diff --git a/.gitignore b/.gitignore
index 5e412df..2576f6f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@
/openjdk-jdk18-jdk-18+37.tar.xz
/openjdk-jdk18u-jdk-18.0.1+0.tar.xz
/openjdk-jdk18u-jdk-18.0.1+10.tar.xz
+/openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz
diff --git a/CheckVendor.java b/CheckVendor.java
new file mode 100644
index 0000000..e2101cf
--- /dev/null
+++ b/CheckVendor.java
@@ -0,0 +1,57 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+ Copyright (C) 2020 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+/**
+ * @test
+ */
+public class CheckVendor {
+
+ public static void main(String[] args) {
+ if (args.length < 3) {
+ System.err.println("CheckVendor ");
+ System.exit(1);
+ }
+
+ String vendor = System.getProperty("java.vendor");
+ String expectedVendor = args[0];
+ String vendorURL = System.getProperty("java.vendor.url");
+ String expectedVendorURL = args[1];
+ String vendorBugURL = System.getProperty("java.vendor.url.bug");
+ String expectedVendorBugURL = args[2];
+
+ if (!expectedVendor.equals(vendor)) {
+ System.err.printf("Invalid vendor %s, expected %s\n",
+ vendor, expectedVendor);
+ System.exit(2);
+ }
+
+ if (!expectedVendorURL.equals(vendorURL)) {
+ System.err.printf("Invalid vendor URL %s, expected %s\n",
+ vendorURL, expectedVendorURL);
+ System.exit(3);
+ }
+
+ if (!expectedVendorBugURL.equals(vendorBugURL)) {
+ System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ vendorBugURL, expectedVendorBugURL);
+ System.exit(4);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL);
+ }
+}
diff --git a/NEWS b/NEWS
index 78938f4..0998f22 100644
--- a/NEWS
+++ b/NEWS
@@ -3,487 +3,95 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release OpenJDK 17.0.2 (2022-01-18):
-===========================================
-Live versions of these release notes can be found at:
- * https://bitly.com/openjdk1702
- * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt
-
-* Security fixes
- - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
- - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
- - JDK-8268488: More valuable DerValues
- - JDK-8268494: Better inlining of inlined interfaces
- - JDK-8268512: More content for ContentInfo
- - JDK-8268813, CVE-2022-21283: Better String matching
- - JDK-8269151: Better construction of EncryptedPrivateKeyInfo
- - JDK-8269944: Better HTTP transport redux
- - JDK-8270386, CVE-2022-21291: Better verification of scan methods
- - JDK-8270392, CVE-2022-21293: Improve String constructions
- - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
- - JDK-8270492, CVE-2022-21282: Better resolution of URIs
- - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
- - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
- - JDK-8270952, CVE-2022-21277: Improve TIFF file handling
- - JDK-8271962: Better TrueType font loading
- - JDK-8271968: Better canonical naming
- - JDK-8271987: Manifest improved manifest entries
- - JDK-8272014, CVE-2022-21305: Better array indexing
- - JDK-8272026, CVE-2022-21340: Verify Jar Verification
- - JDK-8272236, CVE-2022-21341: Improve serial forms for transport
- - JDK-8272272: Enhance jcmd communication
- - JDK-8272462: Enhance image handling
- - JDK-8273290: Enhance sound handling
- - JDK-8273756, CVE-2022-21360: Enhance BMP image support
- - JDK-8273838, CVE-2022-21365: Enhanced BMP processing
- - JDK-8274096, CVE-2022-21366: Improve decoding of image files
+New in release OpenJDK 18.0.1.1 (2022-04-22):
+=============================================
* Other changes
- - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException
- - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
- - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap
- - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently
- - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream
- - JDK-8214761: Bug in parallel Kahan summation implementation
- - JDK-8223923: C2: Missing interference with mismatched unsafe accesses
- - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir().
- - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name
- - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines()))
- - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled
- - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic
- - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol
- - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null
- - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
- - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
- - JDK-8263375: Support stack watermarks in Zero VM
- - JDK-8263773: Reenable German localization for builds at Oracle
- - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer
- - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer
- - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer
- - JDK-8264292: Create implementation for NSAccessibilityList protocol peer
- - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer
- - JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer
- - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer
- - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer
- - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer
- - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer
- - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer
- - JDK-8266239: Some duplicated javac command-line options have repeated effect
- - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color
- - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true
- - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl
- - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility
- - JDK-8267387: Create implementation for NSAccessibilityOutline protocol
- - JDK-8267388: Create implementation for NSAccessibilityTable protocol
- - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button"
- - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs.
