diff --git a/NEWS b/NEWS deleted file mode 100644 index 8a9b0d0..0000000 --- a/NEWS +++ /dev/null @@ -1,300 +0,0 @@ -Key: - -JDK-X - https://bugs.openjdk.java.net/browse/JDK-X -CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY - -New in release OpenJDK 19.0.2 (2023-01-17): -=========================================== -Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-19.0.2.html - -* CVEs - - CVE-2023-21835 - - CVE-2023-21843 -* Security fixes - - JDK-8286070: Improve UTF8 representation - - JDK-8286496: Improve Thread labels - - JDK-8287411: Enhance DTLS performance - - JDK-8288516: Enhance font creation - - JDK-8293554: Enhanced DH Key Exchanges - - JDK-8293598: Enhance InetAddress address handling - - JDK-8293717: Objective view of ObjectView - - JDK-8293734: Improve BMP image handling - - JDK-8293742: Better Banking of Sounds - - JDK-8295687: Better BMP bounds -* Other changes - - JDK-8022403: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails - - JDK-8029633: Raw inner class constructor ref should not perform diamond inference - - JDK-8178698: javax/sound/midi/Sequencer/MetaCallback.java failed with timeout - - JDK-8277970: Test jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java fails with "tag mismatch" - - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails - - JDK-8285604: closed sun/java2d/GdiRendering/ClipShapeRendering.java failed with "Incorrect color ffeeeeee instead of ff0000ff in pixel (100, 100)" - - JDK-8285835: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work - - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache - - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 - - JDK-8287217: C2: PhaseCCP: remove not visited nodes, prevent type inconsistency - - JDK-8288132: Update test artifacts in QuoVadis CA interop tests - - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable - - JDK-8288992: AArch64: CMN should be handled the same way as CMP - - JDK-8290164: compiler/runtime/TestConstantsInError.java fails on riscv - - JDK-8290246: test fails "assert(init != __null) failed: initialization not found" - - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1 - - JDK-8290496: riscv: Fix build warnings-as-errors with GCC 11 - - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure - - JDK-8290694: Update the release date after forking Oct CPU22_10 - - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" - - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize - - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses - - JDK-8290900: Build failure with Clang 14+ due to function warning attribute - - JDK-8290964: C2 compilation fails with assert "non-reduction loop contains reduction nodes" - - JDK-8290974: Bump version numbers for January 2023 CPU - - JDK-8291508: Fix some tests with "requires vm.jvmti & vm.continuations" - - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 - - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr - - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region - - JDK-8292158: AES-CTR cipher state corruption with AVX-512 - - JDK-8292159: TYPE_USE annotations on generic type arguments of record components discarded - - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out - - JDK-8292695: SIGQUIT and jcmd attaching mechanism does not work with signal chaining library - - JDK-8292756: java.lang.AssertionError at at jdk.compiler/com.sun.tools.javac.code.Scope$ScopeImpl.leave(Scope.java:386) - - JDK-8292780: misc tests failed "assert(false) failed: graph should be schedulable" - - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform - - JDK-8292969: Bad Thread Utilization in ForkJoinPool - - JDK-8293044: C1: Missing access check on non-accessible class - - JDK-8293100: RISC-V: Need to save and restore callee-saved FloatRegisters in StubGenerator::generate_call_stub - - JDK-8293348: A false cyclic inheritance error reported - - JDK-8293578: Duplicate ldc generated by javac - - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present - - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent - - JDK-8293834: Update CLDR data following tzdata 2022c update - - JDK-8293996: C2: fix and simplify IdealLoopTree::do_remove_empty_loop - - JDK-8294307: ISO 4217 Amendment 173 Update - - JDK-8294357: (tz) Update Timezone Data to 2022d - - JDK-8294517: Update jdk19u fix version to 19.0.2 - - JDK-8294538: missing is_unloading() check in SharedRuntime::fixup_callers_callsite() - - JDK-8294602: Change milestone to fcs for releases: jdk-11.0.18, jdk-17.0.6, jdk-19.0.2 - - JDK-8294755: Update milestone to ea for 19.0.2 - - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator - - JDK-8295173: (tz) Update Timezone Data to 2022e - - JDK-8295264: Fix PaX check on RISC-V - - JDK-8295268: Optimized builds are broken due to incorrect assert_is_rfp shortcuts - - JDK-8295414: [Aarch64] C2: assert(false) failed: bad AD file - - JDK-8295469: S390X: Optimized builds are broken - - JDK-8295554: Move the "sizecalc.h" to the correct location - - JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error - - JDK-8295926: RISC-V: C1: Fix LIRGenerator::do_LibmIntrinsic - - JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM - - JDK-8296108: (tz) Update Timezone Data to 2022f - - JDK-8296448: RISC-V: Fix temp usages of heapbase register killed by MacroAssembler::en/decode_klass_not_null - - JDK-8296463: Memory leak in JVM_StartThread with the integration of Virtual threads - - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation - - JDK-8296602: RISC-V: improve performance of copy_memory stub - - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - - JDK-8296715: CLDR v42 update for tzdata 2022f - - JDK-8296733: JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect - - JDK-8296771: RISC-V: C2: assert(false) failed: bad AD file - - JDK-8296945: PublicMethodsTest is slow due to dependency verification with debug builds - - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 - - JDK-8296970: Remove sysThreadAvailableStackWithSlack from hotspot-symbols - - JDK-8297147: UnexpectedSourceImageSize test times out on slow machines when fastdebug is used - - JDK-8297153: sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java fails again - - JDK-8297241: Update sun/java2d/DirectX/OnScreenRenderingResizeTest/OnScreenRenderingResizeTest.java - - JDK-8297309: Memory leak in ShenandoahFullGC - - JDK-8297451: ProcessHandleImpl should assert privilege when modifying reaper thread - - JDK-8297476: Increase InlineSmallCode default from 1000 to 2500 for RISC-V - -Notes on individual issues: -=========================== - -client-libs/javax.imageio: - -JDK-8295687: Better BMP bounds -============================== -Loading a linked ICC profile within a BMP image is now disabled by -default. To re-enable it, set the new system property -`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property -replaces the old property, -`sun.imageio.plugins.bmp.disableLinkedProfiles`. - -client-libs/javax.sound: - -JDK-8293742: Better Banking of Sounds -===================================== -Previously, the SoundbankReader implementation, -`com.sun.media.sound.JARSoundbankReader`, would download a JAR -soundbank from a URL. This behaviour is now disabled by default. To -re-enable it, set the new system property `jdk.sound.jarsoundbank` to -`true`. - -security-libs/javax.net.ssl: - -JDK-8287411: Enhance DTLS performance -===================================== -The JDK now exchanges DTLS cookies for all handshakes, new and -resumed. The previous behaviour can be re-enabled by setting the new -system property `jdk.tls.enableDtlsResumeCookie` to `false`. - -New in release OpenJDK 19.0.1 (2022-10-18): -=========================================== -Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-19.0.1.html - -* Security fixes - - JDK-8282252: Improve BigInteger/Decimal validation - - JDK-8285662: Better permission resolution - - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions - - JDK-8286511: Improve macro allocation - - JDK-8286519: Better memory handling - - JDK-8286526, CVE-2022-21619: Improve NTLM support - - JDK-8286910, CVE-2022-21624: Improve JNDI lookups - - JDK-8286918, CVE-2022-21628: Better HttpServer service - - JDK-8287446: Enhance icon presentations - - JDK-8288508: Enhance ECDSA usage - - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage - - JDK-8289853: Update HarfBuzz to 4.4.1 - - JDK-8290334: Update FreeType to 2.12.1 -* Other changes - - JDK-8028265: Add legacy tz tests to OpenJDK - - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch - - JDK-8227651: Tests fail with SSLProtocolException: Input record too big - - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist - - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run - - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests - - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier - - JDK-8288499: Restore cancel-in-progress in GHA - - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ... - - JDK-8288653: Bump version numbers for 19.0.1 - - JDK-8290000: Bump macOS GitHub actions to macOS 11 - - JDK-8290695: Change milestone to fcs for releases: jdk-11.0.17, jdk-17.0.5, jdk-19.0.1 - - JDK-8291640: java/beans/XMLDecoder/8028054/Task.java should use the 3-arg Class.forName - - JDK-8291897: TerminatingThreadLocal(s) not registered from virtual thread(s) - - JDK-8292051: jdk/internal/misc/TerminatingThreadLocal/TestTerminatingThreadLocal.java failed "AssertionError: Expected terminated values: [666] but got: []" - - JDK-8292240: CarrierThread.blocking not reset when spare not activated - - JDK-8292487: Back out the fix for JDK-8281962 from jdk19u - - JDK-8292579: (tz) Update Timezone Data to 2022c - - JDK-8292654: G1 remembered set memory footprint regression after JDK-8286115 - - JDK-8293180: JQuery UI license file not updated - -New in release OpenJDK 19.0.0 (2022-09-20): -=========================================== -Major changes are listed below. Some changes may have been backported -to earlier releases following their first appearance in OpenJDK 19. - -The full list of changes in 19u can be found at: -- * https://builds.shipilev.net/backports-monitor/release-notes-19.txt - -NEW FEATURES -============ - -Language Features -================= - -Pattern Matching for switch -=========================== -https://openjdk.org/jeps/406 -https://openjdk.org/jeps/420 -https://openjdk.org/jeps/427 - -Enhance the Java programming language with pattern matching for -`switch` expressions and statements, along with extensions to the -language of patterns. Extending pattern matching to `switch` allows an -expression to be tested against a number of patterns, each with a -specific action, so that complex data-oriented queries can be -expressed concisely and safely. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 17 (JEP 406) and saw a second preview in OpenJDK 18 (JEP 420). -It reaches its third preview (JEP 427) in OpenJDK 19. - -Record Patterns -=============== -https://openjdk.org/jeps/405 - -Enhance the Java programming language with record patterns to -deconstruct record values. Record patterns and type patterns can be -nested to enable a powerful, declarative, and composable form of data -navigation and processing. - -This is a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 19 (JEP 405) - -Library Features -================ - -Vector API -========== -https://openjdk.org/jeps/338 -https://openjdk.org/jeps/414 -https://openjdk.org/jeps/417 -https://openjdk.org/jeps/426 - -Introduce an API to express vector computations that reliably compile -at runtime to optimal vector hardware instructions on supported CPU -architectures and thus achieve superior performance to equivalent -scalar computations. - -This is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16 (JEP 338). A second round of incubation took -place in OpenJDK 17 (JEP 414), OpenJDK 18 (JEP 417) saw a third and -OpenJDK 19 sees its fourth (JEP 426). - -Foreign Function & Memory API -============================= -https://openjdk.org/jeps/412 -https://openjdk.org/jeps/419 -https://openjdk.org/jeps/424 - -Introduce an API by which Java programs can interoperate with code and -data outside of the Java runtime. By efficiently invoking foreign -functions (i.e., code outside the JVM), and by safely accessing -foreign memory (i.e., memory not managed by the JVM), the API enables -Java programs to call native libraries and process native data without -the brittleness and danger of JNI. - -This API is now a preview feature (http://openjdk.java.net/jeps/12). -It was first introduced in incubation -(https://openjdk.java.net/jeps/11) in OpenJDK 17 (JEP 412), and is an -evolution of the Foreign Memory Access API (OpenJDK 14 through 16) and -Foreign Linker API (OpenJDK 16) (see release notes for -java-17-openjdk). OpenJDK 18 saw a second round of incubation (JEP -419) before its inclusion as a preview in OpenJDK 19 (JEP 424). - -Virtual Threads -=============== -https://openjdk.org/jeps/425 - -Introduce virtual threads to the Java Platform. Virtual threads are -lightweight threads that dramatically reduce the effort of writing, -maintaining, and observing high-throughput concurrent applications. - -This is a preview feature (http://openjdk.java.net/jeps/12) introduced -in OpenJDK 19 (JEP 425) - -Structured Concurrency -====================== -https://openjdk.org/jeps/428 - -Simplify multithreaded programming by introducing an API for -structured concurrency. Structured concurrency treats multiple tasks -running in different threads as a single unit of work, thereby -streamlining error handling and cancellation, improving reliability, -and enhancing observability. - -This is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 19 (JEP 428). - -Ports -===== - -Linux/RISC-V Port -================= -https://openjdk.org/jeps/422 - -RISC-V is a free and open-source RISC instruction set architecture -(ISA) designed originally at the University of California, Berkeley, -and now developed collaboratively under the sponsorship of RISC-V -International. It is already supported by a wide range of language -toolchains. With the increasing availability of RISC-V hardware, a -port of the JDK would be valuable. diff --git a/fips-19u-d95bb40c7c8.patch b/fips-19u-d95bb40c7c8.patch deleted file mode 100644 index 838f115..0000000 --- a/fips-19u-d95bb40c7c8.patch +++ /dev/null @@ -1,3688 +0,0 @@ -diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4 -new file mode 100644 -index 00000000000..b2b1c1787da ---- /dev/null -+++ b/make/autoconf/lib-sysconf.m4 -@@ -0,0 +1,84 @@ -+# -+# Copyright (c) 2021, Red Hat, Inc. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. Oracle designates this -+# particular file as subject to the "Classpath" exception as provided -+# by Oracle in the LICENSE file that accompanied this code. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). -+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+]) -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index 7a1d8d80bb2..1807cb71073 100644 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -35,6 +35,7 @@ m4_include([lib-std.m4]) - m4_include([lib-x11.m4]) - - m4_include([lib-tests.m4]) -+m4_include([lib-sysconf.m4]) - - ################################################################################ - # Determine which libraries are needed for this configuration -@@ -107,6 +108,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], - LIB_SETUP_X11 - - LIB_TESTS_SETUP_GTEST -+ LIB_SETUP_SYSCONF_LIBS - - BASIC_JDKLIB_LIBS="" - if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index 8908a5deb3c..2fce35f5b2d 100644 ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -854,6 +854,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ - # Libraries - # - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk -index 0d5a6c9846c..5ca12054351 100644 ---- a/make/modules/java.base/Lib.gmk -+++ b/make/modules/java.base/Lib.gmk -@@ -164,6 +164,31 @@ ifeq ($(call isTargetOsType, unix), true) - endif - endif - -+################################################################################ -+# Create the systemconf library -+ -+LIBSYSTEMCONF_CFLAGS := -+LIBSYSTEMCONF_CXXFLAGS := -+ -+ifeq ($(USE_SYSCONF_NSS), true) -+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+endif -+ -+ifeq ($(OPENJDK_BUILD_OS), linux) -+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+ )) -+ -+ TARGETS += $(BUILD_LIBSYSTEMCONF) -+endif -+ - ################################################################################ - # Create the symbols file for static builds. - -diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c -new file mode 100644 -index 00000000000..8dcb7d9073f ---- /dev/null -+++ b/src/java.base/linux/native/libsystemconf/systemconf.c -@@ -0,0 +1,224 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#include -+#include -+#include "jvm_md.h" -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#else -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); -+ -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} -+ -+// Only used when NSS is not linked at build time -+#ifndef SYSCONF_NSS -+ -+static void *nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if (debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ } -+} -diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -index 38836d2701e..324620a8e9b 100644 ---- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -+++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java -@@ -31,6 +31,7 @@ import java.security.SecureRandom; - import java.security.PrivilegedAction; - import java.util.HashMap; - import java.util.List; -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - import static sun.security.util.SecurityProviderConstants.