ * Copyright (c) 2022, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11.wrapper;
-+
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+
-+/**
-+ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
-+ * mechanism.

-+ * PKCS#11 structure:
-+ *

-+ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
-+ *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-+ *   CK_VOID_PTR pSaltSourceData;
-+ *   CK_ULONG ulSaltSourceDataLen;
-+ *   CK_ULONG iterations;
-+ *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-+ *   CK_VOID_PTR pPrfData;
-+ *   CK_ULONG ulPrfDataLen;
-+ *   CK_UTF8CHAR_PTR pPassword;
-+ *   CK_ULONG ulPasswordLen;
-+ * } CK_PKCS5_PBKD2_PARAMS2;
-+ * 
-+ *
-+ */
-+public class CK_PKCS5_PBKD2_PARAMS2 {
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
-+     * 
-+ */
-+ public long saltSource;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_VOID_PTR pSaltSourceData;
-+     *   CK_ULONG ulSaltSourceDataLen;
-+     * 
-+ */
-+ public byte[] pSaltSourceData;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_ULONG iterations;
-+     * 
-+ */
-+ public long iterations;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-+     * 
-+ */
-+ public long prf;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_VOID_PTR pPrfData;
-+     *   CK_ULONG ulPrfDataLen;
-+     * 
-+ */
-+ public byte[] pPrfData;
-+
-+ /**
-+ * PKCS#11:
-+ *
-+     *   CK_UTF8CHAR_PTR pPassword
-+     *   CK_ULONG ulPasswordLen;
-+     * 
-+ */
-+ public char[] pPassword;
-+
-+ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
-+ long iterations, long prf) {
-+ this.pPassword = pPassword;
-+ this.pSaltSourceData = pSalt;
-+ this.iterations = iterations;
-+ this.prf = prf;
-+ this.saltSource = CKZ_SALT_SPECIFIED;
-+ }
-+
-+ /**
-+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
-+ *
-+ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
-+ */
-+ public String toString() {
-+ StringBuilder sb = new StringBuilder();
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("saltSource: ");
-+ sb.append(saltSource);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("pSaltSourceData: ");
-+ sb.append(Functions.toHexString(pSaltSourceData));
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("ulSaltSourceDataLen: ");
-+ sb.append(pSaltSourceData.length);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("iterations: ");
-+ sb.append(iterations);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("prf: ");
-+ sb.append(prf);
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("pPrfData: ");
-+ sb.append(Functions.toHexString(pPrfData));
-+ sb.append(Constants.NEWLINE);
-+
-+ sb.append(Constants.INDENT);
-+ sb.append("ulPrfDataLen: ");
-+ sb.append(pPrfData.length);
-+
-+ return sb.toString();
-+ }
-+
-+}
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
-index 1f9c4d39f57..5e3c1b9d29f 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
-@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
- public byte[]
pPublicData;
-
- /**
-- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
-+ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
- *
-- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
-+ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
- */
- public String toString() {
- StringBuilder sb = new StringBuilder();
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 5c0aacd1a67..5fbf8addcba 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -113,6 +116,8 @@ public class PKCS11 {
-
- private long pNativeData;
-
-+ private CK_INFO pInfo;
-+
- /**
- * This method does the initialization of the native library. It is called
- * exactly once for this class.
-@@ -145,23 +150,49 @@ public class PKCS11 {
- * @postconditions
- */
- PKCS11(String pkcs11ModulePath, String functionListName)
-- throws IOException {
-+ throws IOException, PKCS11Exception {
- connect(pkcs11ModulePath, functionListName);
- this.pkcs11ModulePath = pkcs11ModulePath;
-+ pInfo = C_GetInfo();
-+ }
-+
-+ /*
-+ * Compatibility wrapper to allow this method to work as before
-+ * when FIPS mode support is not active.
-+ */
-+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-+ boolean omitInitialize) throws IOException, PKCS11Exception {
-+ return getInstance(pkcs11ModulePath, functionList,
-+ pInitArgs, omitInitialize, null, null);
- }
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter,
-+ MethodHandle fipsKeyExporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null &&
-+ fipsKeyExporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter, fipsKeyExporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter, fipsKeyExporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -179,6 +210,14 @@ public class PKCS11 {
- return pkcs11;
- }
-
-+ /**
-+ * Returns the CK_INFO structure fetched at initialization with
-+ * C_GetInfo. This structure represent Cryptoki library information.
-+ */
-+ public CK_INFO getInfo() {
-+ return pInfo;
-+ }
-+
- /**
- * Connects this object to the specified PKCS#11 library. This method is for
- * internal use only.
-@@ -1625,7 +1664,7 @@ public class PKCS11 {
- static class SynchronizedPKCS11 extends PKCS11 {
-
- SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
-- throws IOException {
-+ throws IOException, PKCS11Exception {
- super(pkcs11ModulePath, functionListName);
- }
-
-@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ private MethodHandle fipsKeyExporter;
-+ private MethodHandle hC_GetAttributeValue;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException, PKCS11Exception {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ this.fipsKeyExporter = fipsKeyExporter;
-+ try {
-+ hC_GetAttributeValue = MethodHandles.insertArguments(
-+ MethodHandles.lookup().findSpecial(PKCS11.class,
-+ "C_GetAttributeValue", MethodType.methodType(
-+ void.class, long.class, long.class,
-+ CK_ATTRIBUTE[].class),
-+ FIPSPKCS11.class), 0, this);
-+ } catch (Throwable t) {
-+ throw new RuntimeException(
-+ "sun.security.pkcs11.wrapper.PKCS11" +
-+ "::C_GetAttributeValue method not found.", t);
-+ }
-+ }
-+
-+ public long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+
-+ public void C_GetAttributeValue(long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
-+ fipsKeyExporter, hSession, hObject, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ private MethodHandle fipsKeyExporter;
-+ private MethodHandle hC_GetAttributeValue;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException, PKCS11Exception {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ this.fipsKeyExporter = fipsKeyExporter;
-+ try {
-+ hC_GetAttributeValue = MethodHandles.insertArguments(
-+ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
-+ "C_GetAttributeValue", MethodType.methodType(
-+ void.class, long.class, long.class,
-+ CK_ATTRIBUTE[].class),
-+ SynchronizedFIPSPKCS11.class), 0, this);
-+ } catch (Throwable t) {
-+ throw new RuntimeException(
-+ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
-+ "::C_GetAttributeValue method not found.", t);
-+ }
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+
-+ public synchronized void C_GetAttributeValue(long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
-+ fipsKeyExporter, hSession, hObject, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
-+ MethodHandle fipsKeyExporter, long hSession, long hObject,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ Map sensitiveAttrs = new HashMap<>();
-+ List nonSensitiveAttrs = new LinkedList<>();
-+ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
-+ sensitiveAttrs, nonSensitiveAttrs);
-+ try {
-+ if (sensitiveAttrs.size() > 0) {
-+ long keyClass = -1L;
-+ long keyType = -1L;
-+ try {
-+ // Secret and private keys have both class and type
-+ // attributes, so we can query them at once.
-+ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
-+ new CK_ATTRIBUTE(CKA_CLASS),
-+ new CK_ATTRIBUTE(CKA_KEY_TYPE),
-+ };
-+ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
-+ keyClass = queryAttrs[0].getLong();
-+ keyType = queryAttrs[1].getLong();
-+ } catch (PKCS11Exception e) {
-+ // If the query fails, the object is neither a secret nor a
-+ // private key.
As this case won't be handled with the FIPS
-+ // Key Exporter, we keep keyClass initialized to -1L.
-+ }
-+ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
-+ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
-+ sensitiveAttrs);
-+ if (nonSensitiveAttrs.size() > 0) {
-+ CK_ATTRIBUTE[] pNonSensitiveAttrs =
-+ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
-+ int i = 0;
-+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
-+ pNonSensitiveAttrs[i++] = nonSensAttr;
-+ }
-+ hC_GetAttributeValue.invoke(hSession, hObject,
-+ pNonSensitiveAttrs);
-+ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
-+ // update the reference on the previous CK_ATTRIBUTEs
-+ i = 0;
-+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
-+ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
-+ }
-+ }
-+ return;
-+ }
-+ }
-+ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
-+ } catch (Throwable t) {
-+ if (t instanceof PKCS11Exception) {
-+ throw (PKCS11Exception)t;
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR,
-+ t.getMessage());
-+ }
-+ }
-+ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
-+ Map sensitiveAttrs,
-+ List nonSensitiveAttrs) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ long type = attr.type;
-+ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
-+ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
-+ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
-+ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
-+ type == CKA_COEFFICIENT) {
-+ sensitiveAttrs.put(type, attr);
-+ } else {
-+ nonSensitiveAttrs.add(attr);
-+ }
-+ }
-+ }
-+}
- }
-diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
-index 0d65ee26805..38fd4aff1f3 100644
---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
-+++
b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
-@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
- public static final long CKD_BLAKE2B_384_KDF = 0x00000019L;
- public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL;
-
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
-- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
--
-- public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
--
- public static final long CK_OTP_VALUE = 0x00000000L;
- public static final long CK_OTP_PIN = 0x00000001L;
- public static final long CK_OTP_CHALLENGE = 0x00000002L;
-@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
- public static final long CKF_HKDF_SALT_KEY = 0x00000004L;
- */
-
-+ // PBKDF2 support, used in P11Util
-+ public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
-+ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
-+
- // private NSS attribute (for DSA and DH private keys)
- public static final long CKA_NETSCAPE_DB =
0xD5A0DB00L;
-
- // base number of NSS private attributes
- public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
-- = 0xCE534350L;
-+ /* now known as CKM_NSS ^ */ = 0xCE534350L;
-
- // object type for NSS trust
- public static final long CKO_NETSCAPE_TRUST = 0xCE534353L;
-@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
- = 0xCE534355L;
- public static final long CKT_NETSCAPE_VALID = 0xCE53435AL;
- public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL;
-+
-+ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
-+ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
-+ /* (CKM_NSS + 29) */ = 0xCE53436DL;
-+ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
-+ /* (CKM_NSS + 30) */ = 0xCE53436EL;
-+ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
-+ /* (CKM_NSS + 31) */ = 0xCE53436FL;
-+ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
-+ /* (CKM_NSS + 32) */ = 0xCE534370L;
- }
-diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-index d941b574cc7..e2de13648be 100644
---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
-@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
- case CKM_PBE_SHA1_DES3_EDE_CBC:
- case CKM_PBE_SHA1_DES2_EDE_CBC:
- case CKM_PBA_SHA1_WITH_SHA1_HMAC:
-+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
- ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
- break;
- case CKM_PKCS5_PBKD2:
-@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
- // retrieve java values
- jPbeParamsClass = (*env)->FindClass(env,
CLASS_PBE_PARAMS);
- if (jPbeParamsClass == NULL) { return NULL; }
-- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
-+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
- if (fieldID == NULL) { return NULL; }
- jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
- if (fieldID == NULL) { return NULL; }
- jPassword = (*env)->GetObjectField(env, jParam, fieldID);
-- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
-+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
- if (fieldID == NULL) { return NULL; }
- jSalt = (*env)->GetObjectField(env, jParam, fieldID);
- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
-@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
-
- // populate using java values
- ckParamPtr->ulIteration = jLongToCKULong(jIteration);
-- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
-+ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
- if ((*env)->ExceptionCheck(env)) {
- goto cleanup;
- }
-- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
-+ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
- if ((*env)->ExceptionCheck(env)) {
- goto cleanup;
- }
-- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
-+ jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
- if ((*env)->ExceptionCheck(env)) {
- goto cleanup;
- }
-@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
- }
- }
-
-+#define PBKD2_PARAM_SET(member, value) \
-+ do { \
-+ if(ckParamPtr->version == PARAMS) { \
-+ ckParamPtr->params.v1.member = value; \
-+ } else { \
-+
ckParamPtr->params.v2.member = value; \
-+ } \
-+ } while(0)
-+
-+#define PBKD2_PARAM_ADDR(member) \
-+ ( \
-+ (ckParamPtr->version == PARAMS) ? \
-+ (void*) &ckParamPtr->params.v1.member : \
-+ (void*) &ckParamPtr->params.v2.member \
-+ )
-+
- /*
-- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
-+ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
-+ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
- * pointer
- *
-- * @param env - used to call JNI funktions to get the Java classes and objects
-- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
-+ * @param env - used to call JNI functions to get the Java classes and objects
-+ * @param jParam - the Java object to convert
- * @param pLength - length of the allocated memory of the returned pointer
-- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
-+ * @return pointer to the new structure
- */
--CK_PKCS5_PBKD2_PARAMS_PTR
-+CK_VOID_PTR
- jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
- {
-- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
-+ VersionedPbkd2ParamsPtr ckParamPtr;
-+ ParamVersion paramVersion;
-+ CK_ULONG_PTR pUlPasswordLen;
- jclass jPkcs5Pbkd2ParamsClass;
- jfieldID fieldID;
- jlong jSaltSource, jIteration, jPrf;
-- jobject jSaltSourceData, jPrfData;
-+ jobject jSaltSourceData, jPrfData, jPassword;
-
- if (pLength != NULL) {
- *pLength = 0L;
- }
-
- // retrieve java values
-- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
-- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
-+ if ((jPkcs5Pbkd2ParamsClass =
-+ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
-+ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
-+ paramVersion = PARAMS;
-+ } else if ((jPkcs5Pbkd2ParamsClass =
-+ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
-+ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
-+
paramVersion = PARAMS2; -+ } else { -+ return NULL; -+ } - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); - if (fieldID == NULL) { return NULL; } - jSaltSource = (*env)->GetLongField(env, jParam, fieldID); -@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); - if (fieldID == NULL) { return NULL; } - jPrfData = (*env)->GetObjectField(env, jParam, fieldID); -+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C"); -+ if (fieldID == NULL) { return NULL; } -+ jPassword = (*env)->GetObjectField(env, jParam, fieldID); - -- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer -- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS)); -+ // allocate memory for VersionedPbkd2Params and store the structure version -+ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params)); - if (ckParamPtr == NULL) { - throwOutOfMemoryError(env, 0); - return NULL; - } -+ ckParamPtr->version = paramVersion; - - // populate using java values -- ckParamPtr->saltSource = jLongToCKULong(jSaltSource); -- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) -- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen)); -+ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource)); -+ jByteArrayToCKByteArray(env, jSaltSourceData, -+ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData), -+ PBKD2_PARAM_ADDR(ulSaltSourceDataLen)); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } -- ckParamPtr->iterations = jLongToCKULong(jIteration); -- ckParamPtr->prf = jLongToCKULong(jPrf); -- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) -- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen)); -+ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration)); -+ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf)); -+ jByteArrayToCKByteArray(env, jPrfData, -+ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData), -+ 
PBKD2_PARAM_ADDR(ulPrfDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ goto cleanup; -+ } -+ if (ckParamPtr->version == PARAMS) { -+ pUlPasswordLen = calloc(1, sizeof(CK_ULONG)); -+ if (pUlPasswordLen == NULL) { -+ throwOutOfMemoryError(env, 0); -+ goto cleanup; -+ } -+ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen; -+ } else { -+ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen; -+ } -+ jCharArrayToCKUTF8CharArray(env, jPassword, -+ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword), -+ pUlPasswordLen); - if ((*env)->ExceptionCheck(env)) { - goto cleanup; - } - - if (pLength != NULL) { -- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS); -+ *pLength = (ckParamPtr->version == PARAMS ? -+ sizeof(ckParamPtr->params.v1) : -+ sizeof(ckParamPtr->params.v2)); - } -+ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR - return ckParamPtr; - cleanup: -- free(ckParamPtr->pSaltSourceData); -- free(ckParamPtr->pPrfData); -+ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr); - free(ckParamPtr); - return NULL; - -diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -index 520bd52a2cd..aa76945283d 100644 ---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c -@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) { - case CKM_CAMELLIA_CTR: - // params do not contain pointers - break; -+ case CKM_PKCS5_PBKD2: -+ // get the versioned structure from behind memory -+ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ? 
-+ "[ CK_PKCS5_PBKD2_PARAMS ]\n" : -+ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n"); -+ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp); -+ break; -+ case CKM_PBA_SHA1_WITH_SHA1_HMAC: -+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: -+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: -+ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector); -+ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword); -+ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt); -+ break; - default: - // currently unsupported mechs by SunPKCS11 provider - // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE, - // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*, -- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2, -+ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, - // PBE mechs, WTLS mechs, CMS mechs, - // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP, - // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_* -@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO - jboolean* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR * - jbyte* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 
0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR - jlong* jTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR * - jchar* jpTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); - if (jpTemp == NULL) { - throwOutOfMemoryError(env, 0); -@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH - jchar* jTemp; - CK_ULONG i; - -- if(jArray == NULL) { -+ *ckpLength = jArray == NULL ? 
0L : (*env)->GetArrayLength(env, jArray); -+ if(*ckpLength == 0L) { - *ckpArray = NULL_PTR; -- *ckpLength = 0L; - return; - } -- *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar)); - if (jTemp == NULL) { - throwOutOfMemoryError(env, 0); -diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -index eb6d01b9e47..450e4d27d62 100644 ---- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h -@@ -68,6 +68,7 @@ - /* extra PKCS#11 constants not in the standard include files */ - - #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350) -+/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */ - #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000) - #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8) - #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9) -@@ -76,6 +77,12 @@ - #define CKA_NETSCAPE_DB 0xD5A0DB00 - #define CKM_NSS_TLS_PRF_GENERAL 0x80000373 - -+/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */ -+#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29) -+#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30) -+#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31) -+#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32) -+ - /* - - Define the PKCS#11 functions to include and exclude. 
Reduces the size -@@ -265,6 +272,7 @@ void printDebug(const char *format, ...); - #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS" - #define PBE_INIT_VECTOR_SIZE 8 - #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS" -+#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2" - #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS" - - #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS" -@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM - CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env, - jobject jParam, CK_ULONG* pLength); - CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); --CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); -+CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam); -@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env, - CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength); - -+/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */ -+typedef enum {PARAMS=0, PARAMS2} ParamVersion; -+ -+typedef struct { -+ union { -+ CK_PKCS5_PBKD2_PARAMS v1; -+ 
CK_PKCS5_PBKD2_PARAMS2 v2; -+ } params; -+ ParamVersion version; -+} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr; -+ -+#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \ -+ do { \ -+ if ((verParamsPtr)->version == PARAMS) { \ -+ free((verParamsPtr)->params.v1.pSaltSourceData); \ -+ free((verParamsPtr)->params.v1.pPrfData); \ -+ free((verParamsPtr)->params.v1.pPassword); \ -+ free((verParamsPtr)->params.v1.ulPasswordLen); \ -+ } else { \ -+ free((verParamsPtr)->params.v2.pSaltSourceData); \ -+ free((verParamsPtr)->params.v2.pPrfData); \ -+ free((verParamsPtr)->params.v2.pPassword); \ -+ } \ -+ } while(0) -+ - /* functions to copy the returned values inside CK-mechanism back to Java object */ - - void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism); -diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 8c9e4f9dbe6..883dc04758e 100644 ---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -38,6 +38,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.List; - -+import jdk.internal.access.SharedSecrets; - import sun.security.ec.ed.EdDSAAlgorithmParameters; - import sun.security.ec.ed.EdDSAKeyFactory; - import sun.security.ec.ed.EdDSAKeyPairGenerator; -@@ -56,6 +57,10 @@ public final class SunEC extends Provider { - - private static final long serialVersionUID = -2279741672933606418L; - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - private static class ProviderServiceA extends ProviderService { - ProviderServiceA(Provider p, String type, String algo, String cn, - HashMap attrs) { -@@ -249,85 +254,86 @@ public final class SunEC extends Provider { - - putXDHEntries(); - putEdDSAEntries(); -- -- /* -- * Signature engines -- */ -- 
putService(new ProviderService(this, "Signature", -- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -- null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "NONEwithECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$RawinP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA1withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA224withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA384withECDSAinP1363Format", -- 
"sun.security.ec.ECDSASignature$SHA384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -- -- putService(new ProviderService(this, "Signature", -- "SHA3-224withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-384withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -- -- /* -- * Key Pair Generator engine -- */ -- putService(new ProviderService(this, "KeyPairGenerator", -- "EC", "sun.security.ec.ECKeyPairGenerator", -- List.of("EllipticCurve"), ATTRS)); -- -- /* -- * Key Agreement engine -- */ -- putService(new ProviderService(this, "KeyAgreement", -- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); -+ if (!systemFipsEnabled) { -+ /* -+ * Signature engines -+ */ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -+ null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -+ ATTRS)); -+ 
putService(new ProviderServiceA(this, "Signature", -+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$RawinP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA1withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA512withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -+ -+ putService(new ProviderService(this, "Signature", -+ "SHA3-224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-512withECDSAinP1363Format", -+ 
"sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -+ -+ /* -+ * Key Pair Generator engine -+ */ -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "EC", "sun.security.ec.ECKeyPairGenerator", -+ List.of("EllipticCurve"), ATTRS)); -+ -+ /* -+ * Key Agreement engine -+ */ -+ putService(new ProviderService(this, "KeyAgreement", -+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); -+ } - } - - private void putXDHEntries() { -@@ -344,23 +350,25 @@ public final class SunEC extends Provider { - "X448", "sun.security.ec.XDHKeyFactory.X448", - ATTRS)); - -- putService(new ProviderService(this, "KeyPairGenerator", -- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -- ATTRS)); -- -- putService(new ProviderService(this, "KeyAgreement", -- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X448", "sun.security.ec.XDHKeyAgreement.X448", -- ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "KeyAgreement", -+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyAgreement", -+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -+ ATTRS)); -+ 
putService(new ProviderServiceA(this, "KeyAgreement", -+ "X448", "sun.security.ec.XDHKeyAgreement.X448", -+ ATTRS)); -+ } - } - - private void putEdDSAEntries() { -@@ -375,21 +383,23 @@ public final class SunEC extends Provider { - putService(new ProviderServiceA(this, "KeyFactory", - "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); - -- putService(new ProviderService(this, "KeyPairGenerator", -- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ } - - } - } 
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index d3fda7c..9e83141 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -21,10 +21,6 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs -# Build a fresh libjvm.so for use in a copy of the bootstrap JDK -%bcond_without fresh_libjvm -# Build with system libraries -%bcond_with system_libs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -34,31 +30,14 @@ %global include_staticlibs 0 %endif -# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so -%if %{with fresh_libjvm} -%global build_hotspot_first 1 -%else -%global build_hotspot_first 0 -%endif - -%if %{with system_libs} -%global system_libs 1 -%global link_type system +#placeholder - used in regexes, otherwise for no use in portables %global freetype_lib %{nil} -%else -%global system_libs 0 -%global link_type bundled -%global freetype_lib |libfreetype[.]so.* -%endif # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 %global _find_debuginfo_opts -g -# With LTO flags enabled, debuginfo checks fail for some reason. Disable -# LTO for a passing build. This really needs to be looked at. -%define _lto_cflags %{nil} # note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros # also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch 
@@ -128,8 +107,6 @@ %global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 # Set of architectures which use the Zero assembler port (!jit_arches) %global zero_arches ppc s390 -# Set of architectures which run a full bootstrap cycle -%global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler @@ -202,16 +179,6 @@ %global staticlibs_loop %{nil} %endif -%if 0%{?flatpak} -%global bootstrap_build false -%else -%ifarch %{bootstrap_arches} -%global bootstrap_build true -%else -%global bootstrap_build false -%endif -%endif - %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree 
@@ -225,27 +192,6 @@ # RPM JDK builds keep the debug symbols internal, to be later stripped by RPM %global debug_symbols internal -# unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images -%global release_targets images docs-zip -# No docs nor bootcycle for debug builds -%global debug_targets images -# Target to use to just build HotSpot -%global hotspot_target hotspot - -# JDK to use for bootstrapping -%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk - - -# Filter out flags from the optflags macro that cause problems with the OpenJDK build -# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 -# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) -# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings -# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ -%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') -%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') -%global ourldflags %{__global_ldflags} - # With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path # the initialization must be here. Later the pkg-config have buggy behavior # looks like openjdk RPM specific bug @@ -323,10 +269,7 @@ %global interimver 0 %global updatever 6 %global patchver 0 -# buildjdkver is usually same as %%{featurever}, -# but in time of bootstrap of next jdk, it is featurever-1, -# and this it is better to change it here, on single place -%global buildjdkver %{featurever} + # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} 
@@ -360,8 +303,6 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 -# Define current Git revision for the FIPS support patches -%global fipsver 257d544b594 # Standard JPackage naming and versioning defines %global origin openjdk @@ -369,7 +310,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -420,8 +361,7 @@ %global static_libs_root lib/static %global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall} %global static_libs_install_dir %{static_libs_arch_dir}/glibc -# output dir stub -%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} + # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -869,9 +809,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so -%if ! %{system_libs} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so 
@@ -909,7 +846,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +#%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* #TODO, resolve alt-java man page %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ @@ -1083,7 +1020,6 @@ exit 0 %define files_demo() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %{_jvmdir}/%{sdkdir -- %{?1}}/demo -%{_jvmdir}/%{sdkdir -- %{?1}}/sample } %define files_src() %{expand: @@ -1283,6 +1219,8 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} # Prevent brp-java-repack-jars from being run %global __jar_repack 0 +%global portable_name %{name}-portable + Name: java-17-%{origin} Version: %{newjavaver}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} @@ -1320,10 +1258,6 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - -# The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz - # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). # Systemtap tapsets. Zipped up to keep it small. @@ -1332,15 +1266,6 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in -# Release notes -Source10: NEWS - -# nss configuration file -Source11: nss.cfg.in - -# Removed libraries that we link instead -Source12: remove-intree-libraries.sh - # Ensure we aren't using the limited crypto policy Source13: TestCryptoLevel.java 
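Review bot: The alt-java man page entry is disabled with a plain `#`, but RPM still expands macros inside comment lines, so `%{_mandir}`, `%{alt_java_name}` and `%{uniquesuffix -- %{?1}}` are evaluated here anyway and rpmbuild may warn about it. Comments elsewhere in this spec escape macros with `%%` (for example `%%{rhel}`), so write it as `#%%{_mandir}/man1/%%{alt_java_name}-%%{uniquesuffix -- %%{?1}}.1* #TODO, resolve alt-java man page`. The TODO should also say whether the repacked portable still ships the alt-java launcher, since the removed Patch600 comment describes it as the speculative-store-bypass hardened variant and a reader cannot tell from this line whether only the man page or the launcher itself is missing. The enclosing %files macro starts and ends outside the hunk.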
@@ -1356,122 +1281,47 @@ Source16: CheckVendor.java # Ensure translations are available for new timezones Source18: TestTranslations.java -############################################ -# -# RPM/distribution specific patches -# -############################################ +%if %{include_normal_build} +BuildRequires: %{portable_name} +BuildRequires: %{portable_name}-devel +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs +%endif +%endif +%if %{include_fastdebug_build} +BuildRequires: %{portable_name}-fastdebug +BuildRequires: %{portable_name}-devel-fastdebug +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs-fastdebug +%endif +%endif +%if %{include_debug_build} +BuildRequires: %{portable_name}-slowdebug +BuildRequires: %{portable_name}-devel-slowdebug +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs-slowdebug +%endif +%endif -# NSS via SunPKCS11 Provider (disabled comment -# due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - -# Crypto policy and FIPS support patches -# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u -# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch -# Diff is limited to src and make subdirectories to exclude .github 
changes -# Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -# RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection -# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -# OJ1357: Fix issue on FIPS with a SecurityManager in place -Patch1001: fips-17u-%{fipsver}.patch - -############################################# -# -# OpenJDK patches in need of upstreaming -# -############################################# - -############################################# -# -# OpenJDK patches targetted for 17.0.6 -# 
-############################################# - -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: alsa-lib-devel -BuildRequires: binutils -BuildRequires: cups-devel BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel -BuildRequires: fontconfig-devel -BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: libxslt -BuildRequires: libX11-devel -BuildRequires: libXi-devel -BuildRequires: libXinerama-devel -BuildRequires: libXrandr-devel -BuildRequires: libXrender-devel -BuildRequires: libXt-devel -BuildRequires: libXtst-devel # Requirement for setting up nss.cfg and nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test BuildRequires: crypto-policies BuildRequires: pkgconfig -BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem -BuildRequires: java-%{buildjdkver}-openjdk-devel -# Zero-assembler build requirement -%ifarch %{zero_arches} -BuildRequires: libffi-devel -%endif # 2022g required as of JDK-8297804 BuildRequires: tzdata-java >= 2022g -# Earlier versions have a bug in tree vectorization on PPC -BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif -BuildRequires: make -%if %{system_libs} -BuildRequires: freetype-devel -BuildRequires: giflib-devel -BuildRequires: harfbuzz-devel -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel -%else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h Provides: bundled(freetype) = 2.12.1 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h @@ -1486,7 +1336,6 @@ Provides: bundled(libjpeg) = 6b Provides: bundled(libpng) = 1.6.37 # We link statically against libstdc++ to increase portability BuildRequires: libstdc++-static -%endif # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder 
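Review bot: The new `BuildRequires: %{portable_name}` lines (hunk `@@ -1356,122 +1281,47 @@`) carry no version, so the build repacks whichever portable is present in the buildroot while the package still declares `Version: %{newjavaver}.%{buildver}`. Tie them to the spec, for example `BuildRequires: %{portable_name}-devel = %{epoch}:%{version}`, assuming the portable package uses the same epoch and version scheme (adjust if it does not). The same hunk drops every distribution patch, including Patch2 (java-atk-wrapper access restriction), Patch600 (alt-java) and Patch1001 (crypto policy and FIPS support), so those behaviours now exist only if the portable was built with them. A comment above the BuildRequires block naming the portable build that carries those patches would keep that traceable for whoever audits this package later.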
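Review bot: With the `%if %{system_libs}` / `%else` / `%endif` wrapper removed in hunk `@@ -1486,7 +1336,6 @@`, the `Provides: bundled(...)` lines and `BuildRequires: libstdc++-static` are now unconditional, yet their comments still cite headers under `src/java.desktop/...` from a source tree this package no longer carries. Those versions are what vulnerability tracking keys on, so the comment should state where they now come from, e.g. `# Bundled library versions must match the %%{portable_name} build being repacked`. `libstdc++-static` looks unused once nothing is compiled or linked here, which the commit message suggests; confirm and drop it. Separately, hunk `@@ -869,9 +809,6 @@` removes `lib/libfreetype.so` from the file list while `bundled(freetype)` stays, so one of the two looks stale.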
@@ -1796,16 +1645,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv %endif %prep - echo "Preparing %{oj_vendor_version}" -# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( -%if 0%{?stapinstall:1} - echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" -%else - %{error:Unrecognised architecture %{_target_cpu}} -%endif - if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else 
@@ -1828,54 +1669,33 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi -%setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` if [ $prioritylength -ne 8 ] ; then echo "priority must be 8 digits in total, violated" exit 14 fi - -# OpenJDK patches - -%if %{system_libs} -# Remove libraries that are linked by both static and dynamic builds -sh %{SOURCE12} %{top_level_dir_name} +%if %{include_normal_build} +tar -xf %{_jvmdir}/%{compatiblename}*portable.jdk.*tar.xz +#tar -xf %{_jvmdir}/%{compatiblename}*portable.jre.*tar.xz +%if %{include_staticlibs} + tar -xf %{_jvmdir}/%{compatiblename}*portable.static-libs.*tar.xz %endif - -# Patch the JDK -pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 -# Add crypto policy and FIPS support -%patch1001 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -popd # openjdk - -%patch600 - -# The OpenJDK version file includes the current -# upstream version information. 
For some reason, -# configure does not automatically use the -# default pre-version supplied there (despite -# what the file claims), so we pass it manually -# to configure -VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf -if [ -f ${VERSION_FILE} ] ; then - UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) -else - echo "Could not find OpenJDK version file."; - exit 16 -fi -if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then - echo "WARNING: Designator mismatch"; - echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" - echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; - exit 17 -fi +%endif +%if %{include_fastdebug_build} + tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.jdk.*tar.xz + #tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.jre.*tar.xz +%if %{include_staticlibs} + tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.static-libs.*tar.xz +%endif +%endif +%if %{include_debug_build} + tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.jdk.*tar.xz + #tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.jre.*tar.xz +%if %{include_staticlibs} + tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.static-libs.*tar.xz +%endif +%endif # Extract systemtap tapsets %if %{with_systemtap} 
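Review bot: The added `tar -xf %{_jvmdir}/%{compatiblename}*portable.jdk.*tar.xz` lines in %prep (and the fastdebug, slowdebug and static-libs variants) unpack whatever archive the wildcard matches, and nothing in the new code ties the unpacked JDK to the version this spec packages. The removed `DEFAULT_PROMOTED_VERSION_PRE` comparison was the only version gate in this section, and the shipped binaries are now whatever the portable archive contains rather than something built from the sources and patches listed in the spec. I would name the archive with the exact version-release instead of `*`, and after unpacking compare the `JAVA_VERSION` entry of the image's `release` file with `%{newjavaver}`, failing %prep on a mismatch as the old designator check did. A short comment stating which package installs the archives under `%{_jvmdir}` (presumably the portables build dependency mentioned in the commit message) would document where the provenance of the binaries comes from.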
@@ -1923,126 +1743,8 @@ for file in %{SOURCE9}; do done done -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg - %build - -# How many CPU's do we have? -export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) -export NUM_PROC=${NUM_PROC:-1} -%if 0%{?_smp_ncpus_max} -# Honor %%_smp_ncpus_max -[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} -%endif - -%ifarch s390x sparc64 alpha %{power64} %{aarch64} -export ARCH_DATA_MODEL=64 -%endif -%ifarch alpha -export CFLAGS="$CFLAGS -mieee" -%endif - -# We use ourcppflags because the OpenJDK build seems to -# pass EXTRA_CFLAGS to the HotSpot C++ compiler... -# Explicitly set the C++ standard as the default has changed on GCC >= 6 -EXTRA_CFLAGS="%ourcppflags" -EXTRA_CPP_FLAGS="%ourcppflags" - -%ifarch %{power64} ppc -# fix rpmlint warnings -EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" -%endif -%ifarch %{ix86} -# Align stack boundary on x86_32 -EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -%endif -export EXTRA_CFLAGS EXTRA_CPP_FLAGS - -function buildjdk() { - local outputdir=${1} - local buildjdk=${2} - local maketargets="${3}" - local debuglevel=${4} - local link_opt=${5} - - local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} - local top_dir_abs_build_path=$(pwd)/${outputdir} - - # This must be set using the global, so that the - # static libraries still use a dynamic stdc++lib - if [ "x%{link_type}" = "xbundled" ] ; then - libc_link_opt="static"; - else - libc_link_opt="dynamic"; - fi - - echo "Using output directory: ${outputdir}"; - echo "Checking build JDK ${buildjdk} is operational..." 
- ${buildjdk}/bin/java -version - echo "Using make targets: ${maketargets}" - echo "Using debuglevel: ${debuglevel}" - echo "Using link_opt: ${link_opt}" - echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" - - mkdir -p ${outputdir} - pushd ${outputdir} - - # Note: zlib and freetype use %{link_type} - # rather than ${link_opt} as the system versions - # are always used in a system_libs build, even - # for the static library build - bash ${top_dir_abs_src_path}/configure \ -%ifarch %{zero_arches} - --with-jvm-variants=zero \ -%endif -%ifarch %{ppc64le} - --with-jobs=1 \ -%endif - --with-version-build=%{buildver} \ - --with-version-pre="%{ea_designator}" \ - --with-version-opt=%{lts_designator} \ - --with-vendor-version-string="%{oj_vendor_version}" \ - --with-vendor-name="%{oj_vendor}" \ - --with-vendor-url="%{oj_vendor_url}" \ - --with-vendor-bug-url="%{oj_vendor_bug_url}" \ - --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=${buildjdk} \ - --with-debug-level=${debuglevel} \ - --with-native-debug-symbols="%{debug_symbols}" \ - --disable-sysconf-nss \ - --enable-unlimited-crypto \ - --with-zlib=%{link_type} \ - --with-freetype=%{link_type} \ - --with-libjpeg=${link_opt} \ - --with-giflib=${link_opt} \ - --with-libpng=${link_opt} \ - --with-lcms=${link_opt} \ - --with-harfbuzz=${link_opt} \ - --with-stdc++lib=${libc_link_opt} \ - --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ - --with-extra-cflags="$EXTRA_CFLAGS" \ - --with-extra-ldflags="%{ourldflags}" \ - --with-num-cores="$NUM_PROC" \ - --with-source-date="${SOURCE_DATE_EPOCH}" \ - --disable-javac-server \ -%ifarch %{zgc_arches} - --with-jvm-features=zgc \ -%endif - --disable-warnings-as-errors - - cat spec.gmk - - make \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) - - popd -} - +%install 
function installjdk() { local imagepath=${1} @@ -2057,9 +1759,6 @@ function installjdk() { find ${imagepath} -iname '*.so' -exec chmod +x {} \; find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ - # Turn on system security properties sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ ${imagepath}/conf/security/java.security @@ -2073,12 +1772,8 @@ function installjdk() { # Install cacerts symlink needed by some apps which hard-code the path ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # alt-java man and bianry are here from portables. Or not? fi } 
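Review bot: With `%patch1001` and `%patch1000` no longer applied by this spec (both removed in %prep), the retained `sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:"` in installjdk becomes a silent no-op if the portable's `java.security` has no such line, and the package would then ship without the system crypto policy switched on. Add a check right after the sed, for example `grep -q '^security.useSystemPropertiesFile=true' ${imagepath}/conf/security/java.security || exit 1`. Whether the portable build carries the FIPS and crypto-policy changes is not visible from this diff, so that check is the only thing here that would catch a regression; the same applies to `nss.cfg`, which this hunk stops installing. installjdk starts in the preceding hunk and continues past this one.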
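Review bot: The new comment `# alt-java man and bianry are here from portables. Or not?` leaves open whether the hardened `%{alt_java_name}` launcher and its man page are actually shipped, and nothing in installjdk verifies it. Replace the question with an assertion, for example `test -x ${imagepath}/bin/%{alt_java_name} && test -f ${imagepath}/man/man1/%{alt_java_name}.1 || exit 1`, and reword the comment to `# alt-java binary and man page come from the portable archive`. The `if` block closed by the `fi` in this hunk opens outside it.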
@@ -2158,94 +1853,49 @@ EOF fi } -%if %{build_hotspot_first} - # Build a fresh libjvm.so first and use it to bootstrap - cp -LR --preserve=mode,timestamps %{bootjdk} newboot - systemjdk=$(pwd)/newboot - buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" - mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server -%else - systemjdk=%{bootjdk} -%endif - for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then - debugbuild=release + debugbuild="" else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` + # change - something to .something + debugbuild=`echo $suffix | sed "s/-/./g"` fi - - - for loop in %{main_suffix} %{staticlibs_loop} ; do - - builddir=%{buildoutputdir -- ${suffix}${loop}} - bootbuilddir=boot${builddir} - - if test "x${loop}" = "x%{main_suffix}" ; then - link_opt="%{link_type}" -%if %{system_libs} - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full -%endif - # Debug builds don't need same targets as release for - # build speed-up. We also avoid bootstrapping these - # slower builds. 
- if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - run_bootstrap=false - else - maketargets="%{release_targets}" - run_bootstrap=%{bootstrap_build} - fi - if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - rm -rf ${bootbuilddir} - else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi -%if %{system_libs} - # Restore original source tree we modified by removing full in-tree sources - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -%endif - else - # Use bundled libraries for building statically - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" - # Always just do the one build for the static libraries - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi - - done # end of main / staticlibs loop - - # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} - installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - # Check debug symbols were built into the dynamic libraries - debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - - # Print release information - cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release - + # Final setup on the untarred images + # TODO revisit. jre may be complety useless to unpack and process, + # as all the files are taken from JDK tarball ans put to packages manually. 
+ # jre tarball may be usefull for checking integrity of jre and jre headless subpackages + #for jdkjre in jdk jre ; do + for jdkjre in jdk ; do + buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.${jdkjre}*` + top_dir_abs_main_build_path=$(pwd)/${buildoutputdir} + installjdk ${top_dir_abs_main_build_path} + # Check debug symbols were built into the dynamic libraries + if [ $jdkjre == jdk ] ; then + #jdk only? + debugcheckjdk ${top_dir_abs_main_build_path} + fi + # Print release information + cat ${top_dir_abs_main_build_path}/release + done # build cycles done # end of release / debug cycle loop -%install STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do - -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -%if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} -%endif -jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} + if [ "x$suffix" = "x" ] ; then + debugbuild="" + else + # change -something to .something + debugbuild=`echo $suffix | sed "s/-/./g"` + fi + buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.jdk*` + top_dir_abs_main_build_path=$(pwd)/${buildoutputdir} + %if %{include_staticlibs} + top_dir_abs_staticlibs_build_path=`ls -d $top_dir_abs_main_build_path/lib/static/*/glibc/` + %endif + jdk_image=${top_dir_abs_main_build_path} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} @@ -2257,7 +1907,7 @@ pushd ${jdk_image} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset # note, that uniquesuffix is in BUILD dir in this case - cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ + cp -a $RPM_BUILD_DIR/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ tapsetFiles=`ls *.stp` popd 
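Review bot: The image directory is taken from an unquoted `ls -d %{compatiblename}*portable${debugbuild}.${jdkjre}*` command substitution, so if the glob ever matches two directories the later unquoted `installjdk ${top_dir_abs_main_build_path}` is word-split and only the first path is processed (`chmod`, the `java.security` edit, the cacerts link) with no error. Resolve the glob and assert a single directory instead: `set -- %{compatiblename}*portable${debugbuild}.${jdkjre}*`, `[ $# -eq 1 ] && [ -d "$1" ] || exit 1`, `buildoutputdir=$1`. The same lookup and the suffix-to-`debugbuild` conversion are repeated in the second `for suffix in %{build_loop}` loop of this hunk, so a small shell function would keep the two in step. `[ $jdkjre == jdk ]` depends on bash; `[ "$jdkjre" = jdk ]` is the portable form.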
@@ -2280,8 +1930,7 @@ pushd ${jdk_image} # Convert man pages to UTF8 encoding iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp mv -f $manpage.tmp $manpage - install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \ - $manpage .1)-%{uniquesuffix -- $suffix}.1 + install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename $manpage .1)-%{uniquesuffix -- $suffix}.1 done # Remove man pages from jdk image rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man 
@@ -2291,29 +1940,34 @@ popd # Install static libs artefacts %if %{include_staticlibs} mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} -cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} +cp -a ${top_dir_abs_staticlibs_build_path}/*.a $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} %endif if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ - $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=javadocs.zip + cp -a ${top_dir_abs_main_build_path}/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path} + pushd $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + unzip ${top_dir_abs_main_build_path}/${built_doc_archive} + popd fi # Install release notes commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} -cp -a %{SOURCE10} ${commondocdir} +cp -a ${top_dir_abs_main_build_path}/NEWS ${commondocdir} # Install icons and menu entries for s in 16 24 32 48 ; do + # TODO!! publish in portables! 
+ mkdir -p ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/ #remove this line to once published + echo "PALCEHOLDER TODO REMOVE.ME" > ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png install -D -p -m 644 \ - %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ - $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png + ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ + $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png done # Install desktop files @@ -2327,10 +1981,6 @@ done # See https://bugzilla.redhat.com/show_bug.cgi?id=741821 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs -# copy samples next to demos; samples are mostly js files -cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ - - # moving config files to /etc mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib @@ -2344,11 +1994,18 @@ pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib popd # end moving files to /etc +#TODO this is done also i portables and in install jdk. But hard to say where the operation will hapen at the end # stabilize permissions find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; +#TODO conslut this clean up +rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/NEWS #is in commondocdir. Ok ot go, or also pack +if [ "x$suffix" = "x" ] ; then + rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/javadocs.zip #is in subpackages, 1 renamed, 2nd unpacked +fi +rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/libfreetype.so #bug in portables? bug in rpms? # end, dual install done 
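Review bot: The icon loop writes the text `PALCEHOLDER TODO REMOVE.ME` into `java-icon${s}.png` and then installs that file under `%{_datadir}/icons/hicolor`, so the package would ship four files that are not PNG images to every icon loader that reads that directory. Until the portable archive publishes the icons, fail instead of fabricating them: `[ -f ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ] || exit 1` in place of the `mkdir`/`echo` pair, or carry the real PNGs as sources of this package. In the same hunk, the `|| ls -l ${top_dir_abs_main_build_path}` after the `cp -a` of `javadocs.zip` turns a failed copy into a success; dropping it lets a missing archive stop the build at the point where it is first needed.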
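Review bot: `rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/libfreetype.so` deletes the bundled FreeType while the spec, after this commit, declares `Provides: bundled(freetype) = 2.12.1` unconditionally (the `%if %{system_libs}` / `%else` / `%endif` around it is removed in the BuildRequires hunks). The metadata used to track embedded library copies would then name a FreeType that is not shipped, and font rendering would depend on whichever libfreetype the loader finds, with no matching dependency visible in this diff. Decide one way: keep the library together with the Provides, or remove both and add an explicit requirement on the system library. The `#bug in portables? bug in rpms?` remark should be replaced by a comment stating that decision.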
@@ -2395,15 +2052,17 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" +#TODO skipped vendor check. It now points to PORTABLE version of jdk. +#$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" %if ! 0%{?flatpak} # Check translations are available for new timezones (during flatpak builds, the # tzdb.dat used by this test is not where the test expects it, so this is # disabled for flatpak builds) $JAVA_HOME/bin/javac -d . %{SOURCE18} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE -$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +#TODO doublecheck tzdata handling +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE || echo "TZDATA no longer can be synced with system, because we repack" +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR || echo "TZDATA no longer can be synced with system, because we repack" %endif %if %{include_staticlibs} @@ -2673,6 +2332,15 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jan 26 2023 Jiri Vanek - 1:19.0.2.0.7-2.rolling +- repacked portables +- todo icons +- disabled tzdata tests - todo, resolve +- left some duplicated "final tunings" +- todo, lost alt java manpage.. probably already in portables +- TODO conslut this clean up - javdoc, freetype and NEWS +- todo, debuginfo + * Thu Jan 26 2023 Andrew Hughes - 1:17.0.6.0.10-1 - Update to jdk-17.0.6.0+10 - Update release notes to 17.0.6.0+10 diff --git a/nss.cfg.in b/nss.cfg.in deleted file mode 100644 index 377a39c..0000000 --- a/nss.cfg.in +++ /dev/null 
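Review bot: The two tzdata runs in %check now end in `|| echo "TZDATA no longer can be synced with system, because we repack"`, which converts every failure of those commands, including a JVM that does not start at all, into a passing check. If the test is known not to apply to repacked portables, disable it explicitly (commented out with the TODO, as done for the vendor check) rather than masking its exit status, so that an unexpected failure is not hidden by the same line. `$JAVA_HOME/bin/javac -d . %{SOURCE16}` still compiles the vendor test whose run line is commented out; comment out both or neither. The TODO on the vendor check should state which vendor strings the portable is expected to report, since those values identify the build in bug reports.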
@@ -1,5 +0,0 @@
-name = NSS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssDbMode = noDb
-attributes = compatibility
-handleStartupErrors = ignoreMultipleInitialisation
diff --git a/openjdk_news.sh b/openjdk_news.sh
deleted file mode 100755
index 560b356..0000000
--- a/openjdk_news.sh
+++ /dev/null
@@ -1,76 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2022 Red Hat, Inc. -# Written by Andrew John Hughes , 2012-2022 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -OLD_RELEASE=$1 -NEW_RELEASE=$2 -SUBDIR=$3 -REPO=$4 -SCRIPT_DIR=$(dirname ${0}) - -if test "x${SUBDIR}" = "x"; then - echo "No subdirectory specified; using ."; - SUBDIR="."; -fi - -if test "x$REPO" = "x"; then - echo "No repository specified; using ${PWD}" - REPO=${PWD} -fi - -if test x${TMPDIR} = x; then - TMPDIR=/tmp; -fi - -echo "Repository: ${REPO}" - -if [ -e ${REPO}/.git ] ; then - TYPE=git; -elif [ -e ${REPO}/.hg ] ; then - TYPE=hg; -else - echo "No Mercurial or Git repository detected."; - exit 1; -fi - -if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then - echo "ERROR: Need to specify old and new release"; - exit 2; -fi - -echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO" -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes -for repos in . 
$(${SCRIPT_DIR}/discover_trees.sh ${REPO}); -do - if test "x$TYPE" = "xhg"; then - hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \ - sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2; - hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3; - else - git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \ - sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2; - touch ${TMPDIR}/fixes3 ; # unused - fi -done - -sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 - -echo "In ${TMPDIR}/fixes:" -cat ${TMPDIR}/fixes diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh deleted file mode 100644 index 25c2fc8..0000000 --- a/remove-intree-libraries.sh +++ /dev/null 
@@ -1,164 +0,0 @@
-#!/bin/sh
-
-# Arguments:
-TREE=${1}
-TYPE=${2}
-
-ZIP_SRC=src/java.base/share/native/libzip/zlib/
-FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
-JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
-GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
-PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
-LCMS_SRC=src/java.desktop/share/native/liblcms/
-
-if test "x${TREE}" = "x"; then
- echo "$0 (MINIMAL|FULL)";
- exit 1;
-fi
-
-if test "x${TYPE}" = "x"; then
- TYPE=minimal;
-fi
-
-if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
- echo "Type must be minimal or full";
- exit 2;
-fi
-
-echo "Removing in-tree libraries from ${TREE}"
-echo "Cleansing operation: ${TYPE}";
-
-cd ${TREE}
-
-echo "Removing built-in libs (they will be linked)"
-
-# On full runs, allow for zlib & freetype having already been deleted by minimal
-echo "Removing zlib"
-if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
- echo "${ZIP_SRC} does not exist. Refusing to proceed."
- exit 1
-fi
-rm -rvf ${ZIP_SRC}
-echo "Removing freetype"
-if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
- echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
- exit 1
-fi
-rm -rvf ${FREETYPE_SRC}
-
-# Minimal is limited to just zlib and freetype so finish here
-if test "x${TYPE}" = "xminimal"; then
- echo "Finished.";
- exit 0;
-fi
-
-echo "Removing libjpeg"
-if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
- echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
- exit 1
-fi
-
-rm -vf ${JPEG_SRC}/jcomapi.c
-rm -vf ${JPEG_SRC}/jdapimin.c
-rm -vf ${JPEG_SRC}/jdapistd.c
-rm -vf ${JPEG_SRC}/jdcoefct.c
-rm -vf ${JPEG_SRC}/jdcolor.c
-rm -vf ${JPEG_SRC}/jdct.h
-rm -vf ${JPEG_SRC}/jddctmgr.c
-rm -vf ${JPEG_SRC}/jdhuff.c
-rm -vf ${JPEG_SRC}/jdhuff.h
-rm -vf ${JPEG_SRC}/jdinput.c
-rm -vf ${JPEG_SRC}/jdmainct.c
-rm -vf ${JPEG_SRC}/jdmarker.c
-rm -vf ${JPEG_SRC}/jdmaster.c
-rm -vf ${JPEG_SRC}/jdmerge.c
-rm -vf ${JPEG_SRC}/jdphuff.c
-rm -vf ${JPEG_SRC}/jdpostct.c
-rm -vf ${JPEG_SRC}/jdsample.c
-rm -vf ${JPEG_SRC}/jerror.c
-rm -vf ${JPEG_SRC}/jerror.h
-rm -vf ${JPEG_SRC}/jidctflt.c
-rm -vf ${JPEG_SRC}/jidctfst.c
-rm -vf ${JPEG_SRC}/jidctint.c
-rm -vf ${JPEG_SRC}/jidctred.c
-rm -vf ${JPEG_SRC}/jinclude.h
-rm -vf ${JPEG_SRC}/jmemmgr.c
-rm -vf ${JPEG_SRC}/jmemsys.h
-rm -vf ${JPEG_SRC}/jmemnobs.c
-rm -vf ${JPEG_SRC}/jmorecfg.h
-rm -vf ${JPEG_SRC}/jpegint.h
-rm -vf ${JPEG_SRC}/jpeglib.h
-rm -vf ${JPEG_SRC}/jquant1.c
-rm -vf ${JPEG_SRC}/jquant2.c
-rm -vf ${JPEG_SRC}/jutils.c
-rm -vf ${JPEG_SRC}/jcapimin.c
-rm -vf ${JPEG_SRC}/jcapistd.c
-rm -vf ${JPEG_SRC}/jccoefct.c
-rm -vf ${JPEG_SRC}/jccolor.c
-rm -vf ${JPEG_SRC}/jcdctmgr.c
-rm -vf ${JPEG_SRC}/jchuff.c
-rm -vf ${JPEG_SRC}/jchuff.h
-rm -vf ${JPEG_SRC}/jcinit.c
-rm -vf ${JPEG_SRC}/jconfig.h
-rm -vf ${JPEG_SRC}/jcmainct.c
-rm -vf ${JPEG_SRC}/jcmarker.c
-rm -vf ${JPEG_SRC}/jcmaster.c
-rm -vf ${JPEG_SRC}/jcparam.c
-rm -vf ${JPEG_SRC}/jcphuff.c
-rm -vf ${JPEG_SRC}/jcprepct.c
-rm -vf ${JPEG_SRC}/jcsample.c
-rm -vf ${JPEG_SRC}/jctrans.c
-rm -vf ${JPEG_SRC}/jdtrans.c
-rm -vf ${JPEG_SRC}/jfdctflt.c
-rm -vf ${JPEG_SRC}/jfdctfst.c
-rm -vf ${JPEG_SRC}/jfdctint.c
-rm -vf ${JPEG_SRC}/jversion.h
-rm -vf ${JPEG_SRC}/README
-
-echo "Removing giflib"
-if [ ! -d ${GIF_SRC} ]; then
- echo "${GIF_SRC} does not exist. Refusing to proceed."
- exit 1
-fi
-rm -rvf ${GIF_SRC}
-
-echo "Removing libpng"
-if [ ! -d ${PNG_SRC} ]; then
- echo "${PNG_SRC} does not exist. Refusing to proceed."
- exit 1 -fi -rm -rvf ${PNG_SRC} - -echo "Removing lcms" -if [ ! -d ${LCMS_SRC} ]; then - echo "${LCMS_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -vf ${LCMS_SRC}/cmscam02.c -rm -vf ${LCMS_SRC}/cmscgats.c -rm -vf ${LCMS_SRC}/cmscnvrt.c -rm -vf ${LCMS_SRC}/cmserr.c -rm -vf ${LCMS_SRC}/cmsgamma.c -rm -vf ${LCMS_SRC}/cmsgmt.c -rm -vf ${LCMS_SRC}/cmshalf.c -rm -vf ${LCMS_SRC}/cmsintrp.c -rm -vf ${LCMS_SRC}/cmsio0.c -rm -vf ${LCMS_SRC}/cmsio1.c -rm -vf ${LCMS_SRC}/cmslut.c -rm -vf ${LCMS_SRC}/cmsmd5.c -rm -vf ${LCMS_SRC}/cmsmtrx.c -rm -vf ${LCMS_SRC}/cmsnamed.c -rm -vf ${LCMS_SRC}/cmsopt.c -rm -vf ${LCMS_SRC}/cmspack.c -rm -vf ${LCMS_SRC}/cmspcs.c -rm -vf ${LCMS_SRC}/cmsplugin.c -rm -vf ${LCMS_SRC}/cmsps2.c -rm -vf ${LCMS_SRC}/cmssamp.c -rm -vf ${LCMS_SRC}/cmssm.c -rm -vf ${LCMS_SRC}/cmstypes.c -rm -vf ${LCMS_SRC}/cmsvirt.c -rm -vf ${LCMS_SRC}/cmswtpnt.c -rm -vf ${LCMS_SRC}/cmsxform.c -rm -vf ${LCMS_SRC}/lcms2.h -rm -vf ${LCMS_SRC}/lcms2_internal.h -rm -vf ${LCMS_SRC}/lcms2_plugin.h diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch deleted file mode 100644 index 3042186..0000000 --- a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java ---- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200 -+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200 -@@ -595,7 +595,11 @@ - toolkit = new HeadlessToolkit(toolkit); - } - if (!GraphicsEnvironment.isHeadless()) { -- loadAssistiveTechnologies(); -+ try { -+ loadAssistiveTechnologies(); -+ } catch (AWTError error) { -+ // ignore silently -+ } - } - } - return toolkit; 
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch deleted file mode 100644 index 6d2342a..0000000 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index adfaf57d29e..abf89bbf327 100644 ---- a/src/java.base/share/conf/security/java.security -+++ b/src/java.base/share/conf/security/java.security -@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI - security.provider.tbd=Apple - #endif - security.provider.tbd=SunPKCS11 -+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # - # Security providers used when FIPS mode support is active diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch deleted file mode 100644 index 5e2b254..0000000 --- a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +++ /dev/null 
@@ -1,13 +0,0 @@ ---- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:12.038189968 +0100 -+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java 2013-03-01 10:48:11.913188505 +0100 -@@ -48,8 +48,8 @@ - - private final static String PROP_NAME = "sun.security.smartcardio.library"; - -- private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so"; -- private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; -+ private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1"; -+ private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1"; - private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; - - PlatformPCSC() { diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch deleted file mode 100644 index 88f5e5a..0000000 --- a/rh1750419-redhat_alt_java.patch +++ /dev/null 
@@ -1,117 +0,0 @@
-diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
-index 700ddefda49..2882de68eb2 100644
---- openjdk.orig/make/modules/java.base/Launcher.gmk
-+++ openjdk/make/modules/java.base/Launcher.gmk
-@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
- OPTIMIZATION := HIGH, \
- ))
-
-+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
-+$(eval $(call SetupBuildLauncher, alt-java, \
-+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
-+ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
-+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
-+ OPTIMIZATION := HIGH, \
-+))
-+
- ifeq ($(call isTargetOs, windows), true)
- $(eval $(call SetupBuildLauncher, javaw, \
- CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
-diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
-new file mode 100644
-index 00000000000..697df2898ac
---- /dev/null
-+++ openjdk/src/java.base/share/native/launcher/alt_main.h
-@@ -0,0 +1,73 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#ifdef REDHAT_ALT_JAVA
-+
-+#include
-+
-+
-+/* Per task speculation control */
-+#ifndef PR_GET_SPECULATION_CTRL
-+# define PR_GET_SPECULATION_CTRL 52
-+#endif
-+#ifndef PR_SET_SPECULATION_CTRL
-+# define PR_SET_SPECULATION_CTRL 53
-+#endif
-+/* Speculation control variants */
-+#ifndef PR_SPEC_STORE_BYPASS
-+# define PR_SPEC_STORE_BYPASS 0
-+#endif
-+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
-+
-+#ifndef PR_SPEC_NOT_AFFECTED
-+# define PR_SPEC_NOT_AFFECTED 0
-+#endif
-+#ifndef PR_SPEC_PRCTL
-+# define PR_SPEC_PRCTL (1UL << 0)
-+#endif
-+#ifndef PR_SPEC_ENABLE
-+# define PR_SPEC_ENABLE (1UL << 1)
-+#endif
-+#ifndef PR_SPEC_DISABLE
-+# define PR_SPEC_DISABLE (1UL << 2)
-+#endif
-+#ifndef PR_SPEC_FORCE_DISABLE
-+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
-+#endif
-+#ifndef PR_SPEC_DISABLE_NOEXEC
-+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
-+#endif
-+
-+static void set_speculation() __attribute__((constructor));
-+static void set_speculation() {
-+ if ( prctl(PR_SET_SPECULATION_CTRL,
-+ PR_SPEC_STORE_BYPASS,
-+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
-+ return;
-+ }
-+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
-+}
-+
-+#endif // REDHAT_ALT_JAVA
-diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
-index b734fe2ba78..79dc8307650 100644
---- openjdk.orig/src/java.base/share/native/launcher/main.c
-+++ openjdk/src/java.base/share/native/launcher/main.c
-@@ -34,6 +34,14 @@
- #include "jli_util.h"
- #include "jni.h"
-
-+#ifdef REDHAT_ALT_JAVA
-+#if defined(__linux__) && defined(__x86_64__)
-+#include "alt_main.h"
-+#else
-+#warning alt-java requested but SSB mitigation not available on this platform.
-+#endif
-+#endif
-+
- #ifdef _MSC_VER
- #if _MSC_VER > 1400 && _MSC_VER < 1600
-
diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
deleted file mode 100644
index 1b706a1..0000000
--- a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Remove uses of FAR in jpeg code
-
-Upstream libjpeg-trubo removed the (empty) FAR macro:
-http://sourceforge.net/p/libjpeg-turbo/code/1312/
-
-Adjust our code to not use the undefined FAR macro anymore.
-
-diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-@@ -1385,7 +1385,7 @@
- /* and fill it in */
- dst_ptr = icc_data;
- for (seq_no = first; seq_no < last; seq_no++) {
-- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
-+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
- unsigned int length =
- icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
-
diff --git a/sources b/sources
index bf52ee4..3bbbb1b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.6+10.tar.xz) = 2878aae52e2f49146b9631e3b0379370dce1a0a620dc5c5b763d1432b82e705e3aa33a83008391b4845bf0cb493b08179e7ac3419f597fb80fd65df393e12cf1