- - JDK-8268361: Fix the infinite loop in next_line
- - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
- - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests
- - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler
- - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions
- - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
- - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type
- - JDK-8268893: jcmd to trim the glibc heap
- - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition
- - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)"
- - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783
- - JDK-8269113: Javac throws when compiling switch (null)
- - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java
- - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException
- - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString()
- - JDK-8269481: SctpMultiChannel never releases own file descriptor
- - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows
- - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles
- - JDK-8269687: pauth_aarch64.hpp include name is incorrect
- - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts
- - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked
- - JDK-8270110: Shenandoah: Add test for JDK-8269661
- - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS
- - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests
- - JDK-8270290: NTLM authentication fails if HEAD request is used
- - JDK-8270317: Large Allocation in CipherSuite
- - JDK-8270320: JDK-8270110 committed invalid copyright headers
- - JDK-8270517: Add Zero support for LoongArch
- - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
- - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling
- - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
- - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType
- - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String
- - JDK-8271071: accessibility of a table on macOS lacks cell navigation
- - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug
- - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h
- - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment
- - JDK-8271215: Fix data races in G1PeriodicGCTask
- - JDK-8271254: javac generates unreachable code when using empty semicolon statement
- - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected"
- - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call
- - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes
- - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1
- - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
- - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java
- - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
- - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling
- - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine"
- - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions
- - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop
- - JDK-8271605: Update JMH devkit to 1.32
- - JDK-8271718: Crash when during color transformation the color profile is replaced
- - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers
- - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest
- - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used
- - JDK-8271868: Warn user when using mac-sign option with unsigned app-image.
- - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18
- - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late
- - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112
- - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64
- - JDK-8272114: Unused _last_state in osThread_windows
- - JDK-8272170: Missing memory barrier when checking active state for regions
- - JDK-8272305: several hotspot runtime/modules don't check exit codes
- - JDK-8272318: Improve performance of HeapDumpAllTest
- - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher
- - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes
- - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions
- - JDK-8272345: macos doesn't check `os::set_boot_path()` result
- - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0"
- - JDK-8272391: Undeleted debug information
- - JDK-8272413: Incorrect num of element count calculation for vector cast
- - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
- - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late
- - JDK-8272570: C2: crash in PhaseCFG::global_code_motion
- - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late
- - JDK-8272639: jpackaged applications using microphone on mac
- - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO
- - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit
- - JDK-8272783: Epsilon: Refactor tests to improve performance
- - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests
- - JDK-8272838: Move CriticalJNI tests out of tier1
- - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1
- - JDK-8272850: Drop zapping values in the Zap* option descriptions
- - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test
- - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag
- - JDK-8272859: Javadoc external links should only have feature version number in URL
- - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups
- - JDK-8272970: Parallelize runtime/InvocationTests/
- - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop
- - JDK-8273021: C2: Improve Add and Xor ideal optimizations
- - JDK-8273026: Slow LoginContext.login() on multi threading application
- - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7
- - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert
- - JDK-8273176: handle latest VS2019 in abstract_vm_version
- - JDK-8273229: Update OS detection code to recognize Windows Server 2022
- - JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash
- - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit
- - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT
- - JDK-8273308: PatternMatchTest.java fails on CI
- - JDK-8273314: Add tier4 test groups
- - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test
- - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory
- - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods
- - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs
- - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817
- - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size
- - JDK-8273361: InfoOptsTest is failing in tier1
- - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero
- - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop
- - JDK-8273376: Zero: Disable vtable/itableStub gtests
- - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP
- - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record
- - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1}
- - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java
- - JDK-8273450: Fix the copyright header of SVML files
- - JDK-8273451: Remove unreachable return in mutexLocker::wait
- - JDK-8273483: Zero: Clear pending JNI exception check in native method handler
- - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option
- - JDK-8273487: Zero: Handle "zero" variant in runtime tests
- - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths
- - JDK-8273498: compiler/c2/Test7179138_1.java timed out
- - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes
- - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
- - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
- - JDK-8273592: Backout JDK-8271868
- - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image.
- - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian
- - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch
- - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests
- - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
- - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher
- - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease
- - JDK-8273695: Safepoint deadlock on VMOperation_lock
- - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem
- - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly
- - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java
- - JDK-8273808: Cleanup AddFontsToX11FontPath
- - JDK-8273826: Correct Manifest file name and NPE checks
- - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out
- - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral
- - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release()
- - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
- - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported
- - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds
- - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character
- - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled
- - JDK-8273968: JCK javax_xml tests fail in CI
- - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
- - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM
- - JDK-8274083: Update testing docs to mention tiered testing
- - JDK-8274087: Windows DLL path not set correctly.
- - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition
- - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
- - JDK-8274215: Remove globalsignr2ca root from 17.0.2
- - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86
- - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
- - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated
- - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160
- - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
- - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern
- - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
- - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile
- - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU
- - JDK-8274381: missing CAccessibility definitions in JNI code
- - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread
- - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API
- - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough"
- - JDK-8274407: (tz) Update Timezone Data to 2021c
- - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl
- - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
- - JDK-8274468: TimeZoneTest.java fails with tzdata2021b
- - JDK-8274501: c2i entry barriers read int as long on AArch64
- - JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected
- - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah
- - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
- - JDK-8274550: c2i entry barriers read int as long on PPC
- - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah
- - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test
- - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287
- - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume.
- - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
- - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers
- - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform
- - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
- - JDK-8274840: Update OS detection code to recognize Windows 11
- - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior
- - JDK-8274851: [ppc64] Port zgc to linux on ppc64le
- - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155)
- - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
- - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register
- - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag
- - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed
- - JDK-8275104: IR framework does not handle client VM builds correctly
- - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos.
- - JDK-8275131: Exceptions after a touchpad gesture on macOS
- - JDK-8275141: recover corrupted line endings for the version-numbers.conf
- - JDK-8275145: file.encoding system property has an incorrect value on Windows
- - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges
- - JDK-8275302: unexpected compiler error: cast, intersection types and sealed
- - JDK-8275426: PretouchTask num_chunks calculation can overflow
- - JDK-8275604: Zero: Reformat opclabels_data
- - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless
- - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
- - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak
- - JDK-8275766: (tz) Update Timezone Data to 2021e
- - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:]
- - JDK-8275811: Incorrect instance to dispose
- - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective
- - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
- - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings
- - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml
- - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency
- - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance
- - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3
- - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
- - JDK-8276112: Inconsistent scalar replacement debug info at safepoints
- - JDK-8276122: Change openjdk project in jcheck to jdk-updates
- - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme
- - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
- - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32
- - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point
- - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration
- - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition
- - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766
- - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
- - JDK-8276572: Fake libsyslookup.so library causes tooling issues
- - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie
- - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah
- - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager
- - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32
- - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1
- - JDK-8276854: Windows GHA builds fail due to broken Cygwin
- - JDK-8276864: Update boot JDKs to 17.0.1 in GHA
- - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders
- - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le
- - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes
- - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
- - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
- - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest]
- - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches
- - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
- - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint
- - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
+ - JDK-8284920: Incorrect Token type causes XPath expression to return incorrect results
+ - JDK-8285391: Update the release version for respin April CPU22_04 for release jdk18.0.1.1
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285454: Update the JBS version for respin of April CPU22_04
Notes on individual issues:
===========================
-core-libs/java.io:serialization:
-
-JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
-=========================================================================================
-`java.util.Vector` is updated to correctly report
-`ClassNotFoundException that occurs during deserialization using
-`java.io.ObjectInputStream.GetField.get(name, object)` when the class
-of an element of the Vector is not found. Without this fix, a
-`StreamCorruptedException` is thrown that does not provide information
-about the missing class.
-
-security-libs/java.security:
-
-JDK-8272535: Removed Google's GlobalSign Root Certificate
-=========================================================
-The following root certificate from Google has been removed from the
-`cacerts` keystore:
-
-Alias Name: globalsignr2ca [jdk]
-Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
-
core-libs/java.io:
-JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows
-============================================================================
-The initialization of the `file.encoding` system property on non macOS
-platforms has been reverted to align with the behavior on or before
-JDK 11. This has been an issue especially on Windows where the system
-and user's locales are not the same.
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
-hotspot/gc:
-
-JDK-8277533: ZGC: Fixed long Process Non-Strong References times
-================================================================
-A bug has been fixed that could cause long "Concurrent Process
-Non-Strong References" times with ZGC. The bug blocked the GC from
-making significant progress, and caused both latency and throughput
-issues for the Java application.
-
-The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g.