*; - -@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*; - - public final class SunJCE extends Provider { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - @java.io.Serial - private static final long serialVersionUID = 6812507587804302833L; - -@@ -143,285 +148,287 @@ public final class SunJCE extends Provider { - void putEntries() { - // reuse attribute map and reset before each reuse - HashMap attrs = new HashMap<>(3); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -- + "|OAEPWITHMD5ANDMGF1PADDING" -- + "|OAEPWITHSHA1ANDMGF1PADDING" -- + "|OAEPWITHSHA-1ANDMGF1PADDING" -- + "|OAEPWITHSHA-224ANDMGF1PADDING" -- + "|OAEPWITHSHA-256ANDMGF1PADDING" -- + "|OAEPWITHSHA-384ANDMGF1PADDING" -- + "|OAEPWITHSHA-512ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/224ANDMGF1PADDING" -- + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -- ps("Cipher", "RSA", -- "com.sun.crypto.provider.RSACipher", null, attrs); -- -- // common block cipher modes, pads -- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + -- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + -- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; -- final String BLOCK_MODES128 = BLOCK_MODES + -- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + -- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; -- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DES", -- "com.sun.crypto.provider.DESCipher", null, attrs); -- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", -- attrs); -- ps("Cipher", "Blowfish", -- "com.sun.crypto.provider.BlowfishCipher", null, attrs); -- -- ps("Cipher", "RC2", -- "com.sun.crypto.provider.RC2Cipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", BLOCK_MODES128); -- attrs.put("SupportedPaddings", BLOCK_PADS); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES", -- "com.sun.crypto.provider.AESCipher$General", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "AES/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", -- attrs); -- ps("Cipher", "AES/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_128/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_128/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_128/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_128/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_128/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_192/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_192/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_192/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_192/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_192/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -- attrs); -- -- psA("Cipher", "AES_256/ECB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CBC/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -- attrs); -- psA("Cipher", "AES_256/OFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/CFB/NoPadding", -- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -- attrs); -- psA("Cipher", "AES_256/KW/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -- attrs); -- ps("Cipher", "AES_256/KW/PKCS5Padding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -- null, attrs); -- psA("Cipher", "AES_256/KWP/NoPadding", -- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -- attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "GCM"); -- attrs.put("SupportedKeyFormats", "RAW"); -- -- ps("Cipher", "AES/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -- attrs); -- psA("Cipher", "AES_128/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES128", -- attrs); -- psA("Cipher", "AES_192/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES192", -- attrs); -- psA("Cipher", "AES_256/GCM/NoPadding", -- "com.sun.crypto.provider.GaloisCounterMode$AES256", -- attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "CBC"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "DESedeWrap", -- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -- -- attrs.clear(); -- attrs.put("SupportedModes", "ECB"); -- attrs.put("SupportedPaddings", "NOPADDING"); -- attrs.put("SupportedKeyFormats", "RAW"); -- psA("Cipher", "ARCFOUR", -- "com.sun.crypto.provider.ARCFOURCipher", attrs); -- -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Cipher", "ChaCha20", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -- null, attrs); -- psA("Cipher", "ChaCha20-Poly1305", -- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -- attrs); -- -- // PBES1 -- psA("Cipher", "PBEWithMD5AndDES", -- "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -- null); -- ps("Cipher", "PBEWithMD5AndTripleDES", -- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -- psA("Cipher", "PBEWithSHA1AndDESede", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -- null); -- psA("Cipher", "PBEWithSHA1AndRC2_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -- null); -- psA("Cipher", "PBEWithSHA1AndRC4_40", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -- null); -- -- psA("Cipher", "PBEWithSHA1AndRC4_128", -- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -- null); -- -- // PBES2 -- ps("Cipher", "PBEWithHmacSHA1AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_128", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -- -- ps("Cipher", "PBEWithHmacSHA1AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA224AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA256AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA384AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -- -- ps("Cipher", "PBEWithHmacSHA512AndAES_256", -- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -- -- /* -- * Key(pair) Generator engines -- */ -- ps("KeyGenerator", "DES", -- "com.sun.crypto.provider.DESKeyGenerator"); -- psA("KeyGenerator", "DESede", -- "com.sun.crypto.provider.DESedeKeyGenerator", -- null); -- ps("KeyGenerator", "Blowfish", -- "com.sun.crypto.provider.BlowfishKeyGenerator"); -- psA("KeyGenerator", "AES", -- "com.sun.crypto.provider.AESKeyGenerator", -- null); -- ps("KeyGenerator", "RC2", -- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); -- psA("KeyGenerator", "ARCFOUR", -- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", -- null); -- ps("KeyGenerator", "ChaCha20", -- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); -- ps("KeyGenerator", "HmacMD5", -- "com.sun.crypto.provider.HmacMD5KeyGenerator"); -- -- psA("KeyGenerator", "HmacSHA1", -- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); -- psA("KeyGenerator", "HmacSHA224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", -- null); -- psA("KeyGenerator", "HmacSHA256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", -- null); -- psA("KeyGenerator", "HmacSHA384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", -- null); -- psA("KeyGenerator", "HmacSHA512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", -- null); -- psA("KeyGenerator", "HmacSHA512/224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", -- null); -- psA("KeyGenerator", "HmacSHA512/256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", -- null); -- -- psA("KeyGenerator", "HmacSHA3-224", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", -- null); -- psA("KeyGenerator", "HmacSHA3-256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", -- null); -- psA("KeyGenerator", "HmacSHA3-384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", -- null); -- psA("KeyGenerator", "HmacSHA3-512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", -- null); -- -- psA("KeyPairGenerator", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyPairGenerator", -- null); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING" -+ + "|OAEPWITHMD5ANDMGF1PADDING" -+ + "|OAEPWITHSHA1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-224ANDMGF1PADDING" -+ + "|OAEPWITHSHA-256ANDMGF1PADDING" -+ + "|OAEPWITHSHA-384ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512/224ANDMGF1PADDING" -+ + "|OAEPWITHSHA-512/256ANDMGF1PADDING"); -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ ps("Cipher", "RSA", -+ "com.sun.crypto.provider.RSACipher", null, attrs); -+ -+ // common block cipher modes, pads -+ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" + -+ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" + -+ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64"; -+ final String BLOCK_MODES128 = BLOCK_MODES + -+ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" + -+ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128"; -+ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING"; -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", BLOCK_MODES); -+ attrs.put("SupportedPaddings", BLOCK_PADS); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "DES", -+ "com.sun.crypto.provider.DESCipher", null, attrs); -+ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher", -+ attrs); -+ ps("Cipher", "Blowfish", -+ "com.sun.crypto.provider.BlowfishCipher", null, attrs); -+ -+ ps("Cipher", "RC2", -+ "com.sun.crypto.provider.RC2Cipher", null, attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", BLOCK_MODES128); -+ attrs.put("SupportedPaddings", BLOCK_PADS); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "AES", -+ "com.sun.crypto.provider.AESCipher$General", attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "AES/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_128/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_128/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_128/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_128/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_192/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_192/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_192/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_192/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding", -+ attrs); -+ -+ psA("Cipher", "AES_256/ECB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CBC/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/OFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/CFB/NoPadding", -+ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding", -+ attrs); -+ psA("Cipher", "AES_256/KW/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding", -+ attrs); -+ ps("Cipher", "AES_256/KW/PKCS5Padding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding", -+ null, attrs); -+ psA("Cipher", "AES_256/KWP/NoPadding", -+ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "GCM"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ -+ ps("Cipher", "AES/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null, -+ attrs); -+ psA("Cipher", "AES_128/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES128", -+ attrs); -+ psA("Cipher", "AES_192/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES192", -+ attrs); -+ psA("Cipher", "AES_256/GCM/NoPadding", -+ "com.sun.crypto.provider.GaloisCounterMode$AES256", -+ attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "CBC"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "DESedeWrap", -+ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedModes", "ECB"); -+ attrs.put("SupportedPaddings", "NOPADDING"); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ psA("Cipher", "ARCFOUR", -+ "com.sun.crypto.provider.ARCFOURCipher", attrs); -+ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Cipher", "ChaCha20", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only", -+ null, attrs); -+ psA("Cipher", "ChaCha20-Poly1305", -+ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305", -+ attrs); -+ -+ // PBES1 -+ psA("Cipher", "PBEWithMD5AndDES", -+ "com.sun.crypto.provider.PBEWithMD5AndDESCipher", -+ null); -+ ps("Cipher", "PBEWithMD5AndTripleDES", -+ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher"); -+ psA("Cipher", "PBEWithSHA1AndDESede", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC2_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC2_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128", -+ null); -+ psA("Cipher", "PBEWithSHA1AndRC4_40", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40", -+ null); -+ -+ psA("Cipher", "PBEWithSHA1AndRC4_128", -+ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128", -+ null); -+ -+ // PBES2 -+ ps("Cipher", "PBEWithHmacSHA1AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA512AndAES_128", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128"); -+ -+ ps("Cipher", "PBEWithHmacSHA1AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA224AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA256AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA384AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256"); -+ -+ ps("Cipher", "PBEWithHmacSHA512AndAES_256", -+ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256"); -+ -+ /* -+ * Key(pair) Generator engines -+ */ -+ ps("KeyGenerator", "DES", -+ "com.sun.crypto.provider.DESKeyGenerator"); -+ psA("KeyGenerator", "DESede", -+ "com.sun.crypto.provider.DESedeKeyGenerator", -+ null); -+ ps("KeyGenerator", "Blowfish", -+ "com.sun.crypto.provider.BlowfishKeyGenerator"); -+ psA("KeyGenerator", "AES", -+ "com.sun.crypto.provider.AESKeyGenerator", -+ null); -+ ps("KeyGenerator", "RC2", -+ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator"); -+ psA("KeyGenerator", "ARCFOUR", -+ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator", -+ null); -+ ps("KeyGenerator", "ChaCha20", -+ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator"); -+ ps("KeyGenerator", "HmacMD5", -+ "com.sun.crypto.provider.HmacMD5KeyGenerator"); -+ -+ psA("KeyGenerator", "HmacSHA1", -+ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null); -+ psA("KeyGenerator", "HmacSHA224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224", -+ null); -+ psA("KeyGenerator", "HmacSHA256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256", -+ null); -+ psA("KeyGenerator", "HmacSHA384", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384", -+ null); -+ psA("KeyGenerator", "HmacSHA512", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512", -+ null); -+ psA("KeyGenerator", "HmacSHA512/224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224", -+ null); -+ psA("KeyGenerator", "HmacSHA512/256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256", -+ null); -+ -+ psA("KeyGenerator", "HmacSHA3-224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224", -+ null); -+ psA("KeyGenerator", "HmacSHA3-256", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256", -+ null); -+ psA("KeyGenerator", "HmacSHA3-384", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384", -+ null); -+ psA("KeyGenerator", "HmacSHA3-512", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512", -+ null); -+ -+ psA("KeyPairGenerator", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyPairGenerator", -+ null); -+ } - - /* - * Algorithm parameter generation engines -@@ -430,15 +437,17 @@ public final class SunJCE extends Provider { - "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator", - null); - -- /* -- * Key Agreement engines -- */ -- attrs.clear(); -- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + -- "|javax.crypto.interfaces.DHPrivateKey"); -- psA("KeyAgreement", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyAgreement", -- attrs); -+ if (!systemFipsEnabled) { -+ /* -+ * Key Agreement engines -+ */ -+ attrs.clear(); -+ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" + -+ "|javax.crypto.interfaces.DHPrivateKey"); -+ psA("KeyAgreement", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyAgreement", -+ attrs); -+ } - - /* - * Algorithm Parameter engines -@@ -531,197 +540,199 @@ public final class SunJCE extends Provider { - psA("AlgorithmParameters", "ChaCha20-Poly1305", - "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null); - -- /* -- * Key factories -- */ -- psA("KeyFactory", "DiffieHellman", -- "com.sun.crypto.provider.DHKeyFactory", -- null); -- -- /* -- * Secret-key factories -- */ -- ps("SecretKeyFactory", "DES", -- "com.sun.crypto.provider.DESKeyFactory"); -- -- psA("SecretKeyFactory", "DESede", -- "com.sun.crypto.provider.DESedeKeyFactory", null); -- -- psA("SecretKeyFactory", "PBEWithMD5AndDES", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", -- null); -- -- /* -- * Internal in-house crypto algorithm used for -- * the JCEKS keystore type. Since this was developed -- * internally, there isn't an OID corresponding to this -- * algorithm. -- */ -- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndDESede", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", -- null); -- -- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", -- null); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); -- -- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", -- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -- -- // PBKDF2 -- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", -- null); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); -- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", -- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); -- -- /* -- * MAC -- */ -- attrs.clear(); -- attrs.put("SupportedKeyFormats", "RAW"); -- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); -- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", -- attrs); -- psA("Mac", "HmacSHA224", -- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); -- psA("Mac", "HmacSHA256", -- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); -- psA("Mac", "HmacSHA384", -- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); -- psA("Mac", "HmacSHA512", -- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); -- psA("Mac", "HmacSHA512/224", -- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); -- psA("Mac", "HmacSHA512/256", -- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); -- psA("Mac", "HmacSHA3-224", -- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); -- psA("Mac", "HmacSHA3-256", -- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); -- psA("Mac", "HmacSHA3-384", -- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); -- psA("Mac", "HmacSHA3-512", -- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); -- -- ps("Mac", "HmacPBESHA1", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", -- null, attrs); -- ps("Mac", "HmacPBESHA224", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", -- null, attrs); -- ps("Mac", "HmacPBESHA256", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", -- null, attrs); -- ps("Mac", "HmacPBESHA384", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", -- null, attrs); -- ps("Mac", "HmacPBESHA512", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", -- null, attrs); -- ps("Mac", "HmacPBESHA512/224", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", -- null, attrs); -- ps("Mac", "HmacPBESHA512/256", -- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", -- null, attrs); -- -- -- // PBMAC1 -- ps("Mac", "PBEWithHmacSHA1", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); -- ps("Mac", "PBEWithHmacSHA224", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); -- ps("Mac", "PBEWithHmacSHA256", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); -- ps("Mac", "PBEWithHmacSHA384", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); -- ps("Mac", "PBEWithHmacSHA512", -- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); -- ps("Mac", "SslMacMD5", -- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); -- ps("Mac", "SslMacSHA1", -- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); -- -- /* -- * KeyStore -- */ -- ps("KeyStore", "JCEKS", -- "com.sun.crypto.provider.JceKeyStore"); -- -- /* -- * SSL/TLS mechanisms -- * -- * These are strictly internal implementations and may -- * be changed at any time. These names were chosen -- * because PKCS11/SunPKCS11 does not yet have TLS1.2 -- * mechanisms, and it will cause calls to come here. -- */ -- ps("KeyGenerator", "SunTlsPrf", -- "com.sun.crypto.provider.TlsPrfGenerator$V10"); -- ps("KeyGenerator", "SunTls12Prf", -- "com.sun.crypto.provider.TlsPrfGenerator$V12"); -- -- ps("KeyGenerator", "SunTlsMasterSecret", -- "com.sun.crypto.provider.TlsMasterSecretGenerator", -- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), -- null); -- -- ps("KeyGenerator", "SunTlsKeyMaterial", -- "com.sun.crypto.provider.TlsKeyMaterialGenerator", -- List.of("SunTls12KeyMaterial"), null); -- -- ps("KeyGenerator", "SunTlsRsaPremasterSecret", -- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", -- List.of("SunTls12RsaPremasterSecret"), null); -+ if (!systemFipsEnabled) { -+ /* -+ * Key factories -+ */ -+ psA("KeyFactory", "DiffieHellman", -+ "com.sun.crypto.provider.DHKeyFactory", -+ null); -+ -+ /* -+ * Secret-key factories -+ */ -+ ps("SecretKeyFactory", "DES", -+ "com.sun.crypto.provider.DESKeyFactory"); -+ -+ psA("SecretKeyFactory", "DESede", -+ "com.sun.crypto.provider.DESedeKeyFactory", null); -+ -+ psA("SecretKeyFactory", "PBEWithMD5AndDES", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES", -+ null); -+ -+ /* -+ * Internal in-house crypto algorithm used for -+ * the JCEKS keystore type. Since this was developed -+ * internally, there isn't an OID corresponding to this -+ * algorithm. -+ */ -+ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES"); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndDESede", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40", -+ null); -+ -+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128", -+ null); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256"); -+ -+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256", -+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256"); -+ -+ // PBKDF2 -+ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1", -+ null); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384"); -+ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512", -+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512"); -+ -+ /* -+ * MAC -+ */ -+ attrs.clear(); -+ attrs.put("SupportedKeyFormats", "RAW"); -+ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs); -+ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1", -+ attrs); -+ psA("Mac", "HmacSHA224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs); -+ psA("Mac", "HmacSHA256", -+ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs); -+ psA("Mac", "HmacSHA384", -+ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs); -+ psA("Mac", "HmacSHA512", -+ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs); -+ psA("Mac", "HmacSHA512/224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs); -+ psA("Mac", "HmacSHA512/256", -+ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs); -+ psA("Mac", "HmacSHA3-224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs); -+ psA("Mac", "HmacSHA3-256", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs); -+ psA("Mac", "HmacSHA3-384", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs); -+ psA("Mac", "HmacSHA3-512", -+ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs); -+ -+ ps("Mac", "HmacPBESHA1", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1", -+ null, attrs); -+ ps("Mac", "HmacPBESHA224", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224", -+ null, attrs); -+ ps("Mac", "HmacPBESHA256", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256", -+ null, attrs); -+ ps("Mac", "HmacPBESHA384", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384", -+ null, attrs); -+ ps("Mac", "HmacPBESHA512", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512", -+ null, attrs); -+ ps("Mac", "HmacPBESHA512/224", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224", -+ null, attrs); -+ ps("Mac", "HmacPBESHA512/256", -+ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256", -+ null, attrs); -+ -+ -+ // PBMAC1 -+ ps("Mac", "PBEWithHmacSHA1", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs); -+ ps("Mac", "PBEWithHmacSHA224", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs); -+ ps("Mac", "PBEWithHmacSHA256", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs); -+ ps("Mac", "PBEWithHmacSHA384", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs); -+ ps("Mac", "PBEWithHmacSHA512", -+ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs); -+ ps("Mac", "SslMacMD5", -+ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs); -+ ps("Mac", "SslMacSHA1", -+ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs); -+ -+ /* -+ * KeyStore -+ */ -+ ps("KeyStore", "JCEKS", -+ "com.sun.crypto.provider.JceKeyStore"); -+ -+ /* -+ * SSL/TLS mechanisms -+ * -+ * These are strictly internal implementations and may -+ * be changed at any time. These names were chosen -+ * because PKCS11/SunPKCS11 does not yet have TLS1.2 -+ * mechanisms, and it will cause calls to come here. -+ */ -+ ps("KeyGenerator", "SunTlsPrf", -+ "com.sun.crypto.provider.TlsPrfGenerator$V10"); -+ ps("KeyGenerator", "SunTls12Prf", -+ "com.sun.crypto.provider.TlsPrfGenerator$V12"); -+ -+ ps("KeyGenerator", "SunTlsMasterSecret", -+ "com.sun.crypto.provider.TlsMasterSecretGenerator", -+ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"), -+ null); -+ -+ ps("KeyGenerator", "SunTlsKeyMaterial", -+ "com.sun.crypto.provider.TlsKeyMaterialGenerator", -+ List.of("SunTls12KeyMaterial"), null); -+ -+ ps("KeyGenerator", "SunTlsRsaPremasterSecret", -+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator", -+ List.of("SunTls12RsaPremasterSecret"), null); -+ } - } - - // Return the instance of this class or create one if needed. -diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index 7218f536804..7be83f5eeaa 100644 ---- a/src/java.base/share/classes/java/security/Security.java -+++ b/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ import java.net.URL; - - import jdk.internal.event.EventHelper; - import jdk.internal.event.SecurityPropertyModificationEvent; -+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess; - import jdk.internal.access.