diff --git a/NEWS b/NEWS index 8a9b0d0..3aa09d6 100644 --- a/NEWS +++ b/NEWS 
@@ -3,187 +3,13 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 19.0.2 (2023-01-17): -=========================================== -Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-19.0.2.html - -* CVEs - - CVE-2023-21835 - - CVE-2023-21843 -* Security fixes - - JDK-8286070: Improve UTF8 representation - - JDK-8286496: Improve Thread labels - - JDK-8287411: Enhance DTLS performance - - JDK-8288516: Enhance font creation - - JDK-8293554: Enhanced DH Key Exchanges - - JDK-8293598: Enhance InetAddress address handling - - JDK-8293717: Objective view of ObjectView - - JDK-8293734: Improve BMP image handling - - JDK-8293742: Better Banking of Sounds - - JDK-8295687: Better BMP bounds -* Other changes - - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails - - JDK-8029633: Raw inner class constructor ref should not perform diamond inference - - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout - - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" - - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails - - JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" - - JDK-8285835: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work - - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache - - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 - - JDK-8287217: C2: PhaseCCP: remove not visited nodes, prevent type inconsistency - - JDK-8288132: Update test artifacts in QuoVadis CA interop tests - - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env 
variable - - JDK-8288992: AArch64: CMN should be handled the same way as CMP - - JDK-8290164: compiler/runtime/TestConstantsInError.java fails on riscv - - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" - - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 - - JDK-8290496: riscv: Fix build warnings-as-errors with GCC 11 - - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure - - JDK-8290694: Update the release date after forking Oct CPU22_10 - - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" - - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize - - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses - - JDK-8290900: Build failure with Clang 14+ due to function warning attribute - - JDK-8290964: C2 compilation fails with assert "non-reduction loop contains reduction nodes" - - JDK-8290974: Bump version numbers for January 2023 CPU - - JDK-8291508: Fix some tests with "requires vm.jvmti & vm.continuations" - - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 - - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr - - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region - - JDK-8292158: AES-CTR cipher state corruption with AVX-512 - - JDK-8292159: TYPE_USE annotations on generic type arguments of record components discarded - - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out - - JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library - - JDK-8292756: java.lang.AssertionError at at jdk.compiler/com.sun.tools.javac.code.Scope$ScopeImpl.leave(Scope.java:386) - - JDK-8292780: misc tests failed "assert(false) failed: graph should be schedulable" - - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX 
platform - - JDK-8292969: Bad Thread Utilization in ForkJoinPool - - JDK-8293044: C1: Missing access check on non-accessible class - - JDK-8293100: RISC-V: Need to save and restore callee-saved FloatRegisters in StubGenerator::generate_call_stub - - JDK-8293348: A false cyclic inheritance error reported - - JDK-8293578: Duplicate ldc generated by javac - - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present - - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent - - JDK-8293834: Update CLDR data following tzdata 2022c update - - JDK-8293996: C2: fix and simplify IdealLoopTree::do_remove_empty_loop - - JDK-8294307: ISO 4217 Amendment 173 Update - - JDK-8294357: (tz) Update Timezone Data to 2022d - - JDK-8294517: Update jdk19u fix version to 19.0.2 - - JDK-8294538: missing is_unloading() check in SharedRuntime::fixup_callers_callsite() - - JDK-8294602: Change milestone to fcs for releases: jdk-11.0.18, jdk-17.0.6, jdk-19.0.2 - - JDK-8294755: Update milestone to ea for 19.0.2 - - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator - - JDK-8295173: (tz) Update Timezone Data to 2022e - - JDK-8295264: Fix PaX check on RISC-V - - JDK-8295268: Optimized builds are broken due to incorrect assert_is_rfp shortcuts - - JDK-8295414: [Aarch64] C2: assert(false) failed: bad AD file - - JDK-8295469: S390X: Optimized builds are broken - - JDK-8295554: Move the "sizecalc.h" to the correct location - - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - - JDK-8295926: RISC-V: C1: Fix LIRGenerator::do_LibmIntrinsic - - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - - JDK-8296108: (tz) Update Timezone Data to 2022f - - JDK-8296448: RISC-V: Fix temp usages of heapbase register killed by MacroAssembler::en/decode_klass_not_null - - JDK-8296463: Memory leak in JVM_StartThread with the integration of Virtual threads - - JDK-8296480: 
java/security/cert/pkix/policyChanges/TestPolicy.java is failing - - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation - - JDK-8296602: RISC-V: improve performance of copy_memory stub - - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - - JDK-8296715: CLDR v42 update for tzdata 2022f - - JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect - - JDK-8296771: RISC-V: C2: assert(false) failed: bad AD file - - JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds - - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 - - JDK-8296970: Remove sysThreadAvailableStackWithSlack from hotspot-symbols - - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used - - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again - - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java - - JDK-8297309: Memory leak in ShenandoahFullGC - - JDK-8297451: ProcessHandleImpl should assert privilege when modifying reaper thread - - JDK-8297476: Increase InlineSmallCode default from 1000 to 2500 for RISC-V - -Notes on individual issues: -=========================== - -client-libs/javax.imageio: - -JDK-8295687: Better BMP bounds -============================== -Loading a linked ICC profile within a BMP image is now disabled by -default. To re-enable it, set the new system property -`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property -replaces the old property, -`sun.imageio.plugins.bmp.disableLinkedProfiles`. 
- -client-libs/javax.sound: - -JDK-8293742: Better Banking of Sounds -===================================== -Previously, the SoundbankReader implementation, -`com.sun.media.sound.JARSoundbankReader`, would download a JAR -soundbank from a URL. This behaviour is now disabled by default. To -re-enable it, set the new system property `jdk.sound.jarsoundbank` to -`true`. - -security-libs/javax.net.ssl: - -JDK-8287411: Enhance DTLS performance -===================================== -The JDK now exchanges DTLS cookies for all handshakes, new and -resumed. The previous behaviour can be re-enabled by setting the new -system property `jdk.tls.enableDtlsResumeCookie` to `false`. - -New in release OpenJDK 19.0.1 (2022-10-18): -=========================================== -Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-19.0.1.html - -* Security fixes - - JDK-8282252: Improve BigInteger/Decimal validation - - JDK-8285662: Better permission resolution - - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions - - JDK-8286511: Improve macro allocation - - JDK-8286519: Better memory handling - - JDK-8286526, CVE-2022-21619: Improve NTLM support - - JDK-8286910, CVE-2022-21624: Improve JNDI lookups - - JDK-8286918, CVE-2022-21628: Better HttpServer service - - JDK-8287446: Enhance icon presentations - - JDK-8288508: Enhance ECDSA usage - - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage - - JDK-8289853: Update HarfBuzz to 4.4.1 - - JDK-8290334: Update FreeType to 2.12.1 -* Other changes - - JDK-8028265: Add legacy tz tests to OpenJDK - - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch - - JDK-8227651: Tests fail with SSLProtocolException: Input record too big - - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist - - JDK-8287672: jtreg test 
com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run - - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests - - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier - - JDK-8288499: Restore cancel-in-progress in GHA - - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... - - JDK-8288653: Bump version numbers for 19.0.1 - - JDK-8290000: Bump macOS GitHub actions to macOS 11 - - JDK-8290695: Change milestone to fcs for releases: jdk-11.0.17, jdk-17.0.5, jdk-19.0.1 - - JDK-8291640: java/beans/XMLDecoder/8028054/Task.java should use the 3-arg Class.forName - - JDK-8291897: TerminatingThreadLocal(s) not registered from virtual thread(s) - - JDK-8292051: jdk/internal/misc/TerminatingThreadLocal/TestTerminatingThreadLocal.java failed "AssertionError: Expected terminated values: [666] but got: []" - - JDK-8292240: CarrierThread.blocking not reset when spare not activated - - JDK-8292487: Back out the fix for JDK-8281962 from jdk19u - - JDK-8292579: (tz) Update Timezone Data to 2022c - - JDK-8292654: G1 remembered set memory footprint regression after JDK-8286115 - - JDK-8293180: JQuery UI license file not updated - -New in release OpenJDK 19.0.0 (2022-09-20): +New in release OpenJDK 20.0.0 (2023-03-21): =========================================== Major changes are listed below. Some changes may have been backported -to earlier releases following their first appearance in OpenJDK 19. +to earlier releases following their first appearance in OpenJDK 20. -The full list of changes in 19u can be found at: -- * https://builds.shipilev.net/backports-monitor/release-notes-19.txt +The full list of changes in 20u can be found at: +- * https://builds.shipilev.net/backports-monitor/release-notes-20.txt NEW FEATURES ============ 
@@ -196,6 +22,7 @@ Pattern Matching for switch https://openjdk.org/jeps/406 https://openjdk.org/jeps/420 https://openjdk.org/jeps/427 +https://openjdk.org/jeps/433 Enhance the Java programming language with pattern matching for `switch` expressions and statements, along with extensions to the @@ -204,13 +31,15 @@ expression to be tested against a number of patterns, each with a specific action, so that complex data-oriented queries can be expressed concisely and safely. -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 17 (JEP 406) and saw a second preview in OpenJDK 18 (JEP 420). -It reaches its third preview (JEP 427) in OpenJDK 19. +This is a preview feature (http://openjdk.java.net/jeps/12) introduced +in OpenJDK 17 (JEP 406), which saw a second preview in OpenJDK 18 (JEP +420) and a third in OpenJDK 19 (JEP 427). It reaches its fourth +preview (JEP 427) in OpenJDK 20. Record Patterns =============== https://openjdk.org/jeps/405 +https://openjdk.org/jeps/432 Enhance the Java programming language with record patterns to deconstruct record values. Record patterns and type patterns can be 
@@ -218,17 +47,30 @@ nested to enable a powerful, declarative, and composable form of data navigation and processing. This is a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 19 (JEP 405) +in OpenJDK 19 (JEP 405). It reaches its second preview (JEP 432) in +OpenJDK 20. Library Features ================ +Scoped Values +============= +https://openjdk.org/jeps/429 + +Introduce scoped values, which enable the sharing of immutable data +within and across threads. They are preferred to thread-local +variables, especially when using large numbers of virtual threads. + +This is an incubation feature (https://openjdk.java.net/jeps/11) +introduced in OpenJDK 20 (JEP 429). + Vector API ========== https://openjdk.org/jeps/338 https://openjdk.org/jeps/414 https://openjdk.org/jeps/417 https://openjdk.org/jeps/426 +https://openjdk.org/jeps/438 Introduce an API to express vector computations that reliably compile at runtime to optimal vector hardware instructions on supported CPU @@ -237,14 +79,15 @@ scalar computations. This is an incubation feature (https://openjdk.java.net/jeps/11) introduced in OpenJDK 16 (JEP 338). A second round of incubation took -place in OpenJDK 17 (JEP 414), OpenJDK 18 (JEP 417) saw a third and -OpenJDK 19 sees its fourth (JEP 426). +place in OpenJDK 17 (JEP 414), OpenJDK 18 (JEP 417) saw a third, +OpenJDK 19 a fourth (JEP 426) and OpenJDK 20 (JEP 438) sees its fifth. Foreign Function & Memory API ============================= https://openjdk.org/jeps/412 https://openjdk.org/jeps/419 https://openjdk.org/jeps/424 +https://openjdk.org/jeps/434 Introduce an API by which Java programs can interoperate with code and data outside of the Java runtime. By efficiently invoking foreign 
@@ -259,22 +102,26 @@ It was first introduced in incubation evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK 16) (see release notes for java-17-openjdk). OpenJDK 18 saw a second round of incubation (JEP -419) before its inclusion as a preview in OpenJDK 19 (JEP 424). +419) before its inclusion as a preview in OpenJDK 19 (JEP 424). It +reaches a second preview in OpenJDK 20 (JEP 434). Virtual Threads =============== https://openjdk.org/jeps/425 +https://openjdk.org/jeps/436 Introduce virtual threads to the Java Platform. Virtual threads are lightweight threads that dramatically reduce the effort of writing, maintaining, and observing high-throughput concurrent applications. This is a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 19 (JEP 425) +in OpenJDK 19 (JEP 425) and reaching its second preview in OpenJDK 20 +(JEP 436). Structured Concurrency ====================== https://openjdk.org/jeps/428 +https://openjdk.org/jeps/437 Simplify multithreaded programming by introducing an API for structured concurrency. Structured concurrency treats multiple tasks @@ -283,18 +130,5 @@ streamlining error handling and cancellation, improving reliability, and enhancing observability. This is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 19 (JEP 428). - -Ports -===== - -Linux/RISC-V Port -================= -https://openjdk.org/jeps/422 - -RISC-V is a free and open-source RISC instruction set architecture -(ISA) designed originally at the University of California, Berkeley, -and now developed collaboratively under the sponsorship of RISC-V -International. It is already supported by a wide range of language -toolchains. With the increasing availability of RISC-V hardware, a -port of the JDK would be valuable. +introduced in OpenJDK 19 (JEP 428). A second round of incubation takes +place in OpenJDK 20 (JEP 437). 
diff --git a/TestTranslations.java b/TestTranslations.java index d87647a..f6a4fe2 100644 --- a/TestTranslations.java +++ b/TestTranslations.java @@ -52,7 +52,7 @@ public class TestTranslations { map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST", "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT", "heure des Rocheuses", "UTC\u221207:00", "MT"}); - map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST", + map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST", "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT", "Rocky-Mountain-Zeit", "GMT-07:00", "MT"}); CIUDAD_JUAREZ = Collections.unmodifiableMap(map); diff --git a/fips-19u-d95bb40c7c8.patch b/fips-20u-fd3de3d95b5.patch similarity index 91% rename from fips-19u-d95bb40c7c8.patch rename to fips-20u-fd3de3d95b5.patch index 838f115..c36a5b6 100644 --- a/fips-19u-d95bb40c7c8.patch +++ b/fips-20u-fd3de3d95b5.patch @@ -109,10 +109,10 @@ index 7a1d8d80bb2..1807cb71073 100644 BASIC_JDKLIB_LIBS="" if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index 8908a5deb3c..2fce35f5b2d 100644 +index 9448cb9b7e8..8d3d931e951 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -854,6 +854,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -859,6 +859,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # @@ -124,10 +124,10 @@ index 8908a5deb3c..2fce35f5b2d 100644 LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 0d5a6c9846c..5ca12054351 100644 +index 3b782577258..f515b0ba241 100644 --- a/make/modules/java.base/Lib.gmk +++ b/make/modules/java.base/Lib.gmk -@@ -164,6 +164,31 @@ ifeq ($(call isTargetOsType, unix), true) +@@ -163,6 +163,29 @@ ifeq ($(call isTargetOsType, unix), true) endif endif 
@@ -142,255 +142,23 @@ index 0d5a6c9846c..5ca12054351 100644 + LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS +endif + -+ifeq ($(OPENJDK_BUILD_OS), linux) -+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+ )) ++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++)) + -+ TARGETS += $(BUILD_LIBSYSTEMCONF) -+endif ++TARGETS += $(BUILD_LIBSYSTEMCONF) + ################################################################################ # Create the symbols file for static builds. -diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c -new file mode 100644 -index 00000000000..8dcb7d9073f ---- /dev/null -+++ b/src/java.base/linux/native/libsystemconf/systemconf.c -@@ -0,0 +1,224 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. 
-+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#include -+#include -+#include "jvm_md.h" -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#else -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); -+ -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} -+ -+// Only used when NSS is not linked at build time -+#ifndef SYSCONF_NSS -+ -+static void 
*nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if 
(debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? 
JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ } -+} diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -index 38836d2701e..324620a8e9b 100644 +index 38836d2701e..d967010b848 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java @@ -31,6 +31,7 @@ import java.security.SecureRandom; 
@@ -1006,89 +774,10 @@ index 38836d2701e..324620a8e9b 100644 /* * Algorithm Parameter engines -@@ -531,197 +540,199 @@ public final class SunJCE extends Provider { - psA("AlgorithmParameters", "ChaCha20-Poly1305", - "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null); +@@ -610,118 +619,120 @@ public final class SunJCE extends Provider { + ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", + "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -- /* -- * Key factories -- */ -- psA("KeyFactory", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyFactory", -- null); -- -- /* -- * Secret-key factories -- */ -- ps("SecretKeyFactory", "DES", -- "com.sun.crypto.provider.DESKeyFactory"); -- -- psA("SecretKeyFactory", "DESede", -- "com.sun.crypto.provider.DESedeKeyFactory", null); -- -- psA("SecretKeyFactory", "PBEWithMD5AndDES", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", -- null); -- -- /* -- * Internal in-house crypto algorithm used for -- * the JCEKS keystore type. Since this was developed -- * internally, there isn't an OID corresponding to this -- * algorithm. 
-- */ -- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndDESede", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", -- null); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); -- -- ps("SecretKeyFactory", 
"PBEWithHmacSHA512AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -- - // PBKDF2 - psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", - "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", 
@@ -1202,85 +891,6 @@ index 38836d2701e..324620a8e9b 100644 - "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", - List.of("SunTls12RsaPremasterSecret"), null); + if (!systemFipsEnabled) { -+ /* -+ * Key factories -+ */ -+ psA("KeyFactory", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyFactory", -+ null); -+ -+ /* -+ * Secret-key factories -+ */ -+ ps("SecretKeyFactory", "DES", -+ "com.sun.crypto.provider.DESKeyFactory"); -+ -+ psA("SecretKeyFactory", "DESede", -+ "com.sun.crypto.provider.DESedeKeyFactory", null); -+ -+ psA("SecretKeyFactory", "PBEWithMD5AndDES", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", -+ null); -+ -+ /* -+ * Internal in-house crypto algorithm used for -+ * the JCEKS keystore type. Since this was developed -+ * internally, there isn't an OID corresponding to this -+ * algorithm. -+ */ -+ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndDESede", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", -+ null); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", -+ 
"com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -+ + // PBKDF2 + psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", + "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", @@ -1398,27 +1008,18 @@ index 38836d2701e..324620a8e9b 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index 7218f536804..7be83f5eeaa 100644 +index 257dc172ee2..35cea6c54e7 100644 --- a/src/java.base/share/classes/java/security/Security.java 
+++ b/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ import java.net.URL; - +@@ -34,6 +34,7 @@ import java.net.URL; + import jdk.internal.access.JavaSecurityPropertiesAccess; import jdk.internal.event.EventHelper; import jdk.internal.event.SecurityPropertyModificationEvent; +import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -47,12 +48,20 @@ import sun.security.jca.*; - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ +@@ -58,6 +59,11 @@ import sun.security.jca.*; public final class Security { @@ -1430,7 +1031,7 @@ index 7218f536804..7be83f5eeaa 100644 /* Are we debugging? -- for developers */ private static final Debug sdebug = Debug.getInstance("properties"); -@@ -67,6 +76,19 @@ public final class Security { +@@ -75,6 +81,19 @@ public final class Security { } static { @@ -1450,26 +1051,19 @@ index 7218f536804..7be83f5eeaa 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -84,6 +106,7 @@ public final class Security { +@@ -96,6 +115,7 @@ public final class Security { + private static void initialize() { props = new Properties(); - boolean loadedProps = false; boolean overrideAll = false; + boolean systemSecPropsEnabled = false; // first load the system properties file // to determine the value of security.overridePropertiesFile -@@ -98,6 +121,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -192,6 +216,61 @@ public final class Security { +@@ -116,6 +136,61 @@ public final class Security { } + loadProps(null, extraPropFile, overrideAll); } - ++ + boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); + boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); + if (sdebug != null) { @@ -1489,9 +1083,7 @@ index 7218f536804..7be83f5eeaa 100644 + } + } + -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { ++ if (systemSecPropsEnabled) { + boolean shouldEnable; + String sysProp = System.getProperty("com.redhat.fips"); + if (sysProp == null) { 
@@ -1525,15 +1117,25 @@ index 7218f536804..7be83f5eeaa 100644 + "system security properties being enabled."); + } + } ++ + initialSecurityProperties = (Properties) props.clone(); + if (sdebug != null) { + for (String key : props.stringPropertyNames()) { +@@ -126,7 +201,7 @@ public final class Security { + } - /* +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 -index 00000000000..98ffced455b +index 00000000000..9d26a54f5d4 --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,249 @@ +@@ -0,0 +1,232 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * @@ -1614,26 +1216,9 @@ index 00000000000..98ffced455b + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); + } + + /* 
@@ -1688,7 +1273,7 @@ index 00000000000..98ffced455b + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } @@ -1821,10 +1406,10 @@ index 00000000000..3f3caac64dc + boolean isPlainKeySupportEnabled(); +} diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index 08e1133ffae..7d6e6b3cbc6 100644 +index cf76aa9ff94..9ecb14db126 100644 --- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java +++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -42,6 +42,7 @@ import java.io.PrintStream; +@@ -43,6 +43,7 @@ import java.io.PrintStream; import java.io.PrintWriter; import java.io.RandomAccessFile; import java.security.ProtectionDomain; @@ -1832,7 +1417,7 @@ index 08e1133ffae..7d6e6b3cbc6 100644 import java.security.Signature; /** A repository of "shared secrets", which are a mechanism for -@@ -87,6 +88,7 @@ public class SharedSecrets { +@@ -89,6 +90,7 @@ public class SharedSecrets { private static JavaSecuritySpecAccess javaSecuritySpecAccess; private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; @@ -1840,7 +1425,7 @@ index 08e1133ffae..7d6e6b3cbc6 100644 public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { javaUtilCollectionAccess = juca; -@@ -498,4 +500,15 @@ public class SharedSecrets { +@@ -521,4 +523,15 @@ public class SharedSecrets { MethodHandles.lookup().ensureInitialized(c); } catch (IllegalAccessException e) {} } @@ -1857,31 +1442,30 @@ index 08e1133ffae..7d6e6b3cbc6 100644 + } } 
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index e280defabe0..724dcf76edd 100644 +index d985dec174f..a5b9cbf7fbc 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java -@@ -155,6 +155,8 @@ module java.base { +@@ -163,6 +163,7 @@ module java.base { java.naming, java.rmi, jdk.charsets, -+ jdk.crypto.cryptoki, + jdk.crypto.ec, jdk.jartool, jdk.jlink, - jdk.net; + jdk.jfr, diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 46d3ee8bb06..53bc4851d23 100644 +index 0d4ae1019e1..e839866a28c 100644 --- a/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java -@@ -30,6 +30,7 @@ import java.net.*; - import java.util.*; - import java.security.*; +@@ -38,6 +38,7 @@ import java.util.HashMap; + import java.util.Iterator; + import java.util.LinkedHashSet; +import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.action.GetBooleanAction; - import sun.security.util.SecurityProviderConstants; -@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; + +@@ -91,6 +92,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; public final class SunEntries { @@ -1892,7 +1476,7 @@ index 46d3ee8bb06..53bc4851d23 100644 // the default algo used by SecureRandom class for new SecureRandom() calls public static final String DEF_SECURE_RANDOM_ALGO; -@@ -94,99 +99,101 @@ public final class SunEntries { +@@ -102,99 +107,101 @@ public final class SunEntries { // common attribute map HashMap attrs = new HashMap<>(3); 
@@ -2085,7 +1669,7 @@ index 46d3ee8bb06..53bc4851d23 100644 /* * Algorithm Parameter Generator engines -@@ -201,42 +208,44 @@ public final class SunEntries { +@@ -209,42 +216,44 @@ public final class SunEntries { addWithAlias(p, "AlgorithmParameters", "DSA", "sun.security.provider.DSAParameters", attrs); @@ -2166,7 +1750,7 @@ index 46d3ee8bb06..53bc4851d23 100644 /* * Certificates diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index ca79f25cc44..225517ac69b 100644 +index 539ef1e8ee8..7662684797e 100644 --- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java @@ -27,6 +27,7 @@ package sun.security.rsa; @@ -2284,7 +1868,7 @@ index ca79f25cc44..225517ac69b 100644 "sun.security.rsa.PSSParameters", null); } diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -index a7fc33d9ffb..cec40ba7b21 100644 +index a9f97c76cb9..3571778367f 100644 --- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java @@ -32,6 +32,7 @@ import java.security.cert.*; @@ -2295,7 +1879,7 @@ index a7fc33d9ffb..cec40ba7b21 100644 import sun.security.action.GetPropertyAction; import sun.security.provider.certpath.AlgorithmChecker; import sun.security.validator.Validator; -@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { +@@ -530,22 +531,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { private static final List serverDefaultCipherSuites; static { 
@@ -2352,7 +1936,7 @@ index a7fc33d9ffb..cec40ba7b21 100644 supportedCipherSuites = getApplicableSupportedCipherSuites( supportedProtocols); -@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { +@@ -836,12 +855,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { ProtocolVersion[] candidates; if (refactored.isEmpty()) { // Client and server use the same default protocols. @@ -2412,10 +1996,10 @@ index 894e26dfad8..8b16378b96b 100644 "sun.security.ssl.SSLContextImpl$TLSContext", List.of("SSL"), null); diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index f913c981ddc..fd1d0a9e478 100644 +index 8156eea7e11..6a7f6eeafcc 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security -@@ -79,6 +79,16 @@ security.provider.tbd=Apple +@@ -85,6 +85,16 @@ security.provider.tbd=Apple #endif security.provider.tbd=SunPKCS11 @@ -2432,7 +2016,7 @@ index f913c981ddc..fd1d0a9e478 100644 # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. -@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false +@@ -295,6 +305,11 @@ policy.ignoreIdentityScope=false # keystore.type=pkcs12 @@ -2444,7 +2028,7 @@ index f913c981ddc..fd1d0a9e478 100644 # # Controls compatibility mode for JKS and PKCS12 keystore types. # -@@ -326,6 +341,13 @@ package.definition=sun.misc.,\ +@@ -332,6 +347,13 @@ package.definition=sun.misc.,\ # security.overridePropertiesFile=true @@ -2459,10 +2043,10 @@ index f913c981ddc..fd1d0a9e478 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index 20f53b1cd4c..6db2393efb8 100644 +index 2a01c06250a..aea4620b1ab 100644 
--- a/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy -@@ -123,6 +123,7 @@ grant codeBase "jrt:/jdk.charsets" { +@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.charsets" { grant codeBase "jrt:/jdk.crypto.ec" { permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; 
@@ -2470,20 +2054,254 @@ index 20f53b1cd4c..6db2393efb8 100644 permission java.lang.RuntimePermission "loadLibrary.sunec"; permission java.security.SecurityPermission "putProviderProperty.SunEC"; permission java.security.SecurityPermission "clearProviderProperties.SunEC"; -@@ -132,6 +133,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { - grant codeBase "jrt:/jdk.crypto.cryptoki" { - permission java.lang.RuntimePermission - "accessClassInPackage.com.sun.crypto.provider"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; - permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; +diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c +new file mode 100644 +index 00000000000..ddf9befe5bc +--- /dev/null ++++ b/src/java.base/share/native/libsystemconf/systemconf.c +@@ -0,0 +1,236 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). 
++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef LINUX ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ 
handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return 
JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); ++ } ++} ++ ++#else // !LINUX ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ return JNI_FALSE; ++} ++ ++#endif diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java new file mode 100644 -index 00000000000..187be7295f3 +index 00000000000..52a403107c3 --- /dev/null +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,490 @@ +@@ -0,0 +1,461 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -2524,7 +2342,6 @@ index 00000000000..187be7295f3 +import javax.crypto.Cipher; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.SecretKeySpec; -+import javax.crypto.spec.DHPrivateKeySpec; +import javax.crypto.spec.IvParameterSpec; + +import sun.security.jca.JCAUtil; 
@@ -2680,34 +2497,6 @@ index 00000000000..187be7295f3 + attrsMap.put(CKA_NETSCAPE_DB, + new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); + } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } + } else { + if (debug != null) { + debug.println("Unrecognized private key type."); @@ -2975,7 +2764,7 @@ index 00000000000..187be7295f3 + } +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index cae28a06d7b..1c5bd3d15ac 100644 +index af6fbeba48a..a20278cb683 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; 
@@ -2987,29 +2776,30 @@ index cae28a06d7b..1c5bd3d15ac 100644 import sun.security.rsa.RSAUtil.KeyType; import sun.security.rsa.RSAPublicKeyImpl; import sun.security.rsa.RSAPrivateCrtKeyImpl; -@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; - */ - abstract class P11Key implements Key, Length { +@@ -72,6 +74,9 @@ abstract class P11Key implements Key, Length { + @Serial + private static final long serialVersionUID = -2575874101938349339L; + private static final boolean plainKeySupportEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); + - private static final long serialVersionUID = -2575874101938349339L; - private static final String PUBLIC = "public"; -@@ -396,8 +401,9 @@ abstract class P11Key implements Key, Length { + private static final String PRIVATE = "private"; + private static final String SECRET = "secret"; +@@ -391,8 +396,10 @@ abstract class P11Key implements Key, Length { new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); - boolean keySensitive = (attrs[0].getBoolean() || - attrs[1].getBoolean() || !attrs[2].getBoolean()); -+ boolean keySensitive = (!plainKeySupportEnabled && ++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); ++ boolean keySensitive = (!exportable && + (attrs[0].getBoolean() || + attrs[1].getBoolean() || !attrs[2].getBoolean())); - switch (algorithm) { - case "RSA": -@@ -452,7 +458,8 @@ abstract class P11Key implements Key, Length { + return switch (algorithm) { + case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, +@@ -444,7 +451,8 @@ abstract class P11Key implements Key, Length { public String getFormat() { token.ensureValid(); @@ -3019,13 +2809,13 @@ index cae28a06d7b..1c5bd3d15ac 100644 return null; } else { return "RAW"; -@@ -1574,4 +1581,3 @@ final class SessionKeyRef extends PhantomReference { +@@ -1575,4 +1583,3 @@ final class SessionKeyRef extends PhantomReference { this.clear(); } } - 
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 0f65a8b3221..0a406e1a2c8 100644 +index 04a1a70ed23..a5c9b5fddf4 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -3046,9 +2836,9 @@ index 0f65a8b3221..0a406e1a2c8 100644 import jdk.internal.misc.InnocuousThread; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; -@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; - */ - public final class SunPKCS11 extends AuthProvider { +@@ -65,6 +69,37 @@ public final class SunPKCS11 extends AuthProvider { + @Serial + private static final long serialVersionUID = -1354835039035306505L; + private static final boolean systemFipsEnabled = SharedSecrets + .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); @@ -3081,10 +2871,10 @@ index 0f65a8b3221..0a406e1a2c8 100644 + fipsExportKey = fipsExportKeyTmp; + } + - private static final long serialVersionUID = -1354835039035306505L; - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -326,9 +361,19 @@ public final class SunPKCS11 extends AuthProvider { + // the PKCS11 object through which we make the native calls + @SuppressWarnings("serial") // Type of field is not Serializable; +@@ -325,9 +360,19 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; @@ -3106,7 +2896,7 @@ index 0f65a8b3221..0a406e1a2c8 100644 } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -343,8 +388,9 @@ public final class SunPKCS11 extends AuthProvider { +@@ -342,8 +387,9 @@ public final class SunPKCS11 extends AuthProvider { } else { initArgs.flags = 0; } 
@@ -3118,7 +2908,7 @@ index 0f65a8b3221..0a406e1a2c8 100644 } p11 = tmpPKCS11; -@@ -384,6 +430,24 @@ public final class SunPKCS11 extends AuthProvider { +@@ -383,6 +429,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } @@ -3400,11 +3190,11 @@ index 4b06daaf264..55e14945469 100644 +} } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -index 8a560a2c48d..7d68520375b 100644 +index 920422376f8..6aa308fa5f8 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -@@ -190,6 +190,14 @@ public class PKCS11Exception extends Exception { - return "0x" + Functions.toFullHexString((int)errorCode); +@@ -215,6 +215,14 @@ public class PKCS11Exception extends Exception { + return res; } + /** @@ -3419,18 +3209,18 @@ index 8a560a2c48d..7d68520375b 100644 * Constructor taking the error code (the CKR_* constants in PKCS#11) and * extra info for error message. diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 200ed63634f..fa258d736d0 100644 +index 3cfb74c8115..0e333d8ba74 100644 --- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java 
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -38,6 +38,7 @@ import java.util.HashMap; - import java.util.Iterator; +@@ -34,6 +34,7 @@ import java.security.ProviderException; + import java.util.HashMap; import java.util.List; +import jdk.internal.access.SharedSecrets; - import sun.security.ec.ed.EdDSAAlgorithmParameters; import sun.security.ec.ed.EdDSAKeyFactory; import sun.security.ec.ed.EdDSAKeyPairGenerator; -@@ -56,6 +57,10 @@ public final class SunEC extends Provider { + import sun.security.ec.ed.EdDSASignature; +@@ -50,6 +51,10 @@ public final class SunEC extends Provider { private static final long serialVersionUID = -2279741672933606418L; @@ -3441,7 +3231,7 @@ index 200ed63634f..fa258d736d0 100644 private static class ProviderServiceA extends ProviderService { ProviderServiceA(Provider p, String type, String algo, String cn, HashMap attrs) { -@@ -249,83 +254,85 @@ public final class SunEC extends Provider { +@@ -243,83 +248,85 @@ public final class SunEC extends Provider { putXDHEntries(); putEdDSAEntries(); @@ -3604,7 +3394,7 @@ index 200ed63634f..fa258d736d0 100644 } private void putXDHEntries() { -@@ -342,23 +349,25 @@ public final class SunEC extends Provider { +@@ -336,23 +343,25 @@ public final class SunEC extends Provider { "X448", "sun.security.ec.XDHKeyFactory.X448", ATTRS)); @@ -3647,7 +3437,7 @@ index 200ed63634f..fa258d736d0 100644 } private void putEdDSAEntries() { -@@ -373,21 +382,23 @@ public final class SunEC extends Provider { +@@ -367,21 +376,23 @@ public final class SunEC extends Provider { putService(new ProviderServiceA(this, "KeyFactory", "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index eb95814..2524d63 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh 
@@ -17,7 +17,7 @@ # PROJECT_NAME=release # OPENJDK_URL=http://icedtea.classpath.org/hg/ # TO_COMPRESS="*/tapset" -# +# # They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set) # This script creates a single source tarball out of the repository @@ -36,12 +36,9 @@ fi set -e OPENJDK_URL_DEFAULT=https://github.com -PROJECT_NAME_DEFAULT=openjdk -REPO_NAME_DEFAULT=jdk20u -VERSION_DEFAULT=jdk-20+36 COMPRESSION_DEFAULT=xz # Corresponding IcedTea version -ICEDTEA_VERSION=13.0 +ICEDTEA_VERSION=15.0 if [ "x$1" = "xhelp" ] ; then echo -e "Behaviour may be specified by setting the following variables:\n" 
@@ -53,35 +50,54 @@ if [ "x$1" = "xhelp" ] ; then echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" echo "TO_COMPRESS - what part of clone to pack (default is openjdk)" echo "PR3823 - the path to the PR3823 patch to apply (optional; downloaded if unavailable)" + echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" exit 1; fi if [ "x$VERSION" = "x" ] ; then - VERSION="$VERSION_DEFAULT" + echo "No VERSION specified" + exit 2 fi echo "Version: ${VERSION}" +NUM_VER=${VERSION##jdk-} +RELEASE_VER=${NUM_VER%%+*} +BUILD_VER=${NUM_VER##*+} +MAJOR_VER=${RELEASE_VER%%.*} +echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}" -if [ "x$REPO_NAME" = "x" ] ; then - REPO_NAME="$REPO_NAME_DEFAULT" +if [ "x$BOOT_JDK" = "x" ] ; then + echo "No boot JDK specified". + BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk; + echo -n "Checking for ${BOOT_JDK}..."; + if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + echo "Boot JDK found at ${BOOT_JDK}"; + else + echo "Not found"; + PREV_VER=$((${MAJOR_VER} - 1)); + BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk; + echo -n "Checking for ${BOOT_JDK}..."; + if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + echo "Boot JDK found at ${BOOT_JDK}"; + else + echo "Not found"; + exit 4; + fi + fi +else + echo "Boot JDK: ${BOOT_JDK}"; fi -echo "Repo name: ${VERSION}" - -if [ "x$PROJECT_NAME" = "x" ] ; then - PROJECT_NAME="$PROJECT_NAME_DEFAULT" -fi -echo "Version: ${PROJECT_NAME}" - + # REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then if [ "x$PROJECT_NAME" = "x" ] ; then echo "No PROJECT_NAME specified" - exit -1 + exit 1 fi echo "Project name: ${PROJECT_NAME}" if [ "x$REPO_NAME" = "x" ] ; then echo "No REPO_NAME specified" - exit -3 + exit 3 fi echo "Repository name: ${REPO_NAME}" fi 
@@ -110,7 +126,7 @@ fi; if [ "x$TO_COMPRESS" = "x" ] ; then TO_COMPRESS="openjdk" - echo "No to be compressed targets specified, ; default to ${TO_COMPRESS}" + echo "No targets to be compressed specified, ; default to ${TO_COMPRESS}" fi; if [ -d ${FILE_NAME_ROOT} ] ; then @@ -125,31 +141,31 @@ else popd fi pushd "${FILE_NAME_ROOT}" - if [ -d openjdk/src ]; then + if [ -d openjdk/src ]; then pushd openjdk echo "Removing EC source code we don't build" CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl - rm -vf ${CRYPTO_PATH}/ec2.h - rm -vf ${CRYPTO_PATH}/ec2_163.c - rm -vf ${CRYPTO_PATH}/ec2_193.c - rm -vf ${CRYPTO_PATH}/ec2_233.c - rm -vf ${CRYPTO_PATH}/ec2_aff.c - rm -vf ${CRYPTO_PATH}/ec2_mont.c - rm -vf ${CRYPTO_PATH}/ecp_192.c - rm -vf ${CRYPTO_PATH}/ecp_224.c + rm -vf ${CRYPTO_PATH}/ec2.h + rm -vf ${CRYPTO_PATH}/ec2_163.c + rm -vf ${CRYPTO_PATH}/ec2_193.c + rm -vf ${CRYPTO_PATH}/ec2_233.c + rm -vf ${CRYPTO_PATH}/ec2_aff.c + rm -vf ${CRYPTO_PATH}/ec2_mont.c + rm -vf ${CRYPTO_PATH}/ecp_192.c + rm -vf ${CRYPTO_PATH}/ecp_224.c echo "Syncing EC list with NSS" if [ "x$PR3823" = "x" ] ; then # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch # Do not push it or publish it - echo "PR3823 not found. Downloading..." - wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch - echo "Applying ${PWD}/pr3823.patch" - patch -Np1 < pr3823.patch - rm pr3823.patch - else - echo "Applying ${PR3823}" - patch -Np1 < $PR3823 + echo "PR3823 not found. Downloading..." + wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch + echo "Applying ${PWD}/pr3823.patch" + patch -Np1 < pr3823.patch + rm pr3823.patch + else + echo "Applying ${PR3823}" + patch -Np1 < $PR3823 fi; find . -name '*.orig' -exec rm -vf '{}' ';' popd 
@@ -158,11 +174,29 @@ pushd "${FILE_NAME_ROOT}" # Generate .src-rev so build has knowledge of the revision the tarball was created from mkdir build pushd build - sh ${PWD}/../openjdk/configure + sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK} make store-source-revision popd rm -rf build + # Remove commit checks + echo "Removing $(find openjdk -name '.jcheck' -print)" + find openjdk -name '.jcheck' -print0 | xargs -0 rm -r + + # Remove history and GHA + echo "find openjdk -name '.hgtags'" + find openjdk -name '.hgtags' -exec rm -v '{}' '+' + echo "find openjdk -name '.hgignore'" + find openjdk -name '.hgignore' -exec rm -v '{}' '+' + echo "find openjdk -name '.gitattributes'" + find openjdk -name '.gitattributes' -exec rm -v '{}' '+' + echo "find openjdk -name '.gitignore'" + find openjdk -name '.gitignore' -exec rm -v '{}' '+' + echo "find openjdk -name '.git'" + find openjdk -name '.git' -exec rm -rv '{}' '+' + echo "find openjdk -name '.github'" + find openjdk -name '.github' -exec rm -rv '{}' '+' + echo "Compressing remaining forest" if [ "X$COMPRESSION" = "Xxz" ] ; then SWITCH=cJf diff --git a/java-latest-openjdk-portable.spec b/java-latest-openjdk-portable.spec index 305fc28..1729f35 100644 --- a/java-latest-openjdk-portable.spec +++ b/java-latest-openjdk-portable.spec @@ -30,7 +30,7 @@ # Enable static library builds by default. %bcond_without staticlibs # Build a fresh libjvm.so for use in a copy of the bootstrap JDK -%bcond_with fresh_libjvm +%bcond_without fresh_libjvm # Build with system libraries %bcond_with system_libs @@ -51,13 +51,6 @@ %global include_staticlibs 0 %endif -# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so -%if %{with fresh_libjvm} -%global build_hotspot_first 1 -%else -%global build_hotspot_first 0 -%endif - %if %{with system_libs} %global system_libs 1 %global link_type system 
@@ -255,10 +248,6 @@ # Target to use to just build HotSpot %global hotspot_target hotspot -# JDK to use for bootstrapping -%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk - - # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 # We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) @@ -349,7 +338,7 @@ # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver 19 +%global buildjdkver %{featurever} # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -359,6 +348,16 @@ %global lts_designator "" %global lts_designator_zip "" %endif +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +# This will only work where the bootstrap JDK is the same major version +# as the JDK being built +%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif # Define vendor information used by OpenJDK %global oj_vendor Red Hat, Inc. @@ -384,7 +383,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver d95bb40c7c8 +%global fipsver fd3de3d95b5 # Standard JPackage naming and versioning defines %global origin openjdk 
@@ -392,7 +391,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 36 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -663,8 +662,8 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch # Crypto policy and FIPS support patches -# Patch is generated from the fips-19u tree at https://github.com/rh-openjdk/jdk/tree/fips-19u -# as follows: git diff %%{vcstag} src make > fips-19u-$(git show -s --format=%h HEAD).patch +# Patch is generated from the fips-20u tree at https://github.com/rh-openjdk/jdk/tree/fips-20u +# as follows: git diff %%{vcstag} src make > fips-20u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy @@ -685,7 +684,10 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2094027: SunEC runtime permission for FIPS # RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage # RH2090378: Revert to disabling system security properties and FIPS mode support together -Patch1001: fips-19u-%{fipsver}.patch +# RH2104724: Avoid import/export of DH private keys +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +# Build the systemconf library on all platforms +Patch1001: fips-20u-%{fipsver}.patch ############################################# # 
@@ -935,6 +937,12 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi + +%if %{with fresh_libjvm} && ! %{build_hotspot_first} +echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch" +echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}" +%endif + %setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -952,17 +960,17 @@ sh %{SOURCE12} %{top_level_dir_name} # Patch the JDK pushd %{top_level_dir_name} -%patch 1 -p1 -%patch 2 -p1 -%patch 3 -p1 -%patch 6 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch6 -p1 # Add crypto policy and FIPS support -#%%patch 1001 -p1 - todo, adapt fips patch for jdk20 +%patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security -%patch 1000 -p1 +%patch1000 -p1 popd # openjdk -%patch 600 +%patch600 # The OpenJDK version file includes the current # upstream version information. For some reason, @@ -1132,6 +1140,7 @@ function buildjdk() { --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=%{link_type} \ --with-freetype=%{link_type} \ 
@@ -1505,8 +1514,8 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendo # tzdb.dat used by this test is not where the test expects it, so this is # disabled for flatpak builds) $JAVA_HOME/bin/javac -d . %{SOURCE18} -#$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE -#$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR %endif %if %{include_staticlibs} 
@@ -1596,19 +1605,36 @@ done %endif %changelog -* Tue Mar 28 2023 Jiri Vanel - 1:20.0.0.0.36-1.rolling -- moved to jdk20 +* Mon Apr 10 2023 Andrew Hughes - 1:20.0.0.0.36-2.rolling +- Complete update to OpenJDK 20 +- Update NEWS +- Update system crypto policy & FIPS patch from new fips-20u tree +- * RH2104724: Avoid import/export of DH private keys +- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +- * Build the systemconf library on all platforms +- Update generate_tarball.sh ICEDTEA_VERSION and add support for passing a boot JDK to the configure run +- Revert changes to generate_tarball.sh which break error handling +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Revert changes to patch macro which break on older versions of rpm (4.16) +- Revert changes to configure run +- Revert RH1648429 patch changes +- Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) +- Re-enable disabled translation test +- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built + +* Tue Mar 28 2023 Jiri Vanek - 1:20.0.0.0.36-1.rolling +- moved to jdk20 - remvoed already upstreamed patches patch2006,2007,2008,2009 - commented out not yet adapted patch1001 - fips support - removed --disable-sysconf-nss due to missing patch 1001 from configure -- todo return both patch1001 and disable-sysconf-nss! -- adapted rh1750419-redhat_alt_java.patch and rh1750419-redhat_alt_java.patch patches +- adapted rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch and rh1750419-redhat_alt_java.patch patches - inverted fresh_libjvm behavior to be disabled by default. 
fails: -- See: https://koji.fedoraproject.org/koji/taskinfo?taskID=99242677 - commented out tzdata tests - moved from deprecated patchN to patch N - * Tue Feb 07 2023 Jiri Vanel - 1:19.0.2.0.7-2.rolling - added png icons from x11 source package, so they can be reused by rpms diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch index 5ec459a..c178077 100644 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch @@ -9,4 +9,4 @@ index 68a9c1a2d08..7aa25eb2cb7 100644 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg # - # A list of preferred providers for specific algorithms. These providers will + # Security providers used when FIPS mode support is active diff --git a/sources b/sources index 6d2e0b9..c0324c9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openjdk-jdk20u-jdk-20+36.tar.xz) = 08f7918c4d0c1fb3b0036c48dfb7c61e4ed4d3344dfc44ae8ed5eaebe8e85ee1b7d234560654c457148738fc93dc417dafcecd80c97e749d2d8253cfb5ecfe1e +SHA512 (openjdk-jdk20u-jdk-20+36.tar.xz) = 4d7560d9e452879632d7c2dc8d4df3faeafe875e95abd47fafcb8dbe469a567359fd13e6cabd59dc72323125ab9672090f0d04d17d859943c7967ed35f3d7f68
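Review bot: The SunEC.java hunk in the regenerated fips-20u patch adds `import jdk.internal.access.SharedSecrets;` to a class in jdk.crypto.ec, and `jdk.internal.access` is only reachable from modules named in java.base's qualified exports; nothing in the visible diff shows a corresponding module-info change, so please confirm the fips-20u tree also exports that package to jdk.crypto.ec, otherwise the provider fails to compile rather than failing at runtime.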
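Review bot: In the generate_source_tarball.sh hunk at `@@ -53,35 +50,54 @@`, the `NUM_VER`/`RELEASE_VER`/`BUILD_VER`/`MAJOR_VER` derivation assumes VERSION has the exact shape `jdk-<release>+<build>`; with any other value (say `jdk20+36`) MAJOR_VER is not a number, the boot-JDK probe ends with a misleading "Not found" and `exit 4`, and the real cause is never reported. Suggest validating the shape right after the "No VERSION specified" check, e.g. `case "$VERSION" in jdk-*+*) ;; *) echo "VERSION must look like jdk-20+36"; exit 2;; esac`. Two smaller points in the same hunk: `echo "No boot JDK specified".` has its period outside the quotes, and `[ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ]` uses the obsolescent `-a` with unquoted expansions; `[ -d "${BOOT_JDK}" ] && [ -x "${BOOT_JDK}/bin/java" ]` is the portable form.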
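Review bot: The hunk at `@@ -125,31 +141,31 @@` is whitespace-only, but since the block is being touched it is worth noting that `wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch` followed by `patch -Np1 < pr3823.patch` applies whatever the `${ICEDTEA_VERSION}` branch serves at the time the tarball is generated, with no integrity check; the resulting tarball therefore cannot be reproduced from the repository contents alone. Pinning the URL to a commit rather than a branch, or comparing the download against a recorded SHA-512 before applying it (the same discipline the `sources` file already enforces for the tarball), would close that gap.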
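Review bot: In the hunk at `@@ -158,11 +174,29 @@`, the `echo "find openjdk -name '.hgtags'"` lines (and the five that follow) print the literal find command rather than what was removed, which is inconsistent with the `.jcheck` line just above that prints the matched paths via `$(find ... -print)`; since each `rm -v` already reports every deletion, the echos can either be dropped or turned into a description of the step ("Removing Mercurial and GitHub metadata"). Also, `--with-boot-jdk=${BOOT_JDK}` on the configure line should be quoted for consistency with the rest of the script.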
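Review bot: The spec hunks at `@@ -30,7 +30,7 @@` and `@@ -359,6 +348,16 @@` flip fresh_libjvm to default-on and gate `build_hotspot_first` on `%{buildjdkver} == %{featurever}`, but the explanatory comment that stays at `@@ -349,7 +338,7 @@` ("in time of bootstrap of next jdk, it is featurever-1") does not mention that lowering buildjdkver now also silently disables the fresh libjvm build. Since that comment is where the next bootstrap will be edited, a sentence there pointing at the new condition (and at the WARNING emitted in %prep) would keep the two knobs from being changed independently.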
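Review bot: The hunk at `@@ -952,17 +960,17 @@` reverts `%patch 1 -p1` to `%patch1 -p1` for rpm 4.16 compatibility, as the changelog explains, but the `%patchN` spelling is the one being phased out in newer rpm releases, so this is likely to be flipped again. `%patch -P 1 -p1` (and `%patch -P 1001 -p1`, `%patch -P 600`) is accepted by both the old and the new rpm and avoids the churn; the same applies to the other five patch lines in the hunk.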
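Review bot: In the rh1648249 patch hunk, the context line changes from `# A list of preferred providers for specific algorithms. These providers will` to `# Security providers used when FIPS mode support is active`, which means this patch now only applies on top of java.security as rewritten by the FIPS patch; the spec's "must come last as it also alters java.security" comment covers the ordering, but the patch file itself carries no record of the dependency, so a header line stating that it must follow fips-20u-*.patch would save a confusing hunk failure for anyone applying it on its own.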
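Review bot: The `sources` hunk changes the SHA512 of `openjdk-jdk20u-jdk-20+36.tar.xz` while keeping the file name unchanged, so two different artifacts now share one name; any cached copy of the old tarball (lookaside, local checkouts, mirrors) will fail the checksum with no indication why. Either record in the changelog that the tarball was regenerated (the .jcheck/.github removal and the ec2/ecp source removal change its contents) or give FILE_NAME_ROOT a distinguishing suffix when the generator output changes, so the name tracks the content.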