-
-[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms
-
-core-libs/java.time:
-
-JDK-8274857: Update Timezone Data to 2021c
-===========================================
-IANA Time Zone Database, on which JDK's Date/Time libraries are based,
-has been updated to version 2021c
-(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note
-that with this update, some of the time zone rules prior to the year
-1970 have been modified according to the changes which were introduced
-with 2021b. For more detail, refer to the announcement of 2021b
-(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html)
-
-New in release OpenJDK 17.0.1 (2021-10-19):
+New in release OpenJDK 18.0.1 (2022-04-19):
===========================================
Live versions of these release notes can be found at:
- * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-18.0.1.txt
* Security fixes
- - JDK-8263314: Enhance XML Dsig modes
- - JDK-8265167, CVE-2021-35556: Richer Text Editors
- - JDK-8265574: Improve handling of sheets
- - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- - JDK-8265776: Improve Stream handling for SSL
- - JDK-8266097, CVE-2021-35561: Better hashing support
- - JDK-8266103: Better specified spec values
- - JDK-8266109: More Resilient Classloading
- - JDK-8266115: More Manifest Jar Loading
- - JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- - JDK-8266689, CVE-2021-35567: More Constrained Delegation
- - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- - JDK-8267712: Better LDAP reference processing
- - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- - JDK-8267735, CVE-2021-35586: Better BMP support
- - JDK-8268193: Improve requests of certificates
- - JDK-8268199: Correct certificate requests
- - JDK-8268205: Enhance DTLS client handshake
- - JDK-8268500: Better specified ParameterSpecs
- - JDK-8268506: More Manifest Digests
- - JDK-8269618, CVE-2021-35603: Better session identification
- - JDK-8269624: Enhance method selection support
- - JDK-8270398: Enhance canonicalization
- - JDK-8270404: Better canonicalization
+ - JDK-8269938: Enhance XML processing passes redux
+ - JDK-8270504, CVE-2022-21426: Better XPath expression handling
+ - JDK-8272255: Completely handle MIDI files
+ - JDK-8272261: Improve JFR recording file processing
+ - JDK-8272588: Enhanced recording parsing
+ - JDK-8272594: Better record of recordings
+ - JDK-8274221: More definite BER encodings
+ - JDK-8275151, CVE-2022-21443: Improved Object Identification
+ - JDK-8277227: Better identification of OIDs
+ - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
+ - JDK-8277672, CVE-2022-21434: Better invocation handler handling
+ - JDK-8278356: Improve file creation
+ - JDK-8278449: Improve keychain support
+ - JDK-8278798: Improve supported intrinsic
+ - JDK-8278805: Enhance BMP image loading
+ - JDK-8278972, CVE-2022-21496: Improve URL supports
+ - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
* Other changes
- - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
- - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
- - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
- - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations
- - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
- - JDK-8263531: Remove unused buffer int
- - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
- - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
- - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
- - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
- - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
- - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
- - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms
- - JDK-8269297: Bump version numbers for JDK 17.0.1
- - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
- - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
- - JDK-8269763: The JEditorPane is blank after JDK-8265167
- - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
- - JDK-8269882: stack-use-after-scope in NewObjectA
- - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible
- - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
- - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
- - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations
- - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
- - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert
- - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
- - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
- - JDK-8270344: Session resumption errors
- - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added
- - JDK-8271276: C2: Wrong JVM state used for receiver null check
- - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4
- - JDK-8271589: fatal error with variable shift count integer rotate operation.
- - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java
- - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests
- - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier
- - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
- - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
- - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails
- - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
- - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
- - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
- - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
- - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
- - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
- - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
- - JDK-8273358: macOS Monterey does not have the font Times needed by Serif
+ - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests
+ - JDK-8267341: macos attempt_reserve_memory_at(arg1, arg2, true) failure
+ - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
+ - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8276819: javax/print/PrintServiceLookup/FlushCustomClassLoader.java fails to free
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
+ - JDK-8277795: ldap connection timeout not honoured under contention
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278869: Bump version numbers for OPENJDK 18.0.1
+ - JDK-8279223: Define version in .jcheck/conf
+ - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
+ - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it
+ - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
+ - JDK-8279445: Update JMH devkit to 1.34
+ - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN
+ - JDK-8280414: Memory leak in DefaultProxySelector
+ - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
+ - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound
+ - JDK-8280785: change milestone to fcs for releases: jdk-11.0.15, jdk-17.0.3, jdk-18.0.1
+ - JDK-8280910: Update openjdk project in jcheck to "jdk-updates" for jdk18u
+ - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
+ - JDK-8281093: Violating Attribute-Value Normalization in the XML specification 1.0
+ - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
+ - JDK-8281262: Windows builds in different directories are not fully reproducible
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
+ - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
-Notes on individual issues:
-===========================
-
-security-libs/java.security:
-
-JDK-8271434: Removed IdenTrust Root Certificate
-===============================================
-The following root certificate from IdenTrust has been removed from
-the `cacerts` keystore:
-
-Alias Name: identrustdstx3 [jdk]
-Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
-
-New in release OpenJDK 17.0.0 (2021-09-14):
+New in release OpenJDK 18.0.0 (2022-03-22):
===========================================
-The full list of changes in the interim releases from 11u to 17u can be found at:
- * https://builds.shipilev.net/backports-monitor/release-notes-12.txt
- * https://builds.shipilev.net/backports-monitor/release-notes-13.txt
- * https://builds.shipilev.net/backports-monitor/release-notes-14.txt
- * https://builds.shipilev.net/backports-monitor/release-notes-15.txt
- * https://builds.shipilev.net/backports-monitor/release-notes-16.txt
- * https://builds.shipilev.net/backports-monitor/release-notes-17.txt
-
Major changes are listed below. Some changes may have been backported
-to earlier releases following their first appearance in OpenJDK 12
-through to 17.