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.util.Debug; -@@ -47,12 +48,20 @@ import sun.security.jca.*; - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ - - public final class Security { - -+ private static final String SYS_PROP_SWITCH = -+ "java.security.disableSystemPropertiesFile"; -+ private static final String SEC_PROP_SWITCH = -+ "security.useSystemPropertiesFile"; -+ - /* Are we debugging? -- for developers */ - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -67,6 +76,19 @@ public final class Security { - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -84,6 +106,7 @@ public final class Security { - props = new Properties(); - boolean loadedProps = false; - boolean overrideAll = false; -+ boolean systemSecPropsEnabled = false; - - // first load the system properties file - // to determine the value of security.overridePropertiesFile -@@ -98,6 +121,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -192,6 +216,61 @@ public final class Security { - } - } - -+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); -+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); -+ if (sdebug != null) { -+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); -+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); -+ } -+ if (!sysUseProps && secUseProps) { -+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); -+ if (!systemSecPropsEnabled) { -+ if (sdebug != null) { -+ sdebug.println("WARNING: System security properties could not be loaded."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("System security property support disabled by user."); -+ } -+ } -+ -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { -+ boolean shouldEnable; -+ String sysProp = System.getProperty("com.redhat.fips"); -+ if (sysProp == null) { -+ shouldEnable = true; -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips unset, using default value of true"); -+ } -+ } else { -+ shouldEnable = Boolean.valueOf(sysProp); -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); -+ } -+ } -+ if (shouldEnable) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS mode support configured and enabled."); -+ } else { -+ sdebug.println("FIPS mode support disabled."); -+ } -+ } -+ } else { -+ if (sdebug != null ) { -+ sdebug.println("FIPS mode support disabled by user."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("WARNING: FIPS mode support can not be enabled without " + -+ "system security properties being enabled."); -+ } -+ } - } - - /* -diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java -new file mode 100644 -index 00000000000..98ffced455b ---- /dev/null -+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,249 @@ -+/* -+ * Copyright (c) 2019, 2021, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+final class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; -+ -+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; -+ -+ private static native boolean getSystemFIPSEnabled() -+ throws IOException; -+ -+ static { -+ @SuppressWarnings("removal") -+ var dummy = AccessController.doPrivileged(new PrivilegedAction() { -+ public Void run() { -+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); -+ return null; -+ } -+ }); -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; -+ } -+ -+ /* -+ * Invoked at the end of java.security.Security initialisation -+ * if java.security properties have been loaded -+ */ -+ static boolean configureFIPS(Properties props) { -+ boolean loadedProps = false; -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } -+ loadedProps = true; -+ systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } -+ } else { -+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ -+ /** -+ * Determines whether FIPS mode should be enabled. -+ * -+ * OpenJDK FIPS mode will be enabled only if the system is in -+ * FIPS mode. -+ * -+ * Calls to this method only occur if the system property -+ * com.redhat.fips is not set to false. -+ * -+ * There are 2 possible ways in which OpenJDK detects that the system -+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is -+ * available at OpenJDK's built-time, it is called; 2) otherwise, the -+ * /proc/sys/crypto/fips_enabled file is read. -+ * -+ * @return true if the system is in FIPS mode -+ */ -+ private static boolean enableFips() throws Exception { -+ if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); -+ } -+ try { -+ boolean fipsEnabled = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + fipsEnabled); -+ } -+ return fipsEnabled; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; -+ } -+ } -+} -diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java -new file mode 100644 -index 00000000000..3f3caac64dc ---- /dev/null -+++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java -@@ -0,0 +1,31 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package jdk.internal.access; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -index 08e1133ffae..7d6e6b3cbc6 100644 ---- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -+++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java -@@ -42,6 +42,7 @@ import java.io.PrintStream; - import java.io.PrintWriter; - import java.io.RandomAccessFile; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - /** A repository of "shared secrets", which are a mechanism for -@@ -87,6 +88,7 @@ public class SharedSecrets { - private static JavaSecuritySpecAccess javaSecuritySpecAccess; - private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; - private static JavaxCryptoSpecAccess javaxCryptoSpecAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) { - javaUtilCollectionAccess = juca; -@@ -498,4 +500,15 @@ public class SharedSecrets { - MethodHandles.lookup().ensureInitialized(c); - } catch (IllegalAccessException e) {} - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ ensureClassInitialized(Security.class); -+ } -+ return javaSecuritySystemConfiguratorAccess; -+ } - } -diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index e280defabe0..724dcf76edd 100644 ---- a/src/java.base/share/classes/module-info.java -+++ b/src/java.base/share/classes/module-info.java -@@ -155,6 +155,8 @@ module java.base { - java.naming, - java.rmi, - jdk.charsets, -+ jdk.crypto.cryptoki, -+ jdk.crypto.ec, - jdk.jartool, - jdk.jlink, - jdk.net; -diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java -index 46d3ee8bb06..53bc4851d23 100644 ---- a/src/java.base/share/classes/sun/security/provider/SunEntries.java -+++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java -@@ -30,6 +30,7 @@ import java.net.*; - import java.util.*; - import java.security.*; - -+import jdk.internal.access.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.action.GetBooleanAction; - import sun.security.util.SecurityProviderConstants; -@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; - - public final class SunEntries { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - // the default algo used by SecureRandom class for new SecureRandom() calls - public static final String DEF_SECURE_RANDOM_ALGO; - -@@ -94,99 +99,101 @@ public final class SunEntries { - // common attribute map - HashMap attrs = new HashMap<>(3); - -- /* -- * SecureRandom engines -- */ -- attrs.put("ThreadSafe", "true"); -- if (NativePRNG.isAvailable()) { -- add(p, "SecureRandom", "NativePRNG", -- "sun.security.provider.NativePRNG", attrs); -- } -- if (NativePRNG.Blocking.isAvailable()) { -- add(p, "SecureRandom", "NativePRNGBlocking", -- "sun.security.provider.NativePRNG$Blocking", attrs); -- } -- if (NativePRNG.NonBlocking.isAvailable()) { -- add(p, "SecureRandom", "NativePRNGNonBlocking", -- "sun.security.provider.NativePRNG$NonBlocking", attrs); -- } -- attrs.put("ImplementedIn", "Software"); -- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); -- add(p, "SecureRandom", "SHA1PRNG", -- "sun.security.provider.SecureRandom", attrs); -- -- /* -- * Signature engines -- */ -- attrs.clear(); -- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + -- "|java.security.interfaces.DSAPrivateKey"; -- attrs.put("SupportedKeyClasses", dsaKeyClasses); -- attrs.put("ImplementedIn", "Software"); -- -- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures -- -- addWithAlias(p, "Signature", "SHA1withDSA", -- "sun.security.provider.DSA$SHA1withDSA", attrs); -- addWithAlias(p, "Signature", "NONEwithDSA", -- "sun.security.provider.DSA$RawDSA", attrs); -- -- // for DSA signatures with 224/256-bit digests -- attrs.put("KeySize", "2048"); -- -- addWithAlias(p, "Signature", "SHA224withDSA", -- "sun.security.provider.DSA$SHA224withDSA", attrs); -- addWithAlias(p, "Signature", "SHA256withDSA", -- "sun.security.provider.DSA$SHA256withDSA", attrs); -- -- addWithAlias(p, "Signature", "SHA3-224withDSA", -- "sun.security.provider.DSA$SHA3_224withDSA", attrs); -- addWithAlias(p, "Signature", "SHA3-256withDSA", -- "sun.security.provider.DSA$SHA3_256withDSA", attrs); -- -- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests -- -- addWithAlias(p, "Signature", "SHA384withDSA", -- "sun.security.provider.DSA$SHA384withDSA", attrs); -- addWithAlias(p, "Signature", "SHA512withDSA", -- "sun.security.provider.DSA$SHA512withDSA", attrs); -- addWithAlias(p, "Signature", "SHA3-384withDSA", -- "sun.security.provider.DSA$SHA3_384withDSA", attrs); -- addWithAlias(p, "Signature", "SHA3-512withDSA", -- "sun.security.provider.DSA$SHA3_512withDSA", attrs); -- -- attrs.remove("KeySize"); -+ if (!systemFipsEnabled) { -+ /* -+ * SecureRandom engines -+ */ -+ attrs.put("ThreadSafe", "true"); -+ if (NativePRNG.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNG", -+ "sun.security.provider.NativePRNG", attrs); -+ } -+ if (NativePRNG.Blocking.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNGBlocking", -+ "sun.security.provider.NativePRNG$Blocking", attrs); -+ } -+ if (NativePRNG.NonBlocking.isAvailable()) { -+ add(p, "SecureRandom", "NativePRNGNonBlocking", -+ "sun.security.provider.NativePRNG$NonBlocking", attrs); -+ } -+ attrs.put("ImplementedIn", "Software"); -+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs); -+ add(p, "SecureRandom", "SHA1PRNG", -+ "sun.security.provider.SecureRandom", attrs); - -- add(p, "Signature", "SHA1withDSAinP1363Format", -- "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -- add(p, "Signature", "NONEwithDSAinP1363Format", -- "sun.security.provider.DSA$RawDSAinP1363Format"); -- add(p, "Signature", "SHA224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -- add(p, "Signature", "SHA256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -- add(p, "Signature", "SHA384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -- add(p, "Signature", "SHA512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -- add(p, "Signature", "SHA3-224withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -- add(p, "Signature", "SHA3-256withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -- add(p, "Signature", "SHA3-384withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -- add(p, "Signature", "SHA3-512withDSAinP1363Format", -- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -- /* -- * Key Pair Generator engines -- */ -- attrs.clear(); -- attrs.put("ImplementedIn", "Software"); -- attrs.put("KeySize", "2048"); // for DSA KPG and APG only -+ /* -+ * Signature engines -+ */ -+ attrs.clear(); -+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + -+ "|java.security.interfaces.DSAPrivateKey"; -+ attrs.put("SupportedKeyClasses", dsaKeyClasses); -+ attrs.put("ImplementedIn", "Software"); -+ -+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures -+ -+ addWithAlias(p, "Signature", "SHA1withDSA", -+ "sun.security.provider.DSA$SHA1withDSA", attrs); -+ addWithAlias(p, "Signature", "NONEwithDSA", -+ "sun.security.provider.DSA$RawDSA", attrs); -+ -+ // for DSA signatures with 224/256-bit digests -+ attrs.put("KeySize", "2048"); -+ -+ addWithAlias(p, "Signature", "SHA224withDSA", -+ "sun.security.provider.DSA$SHA224withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA256withDSA", -+ "sun.security.provider.DSA$SHA256withDSA", attrs); -+ -+ addWithAlias(p, "Signature", "SHA3-224withDSA", -+ "sun.security.provider.DSA$SHA3_224withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-256withDSA", -+ "sun.security.provider.DSA$SHA3_256withDSA", attrs); -+ -+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests -+ -+ addWithAlias(p, "Signature", "SHA384withDSA", -+ "sun.security.provider.DSA$SHA384withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA512withDSA", -+ "sun.security.provider.DSA$SHA512withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-384withDSA", -+ "sun.security.provider.DSA$SHA3_384withDSA", attrs); -+ addWithAlias(p, "Signature", "SHA3-512withDSA", -+ "sun.security.provider.DSA$SHA3_512withDSA", attrs); -+ -+ attrs.remove("KeySize"); -+ -+ add(p, "Signature", "SHA1withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA1withDSAinP1363Format"); -+ add(p, "Signature", "NONEwithDSAinP1363Format", -+ "sun.security.provider.DSA$RawDSAinP1363Format"); -+ add(p, "Signature", "SHA224withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA224withDSAinP1363Format"); -+ add(p, "Signature", "SHA256withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA256withDSAinP1363Format"); -+ add(p, "Signature", "SHA384withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA384withDSAinP1363Format"); -+ add(p, "Signature", "SHA512withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA512withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-224withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-256withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-384withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format"); -+ add(p, "Signature", "SHA3-512withDSAinP1363Format", -+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format"); -+ /* -+ * Key Pair Generator engines -+ */ -+ attrs.clear(); -+ attrs.put("ImplementedIn", "Software"); -+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only - -- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; -- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); -- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); -+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; -+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); -+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs); -+ } - - /* - * Algorithm Parameter Generator engines -@@ -201,42 +208,44 @@ public final class SunEntries { - addWithAlias(p, "AlgorithmParameters", "DSA", - "sun.security.provider.DSAParameters", attrs); - -- /* -- * Key factories -- */ -- addWithAlias(p, "KeyFactory", "DSA", -- "sun.security.provider.DSAKeyFactory", attrs); -- -- /* -- * Digest engines -- */ -- addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", -- attrs); -- addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", -- attrs); -- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", -- attrs); -+ if (!systemFipsEnabled) { -+ /* -+ * Key factories -+ */ -+ addWithAlias(p, "KeyFactory", "DSA", -+ "sun.security.provider.DSAKeyFactory", attrs); - -- addWithAlias(p, "MessageDigest", "SHA-224", -- "sun.security.provider.SHA2$SHA224", attrs); -- addWithAlias(p, "MessageDigest", "SHA-256", -- "sun.security.provider.SHA2$SHA256", attrs); -- addWithAlias(p, "MessageDigest", "SHA-384", -- "sun.security.provider.SHA5$SHA384", attrs); -- addWithAlias(p, "MessageDigest", "SHA-512", -- "sun.security.provider.SHA5$SHA512", attrs); -- addWithAlias(p, "MessageDigest", "SHA-512/224", -- "sun.security.provider.SHA5$SHA512_224", attrs); -- addWithAlias(p, "MessageDigest", "SHA-512/256", -- "sun.security.provider.SHA5$SHA512_256", attrs); -- addWithAlias(p, "MessageDigest", "SHA3-224", -- "sun.security.provider.SHA3$SHA224", attrs); -- addWithAlias(p, "MessageDigest", "SHA3-256", -- "sun.security.provider.SHA3$SHA256", attrs); -- addWithAlias(p, "MessageDigest", "SHA3-384", -- "sun.security.provider.SHA3$SHA384", attrs); -- addWithAlias(p, "MessageDigest", "SHA3-512", -- "sun.security.provider.SHA3$SHA512", attrs); -+ /* -+ * Digest engines -+ */ -+ addWithAlias(p, "MessageDigest", "MD2", "sun.security.provider.MD2", -+ attrs); -+ addWithAlias(p, "MessageDigest", "MD5", "sun.security.provider.MD5", -+ attrs); -+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA", -+ attrs); -+ -+ addWithAlias(p, "MessageDigest", "SHA-224", -+ "sun.security.provider.SHA2$SHA224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-256", -+ "sun.security.provider.SHA2$SHA256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-384", -+ "sun.security.provider.SHA5$SHA384", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512", -+ "sun.security.provider.SHA5$SHA512", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512/224", -+ "sun.security.provider.SHA5$SHA512_224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA-512/256", -+ "sun.security.provider.SHA5$SHA512_256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-224", -+ "sun.security.provider.SHA3$SHA224", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-256", -+ "sun.security.provider.SHA3$SHA256", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-384", -+ "sun.security.provider.SHA3$SHA384", attrs); -+ addWithAlias(p, "MessageDigest", "SHA3-512", -+ "sun.security.provider.SHA3$SHA512", attrs); -+ } - - /* - * Certificates -diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index ca79f25cc44..225517ac69b 100644 ---- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -+++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -@@ -27,6 +27,7 @@ package sun.security.rsa; - - import java.util.*; - import java.security.Provider; -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityProviderConstants.getAliases; - - /** -@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases; - */ - public final class SunRsaSignEntries { - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - private void add(Provider p, String type, String algo, String cn, - List aliases, HashMap attrs) { - services.add(new Provider.Service(p, type, algo, cn, -@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { - // start populating content using the specified provider - // common attribute map - HashMap attrs = new HashMap<>(3); -- attrs.put("SupportedKeyClasses", -- "java.security.interfaces.RSAPublicKey" + -- "|java.security.interfaces.RSAPrivateKey"); -+ if (!systemFipsEnabled) { -+ attrs.put("SupportedKeyClasses", -+ "java.security.interfaces.RSAPublicKey" + -+ "|java.security.interfaces.RSAPrivateKey"); -+ } - - add(p, "KeyFactory", "RSA", - "sun.security.rsa.RSAKeyFactory$Legacy", - getAliases("PKCS1"), null); -- add(p, "KeyPairGenerator", "RSA", -- "sun.security.rsa.RSAKeyPairGenerator$Legacy", -- getAliases("PKCS1"), null); -- addA(p, "Signature", "MD2withRSA", -- "sun.security.rsa.RSASignature$MD2withRSA", attrs); -- addA(p, "Signature", "MD5withRSA", -- "sun.security.rsa.RSASignature$MD5withRSA", attrs); -- addA(p, "Signature", "SHA1withRSA", -- "sun.security.rsa.RSASignature$SHA1withRSA", attrs); -- addA(p, "Signature", "SHA224withRSA", -- "sun.security.rsa.RSASignature$SHA224withRSA", attrs); -- addA(p, "Signature", "SHA256withRSA", -- "sun.security.rsa.RSASignature$SHA256withRSA", attrs); -- addA(p, "Signature", "SHA384withRSA", -- "sun.security.rsa.RSASignature$SHA384withRSA", attrs); -- addA(p, "Signature", "SHA512withRSA", -- "sun.security.rsa.RSASignature$SHA512withRSA", attrs); -- addA(p, "Signature", "SHA512/224withRSA", -- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); -- addA(p, "Signature", "SHA512/256withRSA", -- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); -- addA(p, "Signature", "SHA3-224withRSA", -- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); -- addA(p, "Signature", "SHA3-256withRSA", -- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); -- addA(p, "Signature", "SHA3-384withRSA", -- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); -- addA(p, "Signature", "SHA3-512withRSA", -- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); -+ -+ if (!systemFipsEnabled) { -+ add(p, "KeyPairGenerator", "RSA", -+ "sun.security.rsa.RSAKeyPairGenerator$Legacy", -+ getAliases("PKCS1"), null); -+ addA(p, "Signature", "MD2withRSA", -+ "sun.security.rsa.RSASignature$MD2withRSA", attrs); -+ addA(p, "Signature", "MD5withRSA", -+ "sun.security.rsa.RSASignature$MD5withRSA", attrs); -+ addA(p, "Signature", "SHA1withRSA", -+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); -+ addA(p, "Signature", "SHA224withRSA", -+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); -+ addA(p, "Signature", "SHA256withRSA", -+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); -+ addA(p, "Signature", "SHA384withRSA", -+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); -+ addA(p, "Signature", "SHA512withRSA", -+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); -+ addA(p, "Signature", "SHA512/224withRSA", -+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); -+ addA(p, "Signature", "SHA512/256withRSA", -+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); -+ addA(p, "Signature", "SHA3-224withRSA", -+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); -+ addA(p, "Signature", "SHA3-256withRSA", -+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); -+ addA(p, "Signature", "SHA3-384withRSA", -+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); -+ addA(p, "Signature", "SHA3-512withRSA", -+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); -+ } - - addA(p, "KeyFactory", "RSASSA-PSS", - "sun.security.rsa.RSAKeyFactory$PSS", attrs); -- addA(p, "KeyPairGenerator", "RSASSA-PSS", -- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); -- addA(p, "Signature", "RSASSA-PSS", -- "sun.security.rsa.RSAPSSSignature", attrs); -+ -+ if (!systemFipsEnabled) { -+ addA(p, "KeyPairGenerator", "RSASSA-PSS", -+ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); -+ addA(p, "Signature", "RSASSA-PSS", -+ "sun.security.rsa.RSAPSSSignature", attrs); -+ } -+ - addA(p, "AlgorithmParameters", "RSASSA-PSS", - "sun.security.rsa.PSSParameters", null); - } -diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -index a7fc33d9ffb..cec40ba7b21 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -@@ -32,6 +32,7 @@ import java.security.cert.*; - import java.util.*; - import java.util.concurrent.locks.ReentrantLock; - import javax.net.ssl.*; -+import jdk.internal.access.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi { - private static final List serverDefaultCipherSuites; - - static { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10, -- ProtocolVersion.SSL30, -- ProtocolVersion.SSL20Hello -- ); -- -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10, -+ ProtocolVersion.SSL30, -+ ProtocolVersion.SSL20Hello -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - - supportedCipherSuites = getApplicableSupportedCipherSuites( - supportedProtocols); -@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { - ProtocolVersion[] candidates; - if (refactored.isEmpty()) { - // Client and server use the same default protocols. -- candidates = new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }; -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } else { -+ candidates = new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - } else { - // Use the customized TLS protocols. - candidates = -diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -index 894e26dfad8..8b16378b96b 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -@@ -27,6 +27,8 @@ package sun.security.ssl; - - import java.security.*; - import java.util.*; -+ -+import jdk.internal.access.SharedSecrets; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - - /** -@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider { - "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); - ps("SSLContext", "TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); -- ps("SSLContext", "TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ ps("SSLContext", "TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ } - ps("SSLContext", "TLS", - "sun.security.ssl.SSLContextImpl$TLSContext", - List.of("SSL"), null); -diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index f913c981ddc..fd1d0a9e478 100644 ---- a/src/java.base/share/conf/security/java.security -+++ b/src/java.base/share/conf/security/java.security -@@ -79,6 +79,16 @@ security.provider.tbd=Apple - #endif - security.provider.tbd=SunPKCS11 - -+# -+# Security providers used when FIPS mode support is active -+# -+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg -+fips.provider.2=SUN -+fips.provider.3=SunEC -+fips.provider.4=SunJSSE -+fips.provider.5=SunJCE -+fips.provider.6=SunRsaSign -+ - # - # A list of preferred providers for specific algorithms. These providers will - # be searched for matching algorithms before the list of registered providers. -@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false - # - keystore.type=pkcs12 - -+# -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ - # - # Controls compatibility mode for JKS and PKCS12 keystore types. - # -@@ -326,6 +341,13 @@ package.definition=sun.misc.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index 20f53b1cd4c..6db2393efb8 100644 ---- a/src/java.base/share/lib/security/default.policy -+++ b/src/java.base/share/lib/security/default.policy -@@ -123,6 +123,7 @@ grant codeBase "jrt:/jdk.charsets" { - grant codeBase "jrt:/jdk.crypto.ec" { - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; - permission java.lang.RuntimePermission "loadLibrary.sunec"; - permission java.security.SecurityPermission "putProviderProperty.SunEC"; - permission java.security.SecurityPermission "clearProviderProperties.SunEC"; -@@ -132,6 +133,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { - grant codeBase "jrt:/jdk.crypto.cryptoki" { - permission java.lang.RuntimePermission - "accessClassInPackage.com.sun.crypto.provider"; -+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; - permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 00000000000..187be7295f3 ---- /dev/null -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,490 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.security.interfaces.RSAPrivateCrtKey; -+import java.security.interfaces.RSAPrivateKey; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.SecretKeyFactory; -+import javax.crypto.spec.SecretKeySpec; -+import javax.crypto.spec.DHPrivateKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAPrivateCrtKeyImpl; -+import sun.security.rsa.RSAUtil; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static volatile P11Key importerKey = null; -+ private static SecretKeySpec exporterKey = null; -+ private static volatile P11Key exporterKeyP11 = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ // Do not take the exporterKeyLock with the importerKeyLock held. -+ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); -+ private static volatile CK_MECHANISM importerKeyMechanism = null; -+ private static volatile CK_MECHANISM exporterKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ private static Cipher exporterCipher = null; -+ -+ private static volatile Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ private static volatile KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key importer"); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key importer"); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key importer"); -+ } -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ importerKeyLock.lock(); -+ try { -+ // No need to reset the cipher object because no multi-part -+ // operations are performed. -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, -+ long keyClass, long keyType, Map sensitiveAttrs) -+ throws PKCS11Exception { -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be exported in" + -+ " system FIPS mode."); -+ } -+ if (exporterKeyP11 == null) { -+ try { -+ exporterKeyLock.lock(); -+ if (exporterKeyP11 == null) { -+ if (exporterKeyMechanism == null) { -+ // Exporter Key creation has not been tried yet. Try it. -+ createExporterKey(token); -+ } -+ if (exporterKeyP11 == null || exporterCipher == null) { -+ if (debug != null) { -+ debug.println("Exporter Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key exporter"); -+ } -+ if (debug != null) { -+ debug.println("Exporter Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ exporterKeyLock.unlock(); -+ } -+ } -+ long exporterKeyID = exporterKeyP11.getKeyID(); -+ try { -+ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, -+ exporterKeyMechanism, exporterKeyID, hObject); -+ byte[] plainExportedKey = null; -+ exporterKeyLock.lock(); -+ try { -+ // No need to reset the cipher object because no multi-part -+ // operations are performed. -+ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); -+ } finally { -+ exporterKeyLock.unlock(); -+ } -+ if (keyClass == CKO_PRIVATE_KEY) { -+ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); -+ } else if (keyClass == CKO_SECRET_KEY) { -+ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); -+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' -+ // size is greater than 0 and no invalid attributes exist -+ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; -+ } else { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " fips key exporter"); -+ } -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } finally { -+ exporterKeyP11.releaseKeyID(); -+ } -+ } -+ -+ private static void exportPrivateKey( -+ Map sensitiveAttrs, long keyType, -+ byte[] plainExportedKey) throws Throwable { -+ if (keyType == CKK_RSA) { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", -+ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, -+ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); -+ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( -+ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey -+ ); -+ CK_ATTRIBUTE attr; -+ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { -+ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); -+ } -+ if (rsaPKey instanceof RSAPrivateCrtKey) { -+ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; -+ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { -+ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { -+ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { -+ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { -+ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); -+ } -+ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { -+ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); -+ } -+ } else { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", -+ CKA_PRIVATE_EXPONENT); -+ } -+ } else if (keyType == CKK_DSA) { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); -+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' -+ // size is greater than 0 and no invalid attributes exist -+ sensitiveAttrs.get(CKA_VALUE).pValue = -+ new sun.security.provider.DSAPrivateKey(plainExportedKey) -+ .getX().toByteArray(); -+ } else if (keyType == CKK_EC) { -+ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); -+ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' -+ // size is greater than 0 and no invalid attributes exist -+ sensitiveAttrs.get(CKA_VALUE).pValue = -+ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) -+ .getS().toByteArray(); -+ } else { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " unsupported CKO_PRIVATE_KEY key type: " + keyType); -+ } -+ } -+ -+ private static void checkAttrs(Map sensitiveAttrs, -+ String keyName, long... validAttrs) -+ throws PKCS11Exception { -+ int sensitiveAttrsCount = sensitiveAttrs.size(); -+ if (sensitiveAttrsCount <= validAttrs.length) { -+ int validAttrsCount = 0; -+ for (long validAttr : validAttrs) { -+ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; -+ } -+ if (validAttrsCount == sensitiveAttrsCount) return; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ " invalid attribute types for a " + keyName + " key object"); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec( -+ (byte[])importerKeyMechanism.pParameter), null); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ if (debug != null) { -+ debug.println("Error generating the Importer Key"); -+ } -+ } -+ } -+ -+ private static void createExporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Exporter Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ byte[] exporterKeyRaw = new byte[32]; -+ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); -+ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); -+ try { -+ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); -+ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); -+ if (exporterKeyP11 != null) { -+ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, -+ new IvParameterSpec( -+ (byte[])exporterKeyMechanism.pParameter), null); -+ } -+ } catch (Throwable t) { -+ // best effort -+ exporterKey = null; -+ exporterKeyP11 = null; -+ exporterCipher = null; -+ // exporterKeyMechanism value is kept initialized to indicate that -+ // Exporter Key creation has been tried and failed. -+ if (debug != null) { -+ debug.println("Error generating the Exporter Key"); -+ } -+ } -+ } -+} -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index cae28a06d7b..1c5bd3d15ac 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -@@ -37,6 +37,8 @@ import javax.crypto.*; - import javax.crypto.interfaces.*; - import javax.crypto.spec.*; - -+import jdk.internal.access.SharedSecrets; -+ - import sun.security.rsa.RSAUtil.KeyType; - import sun.security.rsa.RSAPublicKeyImpl; - import sun.security.rsa.RSAPrivateCrtKeyImpl; -@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; - */ - abstract class P11Key implements Key, Length { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - private static final long serialVersionUID = -2575874101938349339L; - - private static final String PUBLIC = "public"; -@@ -396,8 +401,9 @@ abstract class P11Key implements Key, Length { - new CK_ATTRIBUTE(CKA_EXTRACTABLE), - }); - -- boolean keySensitive = (attrs[0].getBoolean() || -- attrs[1].getBoolean() || !attrs[2].getBoolean()); -+ boolean keySensitive = (!plainKeySupportEnabled && -+ (attrs[0].getBoolean() || -+ attrs[1].getBoolean() || !attrs[2].getBoolean())); - - switch (algorithm) { - case "RSA": -@@ -452,7 +458,8 @@ abstract class P11Key implements Key, Length { - - public String getFormat() { - token.ensureValid(); -- if (sensitive || !extractable || (isNSS && tokenObject)) { -+ if (!plainKeySupportEnabled && -+ (sensitive || !extractable || (isNSS && tokenObject))) { - return null; - } else { - return "RAW"; -@@ -1574,4 +1581,3 @@ final class SessionKeyRef extends PhantomReference { - this.clear(); - } - } -- -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 0f65a8b3221..0a406e1a2c8 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback; - - import com.sun.crypto.provider.ChaCha20Poly1305Parameters; - -+import jdk.internal.access.SharedSecrets; - import jdk.internal.misc.InnocuousThread; - import sun.security.util.Debug; - import sun.security.util.ResourcesMgr; -@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; - */ - public final class SunPKCS11 extends AuthProvider { - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ private static final MethodHandle fipsExportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ MethodHandle fipsExportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ fipsExportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "exportKey", -+ MethodType.methodType(void.class, SunPKCS11.class, -+ long.class, long.class, -+ long.class, long.class, Map.class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer-exporter" + -+ " initialization failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ fipsExportKey = fipsExportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -326,9 +361,19 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ MethodHandle fipsKeyExporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ fipsKeyExporter = MethodHandles.insertArguments( -+ fipsExportKey, 0, this); -+ } - try { -- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, -- config.getOmitInitialize()); -+ tmpPKCS11 = PKCS11.getInstance( -+ library, functionList, initArgs, -+ config.getOmitInitialize(), fipsKeyImporter, -+ fipsKeyExporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -343,8 +388,9 @@ public final class SunPKCS11 extends AuthProvider { - } else { - initArgs.flags = 0; - } -- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, -- config.getOmitInitialize()); -+ tmpPKCS11 = PKCS11.getInstance(library, -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, -+ fipsKeyExporter); - } - p11 = tmpPKCS11; - -@@ -384,6 +430,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); - } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; -+ try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); -+ } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); -+ } -+ } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 4b06daaf264..55e14945469 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.AccessController; -@@ -174,18 +177,43 @@ public class PKCS11 { - return version; - } - -+ /* -+ * Compatibility wrapper to allow this method to work as before -+ * when FIPS mode support is not active. -+ */ -+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, -+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -+ boolean omitInitialize) throws IOException, PKCS11Exception { -+ return getInstance(pkcs11ModulePath, functionList, -+ pInitArgs, omitInitialize, null, null); -+ } -+ - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter, -+ MethodHandle fipsKeyExporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null && -+ fipsKeyExporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter, fipsKeyExporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter, fipsKeyExporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1976,4 +2004,194 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. -+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ private MethodHandle fipsKeyExporter; -+ private MethodHandle hC_GetAttributeValue; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ this.fipsKeyExporter = fipsKeyExporter; -+ try { -+ hC_GetAttributeValue = MethodHandles.insertArguments( -+ MethodHandles.lookup().findSpecial(PKCS11.class, -+ "C_GetAttributeValue", MethodType.methodType( -+ void.class, long.class, long.class, -+ CK_ATTRIBUTE[].class), -+ FIPSPKCS11.class), 0, this); -+ } catch (Throwable t) { -+ throw new RuntimeException( -+ "sun.security.pkcs11.wrapper.PKCS11" + -+ "::C_GetAttributeValue method not found.", t); -+ } -+ } -+ -+ public long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+ -+ public void C_GetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, -+ fipsKeyExporter, hSession, hObject, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ private MethodHandle fipsKeyExporter; -+ private MethodHandle hC_GetAttributeValue; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) -+ throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ this.fipsKeyExporter = fipsKeyExporter; -+ try { -+ hC_GetAttributeValue = MethodHandles.insertArguments( -+ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, -+ "C_GetAttributeValue", MethodType.methodType( -+ void.class, long.class, long.class, -+ CK_ATTRIBUTE[].class), -+ SynchronizedFIPSPKCS11.class), 0, this); -+ } catch (Throwable t) { -+ throw new RuntimeException( -+ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + -+ "::C_GetAttributeValue method not found.", t); -+ } -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+ -+ public synchronized void C_GetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, -+ fipsKeyExporter, hSession, hObject, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, -+ MethodHandle fipsKeyExporter, long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ Map sensitiveAttrs = new HashMap<>(); -+ List nonSensitiveAttrs = new LinkedList<>(); -+ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, -+ sensitiveAttrs, nonSensitiveAttrs); -+ try { -+ if (sensitiveAttrs.size() > 0) { -+ long keyClass = -1L; -+ long keyType = -1L; -+ try { -+ // Secret and private keys have both class and type -+ // attributes, so we can query them at once. -+ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ -+ new CK_ATTRIBUTE(CKA_CLASS), -+ new CK_ATTRIBUTE(CKA_KEY_TYPE), -+ }; -+ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); -+ keyClass = queryAttrs[0].getLong(); -+ keyType = queryAttrs[1].getLong(); -+ } catch (PKCS11Exception e) { -+ // If the query fails, the object is neither a secret nor a -+ // private key. As this case won't be handled with the FIPS -+ // Key Exporter, we keep keyClass initialized to -1L. -+ } -+ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { -+ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, -+ sensitiveAttrs); -+ if (nonSensitiveAttrs.size() > 0) { -+ CK_ATTRIBUTE[] pNonSensitiveAttrs = -+ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; -+ int i = 0; -+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { -+ pNonSensitiveAttrs[i++] = nonSensAttr; -+ } -+ hC_GetAttributeValue.invoke(hSession, hObject, -+ pNonSensitiveAttrs); -+ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we -+ // update the reference on the previous CK_ATTRIBUTEs -+ i = 0; -+ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { -+ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; -+ } -+ } -+ return; -+ } -+ } -+ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); -+ } catch (Throwable t) { -+ if (t instanceof PKCS11Exception) { -+ throw (PKCS11Exception)t; -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR, -+ t.getMessage()); -+ } -+ } -+ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, -+ Map sensitiveAttrs, -+ List nonSensitiveAttrs) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ long type = attr.type; -+ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c -+ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || -+ type == CKA_PRIME_1 || type == CKA_PRIME_2 || -+ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || -+ type == CKA_COEFFICIENT) { -+ sensitiveAttrs.put(type, attr); -+ } else { -+ nonSensitiveAttrs.add(attr); -+ } -+ } -+ } -+} - } -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -index 8a560a2c48d..7d68520375b 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -@@ -190,6 +190,14 @@ public class PKCS11Exception extends Exception { - return "0x" + Functions.toFullHexString((int)errorCode); - } - -+ /** -+ * Constructor taking the error code from the RV enum and -+ * extra info for error message. -+ */ -+ public PKCS11Exception(RV errorEnum, String extraInfo) { -+ this(errorEnum.value, extraInfo); -+ } -+ - /** - * Constructor taking the error code (the CKR_* constants in PKCS#11) and - * extra info for error message. -diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -index 200ed63634f..fa258d736d0 100644 ---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java -@@ -38,6 +38,7 @@ import java.util.HashMap; - import java.util.Iterator; - import java.util.List; - -+import jdk.internal.access.SharedSecrets; - import sun.security.ec.ed.EdDSAAlgorithmParameters; - import sun.security.ec.ed.EdDSAKeyFactory; - import sun.security.ec.ed.EdDSAKeyPairGenerator; -@@ -56,6 +57,10 @@ public final class SunEC extends Provider { - - private static final long serialVersionUID = -2279741672933606418L; - -+ private static final boolean systemFipsEnabled = -+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled(); -+ - private static class ProviderServiceA extends ProviderService { - ProviderServiceA(Provider p, String type, String algo, String cn, - HashMap attrs) { -@@ -249,83 +254,85 @@ public final class SunEC extends Provider { - putXDHEntries(); - putEdDSAEntries(); - -- /* -- * Signature engines -- */ -- putService(new ProviderService(this, "Signature", -- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -- null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -- ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "NONEwithECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$RawinP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA1withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA224withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA384withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -- -- putService(new ProviderService(this, "Signature", -- "SHA3-224withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-256withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-384withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -- putService(new ProviderService(this, "Signature", -- "SHA3-512withECDSAinP1363Format", -- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -- -- /* -- * Key Pair Generator engine -- */ -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); -- -- /* -- * Key Agreement engine -- */ -- putService(new ProviderService(this, "KeyAgreement", -- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); -+ if (!systemFipsEnabled) { -+ /* -+ * Signature engines -+ */ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw", -+ null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "NONEwithECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$RawinP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA1withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA1inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA512withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA512inP1363Format")); -+ -+ putService(new ProviderService(this, "Signature", -+ "SHA3-224withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-256withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-384withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format")); -+ putService(new ProviderService(this, "Signature", -+ "SHA3-512withECDSAinP1363Format", -+ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format")); -+ -+ /* -+ * Key Pair Generator engine -+ */ -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "EC", "sun.security.ec.ECKeyPairGenerator", ATTRS)); -+ -+ /* -+ * Key Agreement engine -+ */ -+ putService(new ProviderService(this, "KeyAgreement", -+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS)); -+ } - } - - private void putXDHEntries() { -@@ -342,23 +349,25 @@ public final class SunEC extends Provider { - "X448", "sun.security.ec.XDHKeyFactory.X448", - ATTRS)); - -- putService(new ProviderService(this, "KeyPairGenerator", -- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -- ATTRS)); -- -- putService(new ProviderService(this, "KeyAgreement", -- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyAgreement", -- "X448", "sun.security.ec.XDHKeyAgreement.X448", -- ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "KeyAgreement", -+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyAgreement", -+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyAgreement", -+ "X448", "sun.security.ec.XDHKeyAgreement.X448", -+ ATTRS)); -+ } - } - - private void putEdDSAEntries() { -@@ -373,21 +382,23 @@ public final class SunEC extends Provider { - putService(new ProviderServiceA(this, "KeyFactory", - "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS)); - -- putService(new ProviderService(this, "KeyPairGenerator", -- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -- ATTRS)); -- putService(new ProviderServiceA(this, "KeyPairGenerator", -- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -- ATTRS)); -- -- putService(new ProviderService(this, "Signature", -- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -- putService(new ProviderServiceA(this, "Signature", -- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ if (!systemFipsEnabled) { -+ putService(new ProviderService(this, "KeyPairGenerator", -+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519", -+ ATTRS)); -+ putService(new ProviderServiceA(this, "KeyPairGenerator", -+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448", -+ ATTRS)); -+ -+ putService(new ProviderService(this, "Signature", -+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS)); -+ putService(new ProviderServiceA(this, "Signature", -+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS)); -+ } - - } - } diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index f424bd3..123816f 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -21,10 +21,6 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs -# Build a fresh libjvm.so for use in a copy of the bootstrap JDK -%bcond_without fresh_libjvm -# Build with system libraries -%bcond_with system_libs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -34,24 +30,14 @@ %global include_staticlibs 0 %endif -%if %{with system_libs} -%global system_libs 1 -%global link_type system +#palceholder - used in regexes, otherwise for no use in portables %global freetype_lib %{nil} -%else -%global system_libs 0 -%global link_type bundled -%global freetype_lib |libfreetype[.]so.* -%endif # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 %global _find_debuginfo_opts -g -# With LTO flags enabled, debuginfo checks fail for some reason. Disable -# LTO for a passing build. This really needs to be looked at. -%define _lto_cflags %{nil} # note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros # also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch @@ -121,8 +107,6 @@ %global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 # Set of architectures which use the Zero assembler port (!jit_arches) %global zero_arches ppc s390 -# Set of architectures which run a full bootstrap cycle -%global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler @@ -200,16 +184,6 @@ %global staticlibs_loop %{nil} %endif -%if 0%{?flatpak} -%global bootstrap_build false -%else -%ifarch %{bootstrap_arches} -%global bootstrap_build true -%else -%global bootstrap_build false -%endif -%endif - %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree @@ -223,14 +197,6 @@ # RPM JDK builds keep the debug symbols internal, to be later stripped by RPM %global debug_symbols internal -# unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images -%global release_targets images docs-zip -# No docs nor bootcycle for debug builds -%global debug_targets images -# Target to use to just build HotSpot -%global hotspot_target hotspot - # VM variant being built %ifarch %{zero_arches} %global vm_variant zero @@ -238,15 +204,6 @@ %global vm_variant server %endif -# Filter out flags from the optflags macro that cause problems with the OpenJDK build -# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 -# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) -# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings -# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ -%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') -%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') -%global ourldflags %{__global_ldflags} - # With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path # the initialization must be here. Later the pkg-config have buggy behavior # looks like openjdk RPM specific bug @@ -324,10 +281,7 @@ %global interimver 0 %global updatever 2 %global patchver 0 -# buildjdkver is usually same as %%{featurever}, -# but in time of bootstrap of next jdk, it is featurever-1, -# and this it is better to change it here, on single place -%global buildjdkver %{featurever} + # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -337,16 +291,6 @@ %global lts_designator "" %global lts_designator_zip "" %endif -# JDK to use for bootstrapping -%global bootjdk %{_jvmdir}/java-%{buildjdkver}-openjdk -# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so -# This will only work where the bootstrap JDK is the same major version -# as the JDK being built -%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever} -%global build_hotspot_first 1 -%else -%global build_hotspot_first 0 -%endif # Define vendor information used by OpenJDK %global oj_vendor Red Hat, Inc. @@ -371,8 +315,6 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 -# Define current Git revision for the FIPS support patches -%global fipsver d95bb40c7c8 # Standard JPackage naming and versioning defines %global origin openjdk @@ -380,7 +322,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -431,8 +373,7 @@ %global static_libs_root lib/static %global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall} %global static_libs_install_dir %{static_libs_arch_dir}/glibc -# output dir stub -%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} + # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -883,9 +824,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so -%if ! %{system_libs} -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so @@ -923,7 +861,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* +#%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* #TODO, resolve alt-java man page %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{sdkdir -- %{?1}}/lib/%{vm_variant}/ @@ -1298,6 +1236,8 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} # Prevent brp-java-repack-jars from being run %global __jar_repack 0 +%global portable_name %{name}-portable + Name: java-latest-%{origin} Version: %{newjavaver}.%{buildver} # This package needs `.rolling` as part of Release so as to not conflict on install with @@ -1338,10 +1278,6 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - -# The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz - # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). # Systemtap tapsets. Zipped up to keep it small. @@ -1350,15 +1286,6 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in -# Release notes -Source10: NEWS - -# nss configuration file -Source11: nss.cfg.in - -# Removed libraries that we link instead -Source12: remove-intree-libraries.sh - # Ensure we aren't using the limited crypto policy Source13: TestCryptoLevel.java @@ -1371,127 +1298,48 @@ Source15: TestSecurityProperties.java # Ensure vendor settings are correct Source16: CheckVendor.java -# nss fips configuration file -Source17: nss.fips.cfg.in - # Ensure translations are available for new timezones Source18: TestTranslations.java -############################################ -# -# RPM/distribution specific patches -# -############################################ - -# NSS via SunPKCS11 Provider (disabled comment -# due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch - -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - -# Crypto policy and FIPS support patches -# Patch is generated from the fips-19u tree at https://github.com/rh-openjdk/jdk/tree/fips-19u -# as follows: git diff %%{vcstag} src make > fips-19u-$(git show -s --format=%h HEAD).patch -# Diff is limited to src and make subdirectories to exclude .github changes -# Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -# RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection -# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -Patch1001: fips-19u-%{fipsver}.patch - -############################################# -# -# OpenJDK patches in need of upstreaming -# -############################################# - -############################################# -# -# OpenJDK patches which missed 19.0.2 -# -############################################# -# JDK-8297804: (tz) Update Timezone Data to 2022g -Patch2006: jdk8297804-tzdata2022g.patch -# JDK-8295447: NullPointerException with invalid pattern matching construct in constructor call -Patch2007: jdk8295447-npe_in_constructor.patch -# JDK-8296239: ISO 4217 Amendment 174 Update -Patch2008: jdk8296239-iso4217_up174.patch -# JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR -Patch2009: jdk8299439-test_for_hr.patch - -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: alsa-lib-devel -BuildRequires: binutils -BuildRequires: cups-devel +%if %{include_normal_build} +BuildRequires: %{portable_name} +BuildRequires: %{portable_name}-devel +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs +%endif +%endif +%if %{include_fastdebug_build} +BuildRequires: %{portable_name}-fastdebug +BuildRequires: %{portable_name}-devel-fastdebug +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs-fastdebug +%endif +%endif +%if %{include_debug_build} +BuildRequires: %{portable_name}-slowdebug +BuildRequires: %{portable_name}-devel-slowdebug +%if %{include_staticlibs} +BuildRequires: %{portable_name}-static-libs-slowdebug +%endif +%endif BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel -BuildRequires: fontconfig-devel -BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: libxslt -BuildRequires: libX11-devel -BuildRequires: libXi-devel -BuildRequires: libXinerama-devel -BuildRequires: libXrandr-devel -BuildRequires: libXrender-devel -BuildRequires: libXt-devel -BuildRequires: libXtst-devel -# Requirement for setting up nss.cfg and nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test BuildRequires: crypto-policies BuildRequires: pkgconfig -BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem BuildRequires: java-latest-openjdk-devel -# Zero-assembler build requirement -%ifarch %{zero_arches} -BuildRequires: libffi-devel -%endif -# 2022g required as of JDK-8297804 +# ? BuildRequires: tzdata-java >= 2022g -# Earlier versions have a bug in tree vectorization on PPC -BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif -BuildRequires: make -%if %{system_libs} -BuildRequires: freetype-devel -BuildRequires: giflib-devel -BuildRequires: harfbuzz-devel -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel -%else # Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h Provides: bundled(freetype) = 2.12.0 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h @@ -1506,7 +1354,6 @@ Provides: bundled(libjpeg) = 6b Provides: bundled(libpng) = 1.6.37 # We link statically against libstdc++ to increase portability BuildRequires: libstdc++-static -%endif # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder @@ -1816,16 +1663,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv %endif %prep - echo "Preparing %{oj_vendor_version}" -# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( -%if 0%{?stapinstall:1} - echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" -%else - %{error:Unrecognised architecture %{_target_cpu}} -%endif - if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else @@ -1849,44 +1688,33 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ exit 14 fi -%if %{with fresh_libjvm} && ! %{build_hotspot_first} -echo "WARNING: The build of a fresh libjvm has been disabled due to a JDK version mismatch" -echo "Build JDK version is %{buildjdkver}, feature JDK version is %{featurever}" -%endif - -%setup -q -c -n %{uniquesuffix ""} -T -a 0 -# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` if [ $prioritylength -ne 8 ] ; then echo "priority must be 8 digits in total, violated" exit 14 fi -# OpenJDK patches - -%if %{system_libs} -# Remove libraries that are linked by both static and dynamic builds -sh %{SOURCE12} %{top_level_dir_name} +%if %{include_normal_build} +tar -xf %{_jvmdir}/%{compatiblename}*portable.jdk.*tar.xz +#tar -xf %{_jvmdir}/%{compatiblename}*portable.jre.*tar.xz +%if %{include_staticlibs} +tar -xf %{_jvmdir}/%{compatiblename}*portable.static-libs.*tar.xz +%endif +%endif +%if %{include_fastdebug_build} +tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.jdk.*tar.xz +#tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.jre.*tar.xz +%if %{include_staticlibs} +tar -xf %{_jvmdir}/%{compatiblename}*portable.fastdebug.static-libs.*tar.xz +%endif +%endif +%if %{include_debug_build} +tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.jdk.*tar.xz +#tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.jre.*tar.xz +%if %{include_staticlibs} +tar -xf %{_jvmdir}/%{compatiblename}*portable.slowdebug.static-libs.*tar.xz +%endif %endif - -# Patch the JDK -pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 -# Add crypto policy and FIPS support -%patch1001 -p1 -# alt-java -%patch600 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -# updates which missed 19.0.2 -%patch2006 -p1 -%patch2007 -p1 -%patch2008 -p1 -%patch2009 -p1 -popd # openjdk # Extract systemtap tapsets %if %{with_systemtap} @@ -1934,147 +1762,9 @@ for file in %{SOURCE9}; do done done -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg - -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg - %build -# How many CPU's do we have? -export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) -export NUM_PROC=${NUM_PROC:-1} -%if 0%{?_smp_ncpus_max} -# Honor %%_smp_ncpus_max -[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} -%endif - -%ifarch s390x sparc64 alpha %{power64} %{aarch64} -export ARCH_DATA_MODEL=64 -%endif -%ifarch alpha -export CFLAGS="$CFLAGS -mieee" -%endif - -# We use ourcppflags because the OpenJDK build seems to -# pass EXTRA_CFLAGS to the HotSpot C++ compiler... -# Explicitly set the C++ standard as the default has changed on GCC >= 6 -EXTRA_CFLAGS="%ourcppflags" -EXTRA_CPP_FLAGS="%ourcppflags" - -%ifarch %{power64} ppc -# fix rpmlint warnings -EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" -%endif -%ifarch %{ix86} -# Align stack boundary on x86_32 -EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" -%endif -export EXTRA_CFLAGS EXTRA_CPP_FLAGS - -function buildjdk() { - local outputdir=${1} - local buildjdk=${2} - local maketargets="${3}" - local debuglevel=${4} - local link_opt=${5} - - local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} - local top_dir_abs_build_path=$(pwd)/${outputdir} - - # The OpenJDK version file includes the current - # upstream version information. For some reason, - # configure does not automatically use the - # default pre-version supplied there (despite - # what the file claims), so we pass it manually - # to configure - VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf - if [ -f ${VERSION_FILE} ] ; then - EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) - else - echo "Could not find OpenJDK version file."; - exit 16 - fi - if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then - echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; - exit 17 - fi - - # This must be set using the global, so that the - # static libraries still use a dynamic stdc++lib - if [ "x%{link_type}" = "xbundled" ] ; then - libc_link_opt="static"; - else - libc_link_opt="dynamic"; - fi - - echo "Using output directory: ${outputdir}"; - echo "Checking build JDK ${buildjdk} is operational..." - ${buildjdk}/bin/java -version - echo "Using make targets: ${maketargets}" - echo "Using debuglevel: ${debuglevel}" - echo "Using link_opt: ${link_opt}" - echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}" - - mkdir -p ${outputdir} - pushd ${outputdir} - - # Note: zlib and freetype use %{link_type} - # rather than ${link_opt} as the system versions - # are always used in a system_libs build, even - # for the static library build - bash ${top_dir_abs_src_path}/configure \ -%ifarch %{zero_arches} - --with-jvm-variants=zero \ -%endif -%ifarch %{ppc64le} - --with-jobs=1 \ -%endif - --with-version-build=%{buildver} \ - --with-version-pre="${EA_DESIGNATOR}" \ - --with-version-opt=%{lts_designator} \ - --with-vendor-version-string="%{oj_vendor_version}" \ - --with-vendor-name="%{oj_vendor}" \ - --with-vendor-url="%{oj_vendor_url}" \ - --with-vendor-bug-url="%{oj_vendor_bug_url}" \ - --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ - --with-boot-jdk=${buildjdk} \ - --with-debug-level=${debuglevel} \ - --with-native-debug-symbols="%{debug_symbols}" \ - --disable-sysconf-nss \ - --enable-unlimited-crypto \ - --with-zlib=%{link_type} \ - --with-freetype=%{link_type} \ - --with-libjpeg=${link_opt} \ - --with-giflib=${link_opt} \ - --with-libpng=${link_opt} \ - --with-lcms=${link_opt} \ - --with-harfbuzz=${link_opt} \ - --with-stdc++lib=${libc_link_opt} \ - --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ - --with-extra-cflags="$EXTRA_CFLAGS" \ - --with-extra-ldflags="%{ourldflags}" \ - --with-num-cores="$NUM_PROC" \ - --with-source-date="${SOURCE_DATE_EPOCH}" \ - --disable-javac-server \ -%ifarch %{zgc_arches} - --with-jvm-features=zgc \ -%endif - --disable-warnings-as-errors - - cat spec.gmk - - make \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) - - popd -} - +%install function installjdk() { local imagepath=${1} @@ -2090,10 +1780,9 @@ function installjdk() { find ${imagepath}/bin/ -exec chmod +x {} \; # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ - + #is already there from portables # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + #is already there from portables # Turn on system security properties sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ @@ -2108,12 +1797,8 @@ function installjdk() { # Install cacerts symlink needed by some apps which hard-code the path ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # alt-java man and bianry are here from portables. Or not? fi } @@ -2193,94 +1878,48 @@ EOF fi } -%if %{build_hotspot_first} - # Build a fresh libjvm.so first and use it to bootstrap - cp -LR --preserve=mode,timestamps %{bootjdk} newboot - systemjdk=$(pwd)/newboot - buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" - mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} -%else - systemjdk=%{bootjdk} -%endif - for suffix in %{build_loop} ; do - if [ "x$suffix" = "x" ] ; then - debugbuild=release + debugbuild="" else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` + # change -something to .something + debugbuild=`echo $suffix | sed "s/-/./g"` fi - - - for loop in %{main_suffix} %{staticlibs_loop} ; do - - builddir=%{buildoutputdir -- ${suffix}${loop}} - bootbuilddir=boot${builddir} - - if test "x${loop}" = "x%{main_suffix}" ; then - link_opt="%{link_type}" -%if %{system_libs} - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full -%endif - # Debug builds don't need same targets as release for - # build speed-up. We also avoid bootstrapping these - # slower builds. - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - run_bootstrap=false - else - maketargets="%{release_targets}" - run_bootstrap=%{bootstrap_build} - fi - if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - rm -rf ${bootbuilddir} - else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi -%if %{system_libs} - # Restore original source tree we modified by removing full in-tree sources - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -%endif - else - # Use bundled libraries for building statically - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" - # Always just do the one build for the static libraries - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + # Final setup on the untarred images + # TODO revisit. jre may be complety useless to unpack and process, + # as all the files are taken from JDK tarball ans put to packages manually. + # jre tarball may be usefull for checking integrity of jre and jre headless subpackages + #for jdkjre in jdk jre ; do + for jdkjre in jdk ; do + buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.${jdkjre}*` + top_dir_abs_main_build_path=$(pwd)/${buildoutputdir} + installjdk ${top_dir_abs_main_build_path} + # Check debug symbols were built into the dynamic libraries + if [ $jdkjre == jdk ] ; then + #jdk only? + debugcheckjdk ${top_dir_abs_main_build_path} fi - - done # end of main / staticlibs loop - - # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} - installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - # Check debug symbols were built into the dynamic libraries - debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - - # Print release information - cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release - + # Print release information + cat ${top_dir_abs_main_build_path}/release + done # build cycles done # end of release / debug cycle loop -%install STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do - -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + if [ "x$suffix" = "x" ] ; then + debugbuild="" + else + # change -something to .something + debugbuild=`echo $suffix | sed "s/-/./g"` + fi + buildoutputdir=`ls -d %{compatiblename}*portable${debugbuild}.jdk*` + top_dir_abs_main_build_path=$(pwd)/${buildoutputdir} %if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} + top_dir_abs_staticlibs_build_path=`ls -d $top_dir_abs_main_build_path/lib/static/*/glibc/` %endif -jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} + jdk_image=${top_dir_abs_main_build_path} # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} @@ -2292,7 +1931,7 @@ pushd ${jdk_image} # Install systemtap support files install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset # note, that uniquesuffix is in BUILD dir in this case - cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ + cp -a $RPM_BUILD_DIR/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ tapsetFiles=`ls *.stp` popd @@ -2315,8 +1954,7 @@ pushd ${jdk_image} # Convert man pages to UTF8 encoding iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp mv -f $manpage.tmp $manpage - install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \ - $manpage .1)-%{uniquesuffix -- $suffix}.1 + install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename $manpage .1)-%{uniquesuffix -- $suffix}.1 done # Remove man pages from jdk image rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man @@ -2326,29 +1964,34 @@ popd # Install static libs artefacts %if %{include_staticlibs} mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} -cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} +cp -a ${top_dir_abs_staticlibs_build_path}/*.a $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} %endif if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ - $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ + install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=javadocs.zip + cp -a ${top_dir_abs_main_build_path}/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path} + pushd $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + unzip ${top_dir_abs_main_build_path}/${built_doc_archive} + popd fi # Install release notes commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} -cp -a %{SOURCE10} ${commondocdir} +cp -a ${top_dir_abs_main_build_path}/NEWS ${commondocdir} # Install icons and menu entries for s in 16 24 32 48 ; do + # TODO!! publish in portables! + mkdir -p ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/ #remove this line to once published + echo "PALCEHOLDER TODO REMOVE.ME" > ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png install -D -p -m 644 \ - %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ - $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png + ${buildoutputdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ + $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png done # Install desktop files @@ -2375,11 +2018,18 @@ pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib popd # end moving files to /etc +#TODO this is done also i portables and in install jdk. But hard to say where the operation will hapen at the end # stabilize permissions find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; +#TODO conslut this clean up +rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/NEWS #is in commondocdir. Ok ot go, or also pack +if [ "x$suffix" = "x" ] ; then + rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/javadocs.zip #is in subpackages, 1 renamed, 2nd unpacked +fi +rm $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/libfreetype.so #bug in portables? bug in rpms? # end, dual install done @@ -2426,15 +2076,17 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" +#TODO skipped vendor check. It now points to PORTABLE version of jdk. +#$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" %if ! 0%{?flatpak} # Check translations are available for new timezones (during flatpak builds, the # tzdb.dat used by this test is not where the test expects it, so this is # disabled for flatpak builds) $JAVA_HOME/bin/javac -d . %{SOURCE18} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE -$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR +#TODO doublecheck tzdata handling +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE || echo "TZDATA no longer can be synced with system, because we repack" +$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR || echo "TZDATA no longer can be synced with system, because we repack" %endif %if %{include_staticlibs} @@ -2704,6 +2356,15 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jan 26 2023 Jiri Vanek - 1:19.0.2.0.7-2.rolling +- repacked portables +- todo icons +- disabled tzdata tests - todo, resolve +- left some duplicated "final tunings" +- todo, lost alt java manpage.. probably already in portables +- TODO conslut this clean up - javdoc, freetype and NEWS +- todo, debuginfo + * Thu Jan 26 2023 Andrew Hughes - 1:19.0.2.0.7-1.rolling - Update to jdk-19.0.2 release - Update release notes to 19.0.2 diff --git a/jdk8295447-npe_in_constructor.patch b/jdk8295447-npe_in_constructor.patch deleted file mode 100644 index 180b343..0000000 --- a/jdk8295447-npe_in_constructor.patch +++ /dev/null @@ -1,97 +0,0 @@ -commit c9d485792b99233f381dcdfd69838e7b973909bd -Author: Victor Rudometov -Date: Thu Dec 1 10:57:43 2022 +0000 - - 8295447: NullPointerException with invalid pattern matching construct in constructor call - - Backport-of: 6c05771b9be3dd5cbcdb40d2e53cc53959926cdd - -diff --git a/src/jdk.compiler/share/classes/com/sun/tools/javac/comp/Attr.java b/src/jdk.compiler/share/classes/com/sun/tools/javac/comp/Attr.java -index 21cc8e57e1f..46b076d3d03 100644 ---- a/src/jdk.compiler/share/classes/com/sun/tools/javac/comp/Attr.java -+++ b/src/jdk.compiler/share/classes/com/sun/tools/javac/comp/Attr.java -@@ -4145,6 +4145,10 @@ public class Attr extends JCTree.Visitor { - Type exprType, - Type pattType) { - Warner warner = new Warner(); -+ // if any type is erroneous, the problem is reported elsewhere -+ if (exprType.isErroneous() || pattType.isErroneous()) { -+ return false; -+ } - if (!types.isCastable(exprType, pattType, warner)) { - chk.basicHandler.report(pos, - diags.fragment(Fragments.InconvertibleTypes(exprType, pattType))); -@@ -4206,7 +4210,7 @@ public class Attr extends JCTree.Visitor { - tree.record = record; - } else { - log.error(tree.pos(), Errors.DeconstructionPatternOnlyRecords(site.tsym)); -- expectedRecordTypes = Stream.generate(() -> Type.noType) -+ expectedRecordTypes = Stream.generate(() -> types.createErrorType(tree.type)) - .limit(tree.nested.size()) - .collect(List.collector()); - } -diff --git a/test/langtools/tools/javac/T8295447.java b/test/langtools/tools/javac/T8295447.java -new file mode 100644 -index 00000000000..76fcaf10f8d ---- /dev/null -+++ b/test/langtools/tools/javac/T8295447.java -@@ -0,0 +1,46 @@ -+/* -+ * Copyright (c) 2010, 2022, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+/** -+ * @test -+ * @bug 8295447 -+ * @summary NullPointerException with invalid pattern matching construct in constructor call -+ * @modules jdk.compiler -+ * @compile/fail/ref=T8295447.out -XDrawDiagnostics --enable-preview -source ${jdk.version} T8295447.java -+ */ -+public class T8295447 { -+ class Foo { -+ void m(Object o) { -+ if(o instanceof Foo(int x)) {} -+ } -+ -+ Foo(Object o) { -+ m((o instanceof Foo(int x))? 0 : 1); -+ } -+ void m(int i) { } -+ } -+ -+ class Base { int i; Base(int j) { i = j; } } -+ class Sub extends Base { -+ Sub(Object o) { super(o instanceof java.awt.Point(int x, int y)? x + y: 0); } -+ } -+} -diff --git a/test/langtools/tools/javac/T8295447.out b/test/langtools/tools/javac/T8295447.out -new file mode 100644 -index 00000000000..7f6746f802f ---- /dev/null -+++ b/test/langtools/tools/javac/T8295447.out -@@ -0,0 +1,6 @@ -+T8295447.java:33:29: compiler.err.deconstruction.pattern.only.records: T8295447.Foo -+T8295447.java:37:29: compiler.err.deconstruction.pattern.only.records: T8295447.Foo -+T8295447.java:44:44: compiler.err.deconstruction.pattern.only.records: java.awt.Point -+- compiler.note.preview.filename: T8295447.java, DEFAULT -+- compiler.note.preview.recompile -+3 errors -\ No newline at end of file diff --git a/jdk8296239-iso4217_up174.patch b/jdk8296239-iso4217_up174.patch deleted file mode 100644 index 00f6d7c..0000000 --- a/jdk8296239-iso4217_up174.patch +++ /dev/null @@ -1,79 +0,0 @@ -commit bf899de7aa8cc862ed123865b9aa26e06d96a7de -Author: duke -Date: Thu Jan 26 00:55:32 2023 +0000 - - Backport fd837649811c866c144c9133d211fb5ad8f994a7 - -diff --git a/src/java.base/share/data/currency/CurrencyData.properties b/src/java.base/share/data/currency/CurrencyData.properties -index 688de592c7b..d234c96c476 100644 ---- a/src/java.base/share/data/currency/CurrencyData.properties -+++ b/src/java.base/share/data/currency/CurrencyData.properties -@@ -32,7 +32,7 @@ formatVersion=3 - # Version of the currency code information in this class. - # It is a serial number that accompanies with each amendment. - --dataVersion=173 -+dataVersion=174 - - # List of all valid ISO 4217 currency codes. - # To ensure compatibility, do not remove codes. -@@ -189,7 +189,7 @@ CR=CRC - # COTE D'IVOIRE - CI=XOF - # CROATIA --HR=HRK -+HR=HRK;2022-12-31-23-00-00;EUR - # CUBA - CU=CUP - # Cura\u00e7ao -diff --git a/test/jdk/java/util/Currency/ValidateISO4217.java b/test/jdk/java/util/Currency/ValidateISO4217.java -index b7e64f318b1..b6a91835b19 100644 ---- a/test/jdk/java/util/Currency/ValidateISO4217.java -+++ b/test/jdk/java/util/Currency/ValidateISO4217.java -@@ -24,7 +24,7 @@ - * @test - * @bug 4691089 4819436 4942982 5104960 6544471 6627549 7066203 7195759 - * 8039317 8074350 8074351 8145952 8187946 8193552 8202026 8204269 -- * 8208746 8209775 8264792 8274658 8283277 -+ * 8208746 8209775 8264792 8274658 8283277 8296239 - * @summary Validate ISO 4217 data for Currency class. - * @modules java.base/java.util:open - * jdk.localedata -@@ -34,7 +34,7 @@ - * ############################################################################ - * - * ValidateISO4217 is a tool to detect differences between the latest ISO 4217 -- * data and and Java's currency data which is based on ISO 4217. -+ * data and Java's currency data which is based on ISO 4217. - * If there is a difference, the following file which includes currency data - * may need to be updated. - * src/share/classes/java/util/CurrencyData.properties -diff --git a/test/jdk/java/util/Currency/tablea1.txt b/test/jdk/java/util/Currency/tablea1.txt -index 3e107823042..3eef0eba00e 100644 ---- a/test/jdk/java/util/Currency/tablea1.txt -+++ b/test/jdk/java/util/Currency/tablea1.txt -@@ -1,12 +1,12 @@ - # - # --# Amendments up until ISO 4217 AMENDMENT NUMBER 173 --# (As of 23 September 2022) -+# Amendments up until ISO 4217 AMENDMENT NUMBER 174 -+# (As of 2 November 2022) - # - - # Version - FILEVERSION=3 --DATAVERSION=173 -+DATAVERSION=174 - - # ISO 4217 currency data - AF AFN 971 2 -@@ -67,7 +67,7 @@ CD CDF 976 2 - CK NZD 554 2 - CR CRC 188 2 - CI XOF 952 0 --HR HRK 191 2 -+HR HRK 191 2 2022-12-31-23-00-00 EUR 978 2 - CU CUP 192 2 - CW ANG 532 2 - CY EUR 978 2 diff --git a/jdk8297804-tzdata2022g.patch b/jdk8297804-tzdata2022g.patch deleted file mode 100644 index 769fa95..0000000 --- a/jdk8297804-tzdata2022g.patch +++ /dev/null @@ -1,682 +0,0 @@ -commit c560f395ae688867089ba3ea3acaf2c17afb0c35 -Author: duke -Date: Wed Dec 7 00:41:54 2022 +0000 - - Backport ce896731d38866c2bf99cd49525062e150d94160 - -diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml -index ddbccff077c..57d81ed48ec 100644 ---- a/make/data/cldr/common/bcp47/timezone.xml -+++ b/make/data/cldr/common/bcp47/timezone.xml -@@ -280,6 +280,7 @@ For terms of use, see http://www.unicode.org/copyright.html - - - -+ - - - -diff --git a/make/data/cldr/common/main/root.xml b/make/data/cldr/common/main/root.xml -index 3a9ec1e33ba..1d09e037fd9 100644 ---- a/make/data/cldr/common/main/root.xml -+++ b/make/data/cldr/common/main/root.xml -@@ -2958,6 +2958,18 @@ Warnings: All cp values have U+FE0F characters removed. See /annotationsDerived/ - - Ho Chi Minh - -+ -+ Bahía de Banderas -+ -+ -+ Cancún -+ -+ -+ Ciudad Juárez -+ -+ -+ Mérida -+ - - - -diff --git a/make/data/cldr/common/supplemental/metaZones.xml b/make/data/cldr/common/supplemental/metaZones.xml -index bfdadad6ba2..a0204c2aa25 100644 ---- a/make/data/cldr/common/supplemental/metaZones.xml -+++ b/make/data/cldr/common/supplemental/metaZones.xml -@@ -333,6 +333,12 @@ For terms of use, see http://www.unicode.org/copyright.html - - - -+ -+ -+ -+ -+ -+ - - - -@@ -621,8 +627,7 @@ For terms of use, see http://www.unicode.org/copyright.html - - - -- -- -+ - - - -diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -index db892dbb595..bf7918659ae 100644 ---- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -@@ -430,6 +430,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle { - "French Guiana Time", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/java.base/share/data/tzdata/VERSION b/src/java.base/share/data/tzdata/VERSION -index b8d9ae74fbd..0f328a4a7ff 100644 ---- a/src/java.base/share/data/tzdata/VERSION -+++ b/src/java.base/share/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022f -+tzdata2022g -diff --git a/src/java.base/share/data/tzdata/africa b/src/java.base/share/data/tzdata/africa -index cbf6322c4ee..830d7d10b7e 100644 ---- a/src/java.base/share/data/tzdata/africa -+++ b/src/java.base/share/data/tzdata/africa -@@ -611,6 +611,10 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis - # Agalega Is, Rodriguez - # no information; probably like Indian/Mauritius - -+ -+# Morocco -+# See Africa/Ceuta for Spanish Morocco. -+ - # From Alex Krivenyshev (2008-05-09): - # Here is an article that Morocco plan to introduce Daylight Saving Time between - # 1 June, 2008 and 27 September, 2008. -diff --git a/src/java.base/share/data/tzdata/asia b/src/java.base/share/data/tzdata/asia -index 89784bf4c33..ff81978bc47 100644 ---- a/src/java.base/share/data/tzdata/asia -+++ b/src/java.base/share/data/tzdata/asia -@@ -3608,7 +3608,7 @@ Zone Asia/Singapore 6:55:25 - LMT 1901 Jan 1 - 7:20 - +0720 1941 Sep 1 - 7:30 - +0730 1942 Feb 16 - 9:00 - +09 1945 Sep 12 -- 7:30 - +0730 1982 Jan 1 -+ 7:30 - +0730 1981 Dec 31 16:00u - 8:00 - +08 - - # Spratly Is -diff --git a/src/java.base/share/data/tzdata/backward b/src/java.base/share/data/tzdata/backward -index 1fb087a6d87..fa44f655009 100644 ---- a/src/java.base/share/data/tzdata/backward -+++ b/src/java.base/share/data/tzdata/backward -@@ -290,6 +290,7 @@ Link America/Tijuana America/Ensenada - Link America/Indiana/Indianapolis America/Fort_Wayne - Link America/Toronto America/Montreal - Link America/Toronto America/Nipigon -+Link America/Iqaluit America/Pangnirtung - Link America/Rio_Branco America/Porto_Acre - Link America/Winnipeg America/Rainy_River - Link America/Argentina/Cordoba America/Rosario -diff --git a/src/java.base/share/data/tzdata/europe b/src/java.base/share/data/tzdata/europe -index f88730002ca..acc5da3ec79 100644 ---- a/src/java.base/share/data/tzdata/europe -+++ b/src/java.base/share/data/tzdata/europe -@@ -1126,7 +1126,30 @@ Zone Atlantic/Faroe -0:27:04 - LMT 1908 Jan 11 # Tórshavn - # "National Park" by Executive Order: - # http://naalakkersuisut.gl/~/media/Nanoq/Files/Attached%20Files/Engelske-tekster/Legislation/Executive%20Order%20National%20Park.rtf - # It is their only National Park. --# -+ -+# From Jonas Nyrup (2022-11-24): -+# On last Saturday in October 2023 when DST ends America/Nuuk will switch -+# from -03/-02 to -02/-01 -+# https://sermitsiaq.ag/forslagtidsforskel-danmark-mindskes-sommertid-beholdes -+# ... -+# https://sermitsiaq.ag/groenland-skifte-tidszone-trods-bekymringer -+# -+# From Jürgen Appel (2022-11-25): -+# https://ina.gl/samlinger/oversigt-over-samlinger/samling/dagsordener/dagsorden.aspx?lang=da&day=24-11-2022 -+# If I understand this correctly, from the next planned switch to -+# summer time, Greenland will permanently stay at that time, i.e. no -+# switch back to winter time in 2023 will occur. -+# -+# From Paul Eggert (2022-11-28): -+# The official document in Danish -+# https://naalakkersuisut.gl/-/media/naalakkersuisut/filer/kundgoerelser/2022/11/2511/31_da_inatsisartutlov-om-tidens-bestemmelse.pdf?la=da&hash=A33597D8A38CC7038465241119EF34F3 -+# says standard time for Greenland is -02, that Naalakkersuisut can lay down -+# rules for DST and can require some areas to use a different time zone, -+# and that this all takes effect 2023-03-25 22:00. The abovementioned -+# "bekymringer" URL says the intent is no transition March 25, that -+# Greenland will not go back to winter time in fall 2023, and that -+# only America/Nuuk is affected (though further changes may occur). -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D - Rule Thule 1991 1992 - Sep lastSun 2:00 0 S -@@ -1149,7 +1172,8 @@ Zone America/Scoresbysund -1:27:52 - LMT 1916 Jul 28 # Ittoqqortoormiit - -1:00 EU -01/+00 - Zone America/Nuuk -3:26:56 - LMT 1916 Jul 28 # Godthåb - -3:00 - -03 1980 Apr 6 2:00 -- -3:00 EU -03/-02 -+ -3:00 EU -03/-02 2023 Mar 25 22:00 -+ -2:00 - -02 - Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik - -4:00 Thule A%sT - -diff --git a/src/java.base/share/data/tzdata/iso3166.tab b/src/java.base/share/data/tzdata/iso3166.tab -index 544b3034c17..fbfb74bec45 100644 ---- a/src/java.base/share/data/tzdata/iso3166.tab -+++ b/src/java.base/share/data/tzdata/iso3166.tab -@@ -26,13 +26,13 @@ - # This file is in the public domain, so clarified as of - # 2009-05-17 by Arthur David Olson. - # --# From Paul Eggert (2015-05-02): -+# From Paul Eggert (2022-11-18): - # This file contains a table of two-letter country codes. Columns are - # separated by a single tab. Lines beginning with '#' are comments. - # All text uses UTF-8 encoding. The columns of the table are as follows: - # - # 1. ISO 3166-1 alpha-2 country code, current as of --# ISO 3166-1 N976 (2018-11-06). See: Updates on ISO 3166-1 -+# ISO 3166-1 N1087 (2022-09-02). See: Updates on ISO 3166-1 - # https://isotc.iso.org/livelink/livelink/Open/16944257 - # 2. The usual English name for the coded region, - # chosen so that alphabetic sorting of subsets produces helpful lists. -@@ -261,7 +261,7 @@ SY Syria - SZ Eswatini (Swaziland) - TC Turks & Caicos Is - TD Chad --TF French Southern & Antarctic Lands -+TF French Southern Territories - TG Togo - TH Thailand - TJ Tajikistan -diff --git a/src/java.base/share/data/tzdata/northamerica b/src/java.base/share/data/tzdata/northamerica -index 465e8c234ed..a5fd701f88c 100644 ---- a/src/java.base/share/data/tzdata/northamerica -+++ b/src/java.base/share/data/tzdata/northamerica -@@ -1992,6 +1992,37 @@ Zone America/Fort_Nelson -8:10:47 - LMT 1884 - - # Northwest Territories, Nunavut, Yukon - -+# From Chris Walton (2022-11-06): -+# Whitehorse Star - Thursday April 22, 1965 - page 1 -+# title: DST Starts Monday ... -+# https://www.newspapers.com/image/578587481/ -+# The title of this first article is wrong and/or misleading. -+# Also, the start time shown in the article is vague; it simply says "after -+# midnight" when it probably should have stated 2:00a.m.... -+# -+# Whitehorse Star - Monday October 25, 1965 - page 15 ... -+# https://www.newspapers.com/image/578589147/ -+# The 1965 Yukon Council minutes can be found here: -+# http://assets.yukonarchives.ca/PER_YG_06_1965_C20_S02_v1.pdf -+# ... I do not currently believe that NWT touched any of its clocks in 1965.... -+# -+# Whitehorse Star - Thursday Feb 24,1966 - page 2 -+# title: It's Time for YDT ... -+# https://www.newspapers.com/image/578575979/ ... -+# America/Whitehorse as a permanent change from UTC-9(YST) to -+# UTC-8(PST) at 00:00 on Sunday February 27, 1966.... -+# -+# Whitehorse Star - Friday April 28,1972 - page 6 -+# title: Daylight Saving Time for N.W.T.... -+# https://www.newspapers.com/image/578701610/ ... -+# Nunavut and NWT zones ... DST starting in 1972.... Start and End ... -+# should be the same as the rest of Canada -+# -+# -+# From Paul Eggert (2022-11-06): -+# For now, assume Yukon's 1965-04-22 spring forward was 00:00 -> 02:00, as this -+# seems likely than 02:00 -> 04:00 and matches "after midnight". -+ - # From Paul Eggert (2006-03-22): - # Dawson switched to PST in 1973. Inuvik switched to MST in 1979. - # Mathew Englander (1996-10-07) gives the following refs: -@@ -2106,6 +2137,13 @@ Zone America/Fort_Nelson -8:10:47 - LMT 1884 - # * Interpretation Act, RSY 2002, c 125 - # https://www.canlii.org/en/yk/laws/stat/rsy-2002-c-125/latest/rsy-2002-c-125.html - -+# From Chris Walton (2022-11-06): -+# The 5th edition of the Atlas of Canada contains a time zone map that -+# shows both legislated and observed time zone boundaries. -+# All communities on Baffin Island are shown to be observing Eastern time. -+# The date on the map is 1984. -+# https://ftp.maps.canada.ca/pub/nrcan_rncan/raster/atlas_5_ed/eng/other/referencemaps/mcr4056.pdf -+ - # From Rives McDow (1999-09-04): - # Nunavut ... moved ... to incorporate the whole territory into one time zone. - # Nunavut moves to single time zone Oct. 31 -@@ -2118,40 +2156,7 @@ Zone America/Fort_Nelson -8:10:47 - LMT 1884 - # From Paul Eggert (1999-09-20): - # Basic Facts: The New Territory - # http://www.nunavut.com/basicfacts/english/basicfacts_1territory.html --# (1999) reports that Pangnirtung operates on eastern time, --# and that Coral Harbour does not observe DST. We don't know when --# Pangnirtung switched to eastern time; we'll guess 1995. -- --# From Rives McDow (1999-11-08): --# On October 31, when the rest of Nunavut went to Central time, --# Pangnirtung wobbled. Here is the result of their wobble: --# --# The following businesses and organizations in Pangnirtung use Central Time: --# --# First Air, Power Corp, Nunavut Construction, Health Center, RCMP, --# Eastern Arctic National Parks, A & D Specialist --# --# The following businesses and organizations in Pangnirtung use Eastern Time: --# --# Hamlet office, All other businesses, Both schools, Airport operator --# --# This has made for an interesting situation there, which warranted the news. --# No one there that I spoke with seems concerned, or has plans to --# change the local methods of keeping time, as it evidently does not --# really interfere with any activities or make things difficult locally. --# They plan to celebrate New Year's turn-over twice, one hour apart, --# so it appears that the situation will last at least that long. --# The Nunavut Intergovernmental Affairs hopes that they will "come to --# their senses", but the locals evidently don't see any problem with --# the current state of affairs. -- --# From Michaela Rodrigue, writing in the --# Nunatsiaq News (1999-11-19): --# http://www.nunatsiaqonline.ca/archives/nunavut991130/nvt91119_17.html --# Clyde River, Pangnirtung and Sanikiluaq now operate with two time zones, --# central - or Nunavut time - for government offices, and eastern time --# for municipal offices and schools.... Igloolik [was similar but then] --# made the switch to central time on Saturday, Nov. 6. -+# (1999) reports that ... Coral Harbour does not observe DST. - - # From Paul Eggert (2000-10-02): - # Matthews and Vincent (1998) say the following, but we lack histories -@@ -2310,18 +2315,12 @@ Rule NT_YK 1919 only - Nov 1 0:00 0 S - Rule NT_YK 1942 only - Feb 9 2:00 1:00 W # War - Rule NT_YK 1945 only - Aug 14 23:00u 1:00 P # Peace - Rule NT_YK 1945 only - Sep 30 2:00 0 S --Rule NT_YK 1965 only - Apr lastSun 0:00 2:00 DD --Rule NT_YK 1965 only - Oct lastSun 2:00 0 S --Rule NT_YK 1980 1986 - Apr lastSun 2:00 1:00 D --Rule NT_YK 1980 2006 - Oct lastSun 2:00 0 S -+Rule NT_YK 1972 1986 - Apr lastSun 2:00 1:00 D -+Rule NT_YK 1972 2006 - Oct lastSun 2:00 0 S - Rule NT_YK 1987 2006 - Apr Sun>=1 2:00 1:00 D -+Rule Yukon 1965 only - Apr lastSun 0:00 2:00 DD -+Rule Yukon 1965 only - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --# aka Panniqtuuq --Zone America/Pangnirtung 0 - -00 1921 # trading post est. -- -4:00 NT_YK A%sT 1995 Apr Sun>=1 2:00 -- -5:00 Canada E%sT 1999 Oct 31 2:00 -- -6:00 Canada C%sT 2000 Oct 29 2:00 -- -5:00 Canada E%sT - # formerly Frobisher Bay - Zone America/Iqaluit 0 - -00 1942 Aug # Frobisher Bay est. - -5:00 NT_YK E%sT 1999 Oct 31 2:00 -@@ -2354,13 +2353,15 @@ Zone America/Inuvik 0 - -00 1953 # Inuvik founded - -7:00 NT_YK M%sT 1980 - -7:00 Canada M%sT - Zone America/Whitehorse -9:00:12 - LMT 1900 Aug 20 -- -9:00 NT_YK Y%sT 1967 May 28 0:00 -- -8:00 NT_YK P%sT 1980 -+ -9:00 NT_YK Y%sT 1965 -+ -9:00 Yukon Y%sT 1966 Feb 27 0:00 -+ -8:00 - PST 1980 - -8:00 Canada P%sT 2020 Nov 1 - -7:00 - MST - Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 -- -9:00 NT_YK Y%sT 1973 Oct 28 0:00 -- -8:00 NT_YK P%sT 1980 -+ -9:00 NT_YK Y%sT 1965 -+ -9:00 Yukon Y%sT 1973 Oct 28 0:00 -+ -8:00 - PST 1980 - -8:00 Canada P%sT 2020 Nov 1 - -7:00 - MST - -@@ -2582,6 +2583,14 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 - # This abolishes DST except where US DST rules are observed, - # and in addition changes all of Chihuahua to -06 with no DST. - -+# From Heitor David Pinto (2022-11-28): -+# Now the northern municipalities want to have the same time zone as the -+# respective neighboring cities in the US, for example Juárez in UTC-7 with -+# DST, matching El Paso, and Ojinaga in UTC-6 with DST, matching Presidio.... -+# the president authorized the publication of the decree for November 29, -+# so the time change would occur on November 30 at 0:00. -+# http://puentelibre.mx/noticia/ciudad_juarez_cambio_horario_noviembre_2022/ -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Mexico 1931 only - May 1 23:00 1:00 D - Rule Mexico 1931 only - Oct 1 0:00 0 S -@@ -2613,14 +2622,12 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u - -6:00 Mexico C%sT - # Coahuila, Nuevo León, Tamaulipas (near US border) - # This includes the following municipalities: --# in Coahuila: Ocampo, Acuña, Zaragoza, Jiménez, Piedras Negras, Nava, --# Guerrero, Hidalgo. --# in Nuevo León: Anáhuac, Los Aldama. -+# in Coahuila: Acuña, Allende, Guerrero, Hidalgo, Jiménez, Morelos, Nava, -+# Ocampo, Piedras Negras, Villa Unión, Zaragoza -+# in Nuevo León: Anáhuac - # in Tamaulipas: Nuevo Laredo, Guerrero, Mier, Miguel Alemán, Camargo, - # Gustavo Díaz Ordaz, Reynosa, Río Bravo, Valle Hermoso, Matamoros. --# See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, --# 2016-03-12 --# http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza -+# https://www.dof.gob.mx/nota_detalle.php?codigo=5670045&fecha=28/10/2022 - Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 -@@ -2639,10 +2646,24 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u - -6:00 Mexico C%sT 2001 Sep 30 2:00 - -6:00 - CST 2002 Feb 20 - -6:00 Mexico C%sT --# Chihuahua (near US border) -+# Chihuahua (near US border - western side) - # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, --# Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. --# (See the 2016-03-12 El Universal source mentioned above.) -+# and Práxedis G Guerrero. -+# http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf -+Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u -+ -7:00 - MST 1927 Jun 10 23:00 -+ -6:00 - CST 1930 Nov 15 -+ -7:00 Mexico M%sT 1932 Apr 1 -+ -6:00 - CST 1996 -+ -6:00 Mexico C%sT 1998 -+ -6:00 - CST 1998 Apr Sun>=1 3:00 -+ -7:00 Mexico M%sT 2010 -+ -7:00 US M%sT 2022 Oct 30 2:00 -+ -6:00 - CST 2022 Nov 30 0:00 -+ -7:00 US M%sT -+# Chihuahua (near US border - eastern side) -+# The municipalities of Coyame del Sotol, Ojinaga, and Manuel Benavides. -+# http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf - Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -@@ -2652,7 +2673,8 @@ Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT 2010 - -7:00 US M%sT 2022 Oct 30 2:00 -- -6:00 - CST -+ -6:00 - CST 2022 Nov 30 0:00 -+ -6:00 US C%sT - # Chihuahua (away from US border) - Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 -@@ -2674,6 +2696,18 @@ Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u - -7:00 Mexico M%sT 1999 - -7:00 - MST - -+# Baja California Sur, Nayarit (except Bahía de Banderas), Sinaloa -+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u -+ -7:00 - MST 1927 Jun 10 23:00 -+ -6:00 - CST 1930 Nov 15 -+ -7:00 Mexico M%sT 1932 Apr 1 -+ -6:00 - CST 1942 Apr 24 -+ -7:00 - MST 1949 Jan 14 -+ -8:00 - PST 1970 -+ -7:00 Mexico M%sT -+ -+# Bahía de Banderas -+ - # From Alexander Krivenyshev (2010-04-21): - # According to news, Bahía de Banderas (Mexican state of Nayarit) - # changed time zone UTC-7 to new time zone UTC-6 on April 4, 2010 (to -@@ -2701,17 +2735,6 @@ Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u - # From Arthur David Olson (2010-05-01): - # Use "Bahia_Banderas" to keep the name to fourteen characters. - --# Mazatlán --Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u -- -7:00 - MST 1927 Jun 10 23:00 -- -6:00 - CST 1930 Nov 15 -- -7:00 Mexico M%sT 1932 Apr 1 -- -6:00 - CST 1942 Apr 24 -- -7:00 - MST 1949 Jan 14 -- -8:00 - PST 1970 -- -7:00 Mexico M%sT -- --# Bahía de Banderas - Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -diff --git a/src/java.base/share/data/tzdata/southamerica b/src/java.base/share/data/tzdata/southamerica -index 982ad09c408..81fdd793df4 100644 ---- a/src/java.base/share/data/tzdata/southamerica -+++ b/src/java.base/share/data/tzdata/southamerica -@@ -1441,9 +1441,14 @@ Zone Antarctica/Palmer 0 - -00 1965 - # Milne gives 4:56:16.4 for Bogotá time in 1899. He writes, - # "A variation of fifteen minutes in the public clocks of Bogota is not rare." - -+# From Alois Treindl (2022-11-10): -+# End of time change in Colombia 1993 ... should be 6 February 24h ... -+# DECRETO 267 DE 1993 -+# https://www.suin-juriscol.gov.co/viewDocument.asp?ruta=Decretos/1061335 -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S --Rule CO 1992 only - May 3 0:00 1:00 - --Rule CO 1993 only - Apr 4 0:00 0 - -+Rule CO 1992 only - May 3 0:00 1:00 - -+Rule CO 1993 only - Feb 6 24:00 0 - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - #STDOFF -4:56:16.4 - Zone America/Bogota -4:56:16 - LMT 1884 Mar 13 -diff --git a/src/java.base/share/data/tzdata/zone.tab b/src/java.base/share/data/tzdata/zone.tab -index 535d1c94af1..939432d3456 100644 ---- a/src/java.base/share/data/tzdata/zone.tab -+++ b/src/java.base/share/data/tzdata/zone.tab -@@ -137,8 +137,7 @@ CA +4606-06447 America/Moncton Atlantic - New Brunswick - CA +5320-06025 America/Goose_Bay Atlantic - Labrador (most areas) - CA +5125-05707 America/Blanc-Sablon AST - QC (Lower North Shore) - CA +4339-07923 America/Toronto Eastern - ON, QC (most areas) --CA +6344-06828 America/Iqaluit Eastern - NU (most east areas) --CA +6608-06544 America/Pangnirtung Eastern - NU (Pangnirtung) -+CA +6344-06828 America/Iqaluit Eastern - NU (most areas) - CA +484531-0913718 America/Atikokan EST - ON (Atikokan); NU (Coral H) - CA +4953-09709 America/Winnipeg Central - ON (west); Manitoba - CA +744144-0944945 America/Resolute Central - NU (Resolute) -@@ -300,17 +299,18 @@ MT +3554+01431 Europe/Malta - MU -2010+05730 Indian/Mauritius - MV +0410+07330 Indian/Maldives - MW -1547+03500 Africa/Blantyre --MX +1924-09909 America/Mexico_City Central Time --MX +2105-08646 America/Cancun Eastern Standard Time - Quintana Roo --MX +2058-08937 America/Merida Central Time - Campeche, Yucatan --MX +2540-10019 America/Monterrey Central Time - Durango; Coahuila, Nuevo Leon, Tamaulipas (most areas) --MX +2550-09730 America/Matamoros Central Time US - Coahuila, Nuevo Leon, Tamaulipas (US border) --MX +2313-10625 America/Mazatlan Mountain Time - Baja California Sur, Nayarit, Sinaloa --MX +2838-10605 America/Chihuahua Mountain Time - Chihuahua (most areas) --MX +2934-10425 America/Ojinaga Mountain Time US - Chihuahua (US border) --MX +2904-11058 America/Hermosillo Mountain Standard Time - Sonora --MX +3232-11701 America/Tijuana Pacific Time US - Baja California --MX +2048-10515 America/Bahia_Banderas Central Time - Bahia de Banderas -+MX +1924-09909 America/Mexico_City Central Mexico -+MX +2105-08646 America/Cancun Quintana Roo -+MX +2058-08937 America/Merida Campeche, Yucatan -+MX +2540-10019 America/Monterrey Durango; Coahuila, Nuevo Leon, Tamaulipas (most areas) -+MX +2550-09730 America/Matamoros Coahuila, Nuevo Leon, Tamaulipas (US border) -+MX +2838-10605 America/Chihuahua Chihuahua (most areas) -+MX +3144-10629 America/Ciudad_Juarez Chihuahua (US border - west) -+MX +2934-10425 America/Ojinaga Chihuahua (US border - east) -+MX +2313-10625 America/Mazatlan Baja California Sur, Nayarit (most areas), Sinaloa -+MX +2048-10515 America/Bahia_Banderas Bahia de Banderas -+MX +2904-11058 America/Hermosillo Sonora -+MX +3232-11701 America/Tijuana Baja California - MY +0310+10142 Asia/Kuala_Lumpur Malaysia (peninsula) - MY +0133+11020 Asia/Kuching Sabah, Sarawak - MZ -2558+03235 Africa/Maputo -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -index 08550acd037..1f437ae8ec2 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle { - "Franz\u00F6sisch-Guiana Zeit", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -index a12dedb94e9..126010ba396 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle { - "Hora de la Guayana Francesa", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -index f2064397e5e..bd6bceb6ddd 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle { - "Heure de Guyane fran\u00E7aise", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -index b7fb55286f7..7f55e19fff5 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle { - "Ora della Guyana Francese", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -index 3ccf8c2514c..fe00a00404d 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle { - "\u30D5\u30E9\u30F3\u30B9\u9818\u30AE\u30A2\u30CA\u6642\u9593", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -index 9bf7c119d52..3b0f44a2e4e 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle { - "\uD504\uB791\uC2A4\uB839 \uAE30\uC544\uB098 \uD45C\uC900\uC2DC", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -index c0cae47bd97..557e0bf9001 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle { - "Hor\u00E1rio da Guiana Francesa", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -index afcdcd348bf..d4b1377b430 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle { - "Franska Guyana-tid", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -index e6328ee8347..8224549464f 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle { - "\u6CD5\u5C5E\u572D\u4E9A\u90A3\u65F6\u95F4", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -index 236959b8a69..3d28bfa2cd6 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -@@ -428,6 +428,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle { - "\u6CD5\u5C6C\u572D\u4E9E\u90A3\u6642\u9593", "GFT"}}, - {"America/Cayman", EST}, - {"America/Chihuahua", CST}, -+ {"America/Ciudad_Juarez", MST}, - {"America/Creston", MST}, - {"America/Coral_Harbour", EST}, - {"America/Cordoba", AGT}, -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -index f29d2d938b1..0f66ee12c94 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022f -+tzdata2022g -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -index 24cec5af700..d495743b268 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt -@@ -204,6 +204,7 @@ Link America/Tijuana America/Ensenada - Link America/Indiana/Indianapolis America/Fort_Wayne - Link America/Toronto America/Montreal - Link America/Toronto America/Nipigon -+Link America/Iqaluit America/Pangnirtung - Link America/Rio_Branco America/Porto_Acre - Link America/Winnipeg America/Rainy_River - Link America/Argentina/Cordoba America/Rosario -diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -index a1cd41d283d..44db4dbdb81 100644 ---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -25,6 +25,7 @@ America/Cambridge_Bay MST MDT - America/Cancun EST - America/Chicago CST CDT - America/Chihuahua CST -+America/Ciudad_Juarez MST MDT - America/Costa_Rica CST CDT - America/Danmarkshavn GMT - America/Dawson MST -@@ -71,9 +72,8 @@ America/Nome AKST AKDT - America/North_Dakota/Beulah CST CDT - America/North_Dakota/Center CST CDT - America/North_Dakota/New_Salem CST CDT --America/Ojinaga CST -+America/Ojinaga CST CDT - America/Panama EST --America/Pangnirtung EST EDT - America/Phoenix MST - America/Port-au-Prince EST EDT - America/Puerto_Rico AST diff --git a/jdk8299439-test_for_hr.patch b/jdk8299439-test_for_hr.patch deleted file mode 100644 index 8dd1ed5..0000000 --- a/jdk8299439-test_for_hr.patch +++ /dev/null @@ -1,63 +0,0 @@ -commit cf262d7441d797942d33ed2a79540230fc5c97fa -Author: Christoph Langer -Date: Thu Jan 12 08:02:58 2023 +0000 - - 8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR - - Reviewed-by: naoto - Backport-of: 3b374c0153950ab193f3a188b57d3404b4ce2fe2 - -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/CurrencyNames_hr_HR.properties b/src/jdk.localedata/share/classes/sun/util/resources/ext/CurrencyNames_hr_HR.properties -index 70f210e2da6..56e61953a8c 100644 ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/CurrencyNames_hr_HR.properties -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/CurrencyNames_hr_HR.properties -@@ -1,5 +1,5 @@ - # --# Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. -+# Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - # - # This code is free software; you can redistribute it and/or modify it -@@ -35,4 +35,5 @@ - # This notice and attribution to Taligent may not be removed. - # Taligent is a registered trademark of Taligent, Inc. - -+EUR=\u20AC - HRK=Kn -diff --git a/test/jdk/ProblemList.txt b/test/jdk/ProblemList.txt -index dc167492272..a806ebe778a 100644 ---- a/test/jdk/ProblemList.txt -+++ b/test/jdk/ProblemList.txt -@@ -1,6 +1,6 @@ - ########################################################################### - # --# Copyright (c) 2009, 2022, Oracle and/or its affiliates. All rights reserved. -+# Copyright (c) 2009, 2023, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - # - # This code is free software; you can redistribute it and/or modify it -diff --git a/test/jdk/java/text/Format/NumberFormat/CurrencySymbols.properties b/test/jdk/java/text/Format/NumberFormat/CurrencySymbols.properties -index cf73a9c7e31..665dd3b290a 100644 ---- a/test/jdk/java/text/Format/NumberFormat/CurrencySymbols.properties -+++ b/test/jdk/java/text/Format/NumberFormat/CurrencySymbols.properties -@@ -79,7 +79,7 @@ fr_FR=\u20AC - fr_LU=\u20AC - hi_IN=\u0930\u0942 - hr=\u00A4 --hr_HR=Kn -+hr_HR=\u20AC - hu=\u00A4 - hu_HU=Ft - is=\u00A4 -@@ -94,9 +94,9 @@ ja_JP=\uFFE5 - ko=\u00A4 - ko_KR=\uFFE6 - lt=\u00A4 --lt_LT=Lt;2014-12-31-22-00-00;\u20AC -+lt_LT=\u20AC - lv=\u00A4 --lv_LV=Ls;2013-12-31-22-00-00;\u20AC -+lv_LV=\u20AC - mk=\u00A4 - mk_MK=Den - nl=\u00A4 diff --git a/nss.cfg.in b/nss.cfg.in deleted file mode 100644 index 377a39c..0000000 --- a/nss.cfg.in +++ /dev/null @@ -1,5 +0,0 @@ -name = NSS -nssLibraryDirectory = @NSS_LIBDIR@ -nssDbMode = noDb -attributes = compatibility -handleStartupErrors = ignoreMultipleInitialisation diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in deleted file mode 100644 index 2d9ec35..0000000 --- a/nss.fips.cfg.in +++ /dev/null @@ -1,8 +0,0 @@ -name = NSS-FIPS -nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = sql:/etc/pki/nssdb -nssDbMode = readOnly -nssModule = fips - -attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } - diff --git a/openjdk_news.sh b/openjdk_news.sh deleted file mode 100755 index 560b356..0000000 --- a/openjdk_news.sh +++ /dev/null @@ -1,76 +0,0 @@ -#!/bin/bash - -# Copyright (C) 2022 Red Hat, Inc. -# Written by Andrew John Hughes , 2012-2022 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -OLD_RELEASE=$1 -NEW_RELEASE=$2 -SUBDIR=$3 -REPO=$4 -SCRIPT_DIR=$(dirname ${0}) - -if test "x${SUBDIR}" = "x"; then - echo "No subdirectory specified; using ."; - SUBDIR="."; -fi - -if test "x$REPO" = "x"; then - echo "No repository specified; using ${PWD}" - REPO=${PWD} -fi - -if test x${TMPDIR} = x; then - TMPDIR=/tmp; -fi - -echo "Repository: ${REPO}" - -if [ -e ${REPO}/.git ] ; then - TYPE=git; -elif [ -e ${REPO}/.hg ] ; then - TYPE=hg; -else - echo "No Mercurial or Git repository detected."; - exit 1; -fi - -if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then - echo "ERROR: Need to specify old and new release"; - exit 2; -fi - -echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO" -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes -for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO}); -do - if test "x$TYPE" = "xhg"; then - hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \ - sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2; - hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ - egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3; - else - git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \ - sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2; - touch ${TMPDIR}/fixes3 ; # unused - fi -done - -sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes -rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 - -echo "In ${TMPDIR}/fixes:" -cat ${TMPDIR}/fixes diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh deleted file mode 100644 index 25c2fc8..0000000 --- a/remove-intree-libraries.sh +++ /dev/null @@ -1,164 +0,0 @@ -#!/bin/sh - -# Arguments: -TREE=${1} -TYPE=${2} - -ZIP_SRC=src/java.base/share/native/libzip/zlib/ -FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ -JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ -GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ -PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ -LCMS_SRC=src/java.desktop/share/native/liblcms/ - -if test "x${TREE}" = "x"; then - echo "$0 (MINIMAL|FULL)"; - exit 1; -fi - -if test "x${TYPE}" = "x"; then - TYPE=minimal; -fi - -if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then - echo "Type must be minimal or full"; - exit 2; -fi - -echo "Removing in-tree libraries from ${TREE}" -echo "Cleansing operation: ${TYPE}"; - -cd ${TREE} - -echo "Removing built-in libs (they will be linked)" - -# On full runs, allow for zlib & freetype having already been deleted by minimal -echo "Removing zlib" -if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then - echo "${ZIP_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${ZIP_SRC} -echo "Removing freetype" -if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then - echo "${FREETYPE_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${FREETYPE_SRC} - -# Minimal is limited to just zlib and freetype so finish here -if test "x${TYPE}" = "xminimal"; then - echo "Finished."; - exit 0; -fi - -echo "Removing libjpeg" -if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist - echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." - exit 1 -fi - -rm -vf ${JPEG_SRC}/jcomapi.c -rm -vf ${JPEG_SRC}/jdapimin.c -rm -vf ${JPEG_SRC}/jdapistd.c -rm -vf ${JPEG_SRC}/jdcoefct.c -rm -vf ${JPEG_SRC}/jdcolor.c -rm -vf ${JPEG_SRC}/jdct.h -rm -vf ${JPEG_SRC}/jddctmgr.c -rm -vf ${JPEG_SRC}/jdhuff.c -rm -vf ${JPEG_SRC}/jdhuff.h -rm -vf ${JPEG_SRC}/jdinput.c -rm -vf ${JPEG_SRC}/jdmainct.c -rm -vf ${JPEG_SRC}/jdmarker.c -rm -vf ${JPEG_SRC}/jdmaster.c -rm -vf ${JPEG_SRC}/jdmerge.c -rm -vf ${JPEG_SRC}/jdphuff.c -rm -vf ${JPEG_SRC}/jdpostct.c -rm -vf ${JPEG_SRC}/jdsample.c -rm -vf ${JPEG_SRC}/jerror.c -rm -vf ${JPEG_SRC}/jerror.h -rm -vf ${JPEG_SRC}/jidctflt.c -rm -vf ${JPEG_SRC}/jidctfst.c -rm -vf ${JPEG_SRC}/jidctint.c -rm -vf ${JPEG_SRC}/jidctred.c -rm -vf ${JPEG_SRC}/jinclude.h -rm -vf ${JPEG_SRC}/jmemmgr.c -rm -vf ${JPEG_SRC}/jmemsys.h -rm -vf ${JPEG_SRC}/jmemnobs.c -rm -vf ${JPEG_SRC}/jmorecfg.h -rm -vf ${JPEG_SRC}/jpegint.h -rm -vf ${JPEG_SRC}/jpeglib.h -rm -vf ${JPEG_SRC}/jquant1.c -rm -vf ${JPEG_SRC}/jquant2.c -rm -vf ${JPEG_SRC}/jutils.c -rm -vf ${JPEG_SRC}/jcapimin.c -rm -vf ${JPEG_SRC}/jcapistd.c -rm -vf ${JPEG_SRC}/jccoefct.c -rm -vf ${JPEG_SRC}/jccolor.c -rm -vf ${JPEG_SRC}/jcdctmgr.c -rm -vf ${JPEG_SRC}/jchuff.c -rm -vf ${JPEG_SRC}/jchuff.h -rm -vf ${JPEG_SRC}/jcinit.c -rm -vf ${JPEG_SRC}/jconfig.h -rm -vf ${JPEG_SRC}/jcmainct.c -rm -vf ${JPEG_SRC}/jcmarker.c -rm -vf ${JPEG_SRC}/jcmaster.c -rm -vf ${JPEG_SRC}/jcparam.c -rm -vf ${JPEG_SRC}/jcphuff.c -rm -vf ${JPEG_SRC}/jcprepct.c -rm -vf ${JPEG_SRC}/jcsample.c -rm -vf ${JPEG_SRC}/jctrans.c -rm -vf ${JPEG_SRC}/jdtrans.c -rm -vf ${JPEG_SRC}/jfdctflt.c -rm -vf ${JPEG_SRC}/jfdctfst.c -rm -vf ${JPEG_SRC}/jfdctint.c -rm -vf ${JPEG_SRC}/jversion.h -rm -vf ${JPEG_SRC}/README - -echo "Removing giflib" -if [ ! -d ${GIF_SRC} ]; then - echo "${GIF_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${GIF_SRC} - -echo "Removing libpng" -if [ ! -d ${PNG_SRC} ]; then - echo "${PNG_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -rvf ${PNG_SRC} - -echo "Removing lcms" -if [ ! -d ${LCMS_SRC} ]; then - echo "${LCMS_SRC} does not exist. Refusing to proceed." - exit 1 -fi -rm -vf ${LCMS_SRC}/cmscam02.c -rm -vf ${LCMS_SRC}/cmscgats.c -rm -vf ${LCMS_SRC}/cmscnvrt.c -rm -vf ${LCMS_SRC}/cmserr.c -rm -vf ${LCMS_SRC}/cmsgamma.c -rm -vf ${LCMS_SRC}/cmsgmt.c -rm -vf ${LCMS_SRC}/cmshalf.c -rm -vf ${LCMS_SRC}/cmsintrp.c -rm -vf ${LCMS_SRC}/cmsio0.c -rm -vf ${LCMS_SRC}/cmsio1.c -rm -vf ${LCMS_SRC}/cmslut.c -rm -vf ${LCMS_SRC}/cmsmd5.c -rm -vf ${LCMS_SRC}/cmsmtrx.c -rm -vf ${LCMS_SRC}/cmsnamed.c -rm -vf ${LCMS_SRC}/cmsopt.c -rm -vf ${LCMS_SRC}/cmspack.c -rm -vf ${LCMS_SRC}/cmspcs.c -rm -vf ${LCMS_SRC}/cmsplugin.c -rm -vf ${LCMS_SRC}/cmsps2.c -rm -vf ${LCMS_SRC}/cmssamp.c -rm -vf ${LCMS_SRC}/cmssm.c -rm -vf ${LCMS_SRC}/cmstypes.c -rm -vf ${LCMS_SRC}/cmsvirt.c -rm -vf ${LCMS_SRC}/cmswtpnt.c -rm -vf ${LCMS_SRC}/cmsxform.c -rm -vf ${LCMS_SRC}/lcms2.h -rm -vf ${LCMS_SRC}/lcms2_internal.h -rm -vf ${LCMS_SRC}/lcms2_plugin.h diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch deleted file mode 100644 index 3042186..0000000 --- a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java ---- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200 -+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200 -@@ -595,7 +595,11 @@ - toolkit = new HeadlessToolkit(toolkit); - } - if (!GraphicsEnvironment.isHeadless()) { -- loadAssistiveTechnologies(); -+ try { -+ loadAssistiveTechnologies(); -+ } catch (AWTError error) { -+ // ignore silently -+ } - } - } - return toolkit; diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch deleted file mode 100644 index c178077..0000000 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security -index 68a9c1a2d08..7aa25eb2cb7 100644 ---- openjdk.orig/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI - security.provider.tbd=Apple - #endif - security.provider.tbd=SunPKCS11 -+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # - # Security providers used when FIPS mode support is active diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch deleted file mode 100644 index 4c1476f..0000000 --- a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -index bacff32efbc..ff7b3dcc81c 100644 ---- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -@@ -46,8 +46,8 @@ class PlatformPCSC { - - private static final String PROP_NAME = "sun.security.smartcardio.library"; - -- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so"; -- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; -+ private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so.1"; -+ private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1"; - private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; - - PlatformPCSC() { diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch deleted file mode 100644 index 88f5e5a..0000000 --- a/rh1750419-redhat_alt_java.patch +++ /dev/null @@ -1,117 +0,0 @@ -diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk -index 700ddefda49..2882de68eb2 100644 ---- openjdk.orig/make/modules/java.base/Launcher.gmk -+++ openjdk/make/modules/java.base/Launcher.gmk -@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \ - OPTIMIZATION := HIGH, \ - )) - -+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c -+$(eval $(call SetupBuildLauncher, alt-java, \ -+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ -+ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \ -+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ -+ OPTIMIZATION := HIGH, \ -+)) -+ - ifeq ($(call isTargetOs, windows), true) - $(eval $(call SetupBuildLauncher, javaw, \ - CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ -diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h -new file mode 100644 -index 00000000000..697df2898ac ---- /dev/null -+++ openjdk/src/java.base/share/native/launcher/alt_main.h -@@ -0,0 +1,73 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#ifdef REDHAT_ALT_JAVA -+ -+#include -+ -+ -+/* Per task speculation control */ -+#ifndef PR_GET_SPECULATION_CTRL -+# define PR_GET_SPECULATION_CTRL 52 -+#endif -+#ifndef PR_SET_SPECULATION_CTRL -+# define PR_SET_SPECULATION_CTRL 53 -+#endif -+/* Speculation control variants */ -+#ifndef PR_SPEC_STORE_BYPASS -+# define PR_SPEC_STORE_BYPASS 0 -+#endif -+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ -+ -+#ifndef PR_SPEC_NOT_AFFECTED -+# define PR_SPEC_NOT_AFFECTED 0 -+#endif -+#ifndef PR_SPEC_PRCTL -+# define PR_SPEC_PRCTL (1UL << 0) -+#endif -+#ifndef PR_SPEC_ENABLE -+# define PR_SPEC_ENABLE (1UL << 1) -+#endif -+#ifndef PR_SPEC_DISABLE -+# define PR_SPEC_DISABLE (1UL << 2) -+#endif -+#ifndef PR_SPEC_FORCE_DISABLE -+# define PR_SPEC_FORCE_DISABLE (1UL << 3) -+#endif -+#ifndef PR_SPEC_DISABLE_NOEXEC -+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) -+#endif -+ -+static void set_speculation() __attribute__((constructor)); -+static void set_speculation() { -+ if ( prctl(PR_SET_SPECULATION_CTRL, -+ PR_SPEC_STORE_BYPASS, -+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { -+ return; -+ } -+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); -+} -+ -+#endif // REDHAT_ALT_JAVA -diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c -index b734fe2ba78..79dc8307650 100644 ---- openjdk.orig/src/java.base/share/native/launcher/main.c -+++ openjdk/src/java.base/share/native/launcher/main.c -@@ -34,6 +34,14 @@ - #include "jli_util.h" - #include "jni.h" - -+#ifdef REDHAT_ALT_JAVA -+#if defined(__linux__) && defined(__x86_64__) -+#include "alt_main.h" -+#else -+#warning alt-java requested but SSB mitigation not available on this platform. -+#endif -+#endif -+ - #ifdef _MSC_VER - #if _MSC_VER > 1400 && _MSC_VER < 1600 - diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch deleted file mode 100644 index 1b706a1..0000000 --- a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +++ /dev/null @@ -1,19 +0,0 @@ -Remove uses of FAR in jpeg code - -Upstream libjpeg-trubo removed the (empty) FAR macro: -http://sourceforge.net/p/libjpeg-turbo/code/1312/ - -Adjust our code to not use the undefined FAR macro anymore. - -diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -@@ -1385,7 +1385,7 @@ - /* and fill it in */ - dst_ptr = icc_data; - for (seq_no = first; seq_no < last; seq_no++) { -- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; -+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; - unsigned int length = - icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; - diff --git a/sources b/sources index e8cdef6..3bbbb1b 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk19u-jdk-19.0.2+7.tar.xz) = f9b54ae43074caa53773000ed8000ff5592cda44b2bef8fafa2c38cf623048722c34a111aacfd1831050525804230b29cc20fd95ad2162c43412b957190cc7b0