+to earlier releases following their first appearance in OpenJDK 18.
+
+The full list of changes in 18u can be found at:
+- * https://builds.shipilev.net/backports-monitor/release-notes-18.txt
NEW FEATURES
============
@@ -491,94 +99,10 @@ NEW FEATURES
Language Features
=================
-Switch Expressions
-==================
-https://openjdk.java.net/jeps/325
-https://openjdk.java.net/jeps/354
-https://openjdk.java.net/jeps/361
-
-Extend the `switch` statement so that it can be used as either a
-statement or an expression, and that both forms can use either a
-"traditional" or "simplified" scoping and control flow behavior. Both
-forms can use either traditional `case ... :` labels (with fall
-through) or new `case ... ->` labels (with no fall through), with a
-further new statement for yielding a value from a `switch`
-expression. These changes will simplify everyday coding, and also
-prepare the way for the use of pattern matching in `switch`.
-
-This was a preview feature (http://openjdk.java.net/jeps/12) in
-OpenJDK 12 & 13 and became final in OpenJDK 14.
-
-Text Blocks
-===========
-https://openjdk.java.net/jeps/355
-https://openjdk.java.net/jeps/368
-https://openjdk.java.net/jeps/378
-
-Add text blocks to the Java language. A text block is a multi-line
-string literal that avoids the need for most escape sequences,
-automatically formats the string in a predictable way, and gives the
-developer control over format when desired.
-
-This was a preview feature (http://openjdk.java.net/jeps/12) in
-OpenJDK 13 & 14 and became final in OpenJDK 15.
-
-Pattern Matching for instanceof
-===============================
-https://openjdk.java.net/jeps/305
-https://openjdk.java.net/jeps/375
-https://openjdk.java.net/jeps/394
-http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html
-
-Enhance the Java programming language with pattern matching for the
-`instanceof` operator. Pattern matching allows common logic in a
-program, namely the conditional extraction of components from objects,
-to be expressed more concisely and safely.
-
-This was a preview feature (http://openjdk.java.net/jeps/12) in
-OpenJDK 14 & 15 and became final in OpenJDK 16.
-
-Records
-=======
-https://openjdk.java.net/jeps/359
-https://openjdk.java.net/jeps/384
-https://openjdk.java.net/jeps/395
-
-Enhance the Java programming language with records. Records provide a
-compact syntax for declaring classes which are transparent holders for
-shallowly immutable data.
-
-This was a preview feature (http://openjdk.java.net/jeps/12) in
-OpenJDK 14 & 15 and became final in OpenJDK 16.
-
-Sealed Classes
-==============
-https://openjdk.java.net/jeps/360
-https://openjdk.java.net/jeps/397
-https://openjdk.java.net/jeps/409
-https://cr.openjdk.java.net/~briangoetz/amber/datum.html
-
-Enhance the Java programming language with sealed classes and
-interfaces. Sealed classes and interfaces restrict which other classes
-or interfaces may extend or implement them.
-
-This was a preview feature (http://openjdk.java.net/jeps/12) in
-OpenJDK 15 & 16 and became final in OpenJDK 17.
-
-Restore Always-Strict Floating-Point Semantics
-==============================================
-https://openjdk.java.net/jeps/306
-
-Make floating-point operations consistently strict, rather than have
-both strict floating-point semantics (`strictfp`) and subtly different
-default floating-point semantics. This will restore the original
-floating-point semantics to the language and VM, matching the
-semantics before the introduction of strict and default floating-point
-modes in Java SE 1.2.
-
Pattern Matching for switch
===========================
-https://openjdk.java.net/jeps/406
+https://openjdk.org/jeps/406
+https://openjdk.org/jeps/420
Enhance the Java programming language with pattern matching for
`switch` expressions and statements, along with extensions to the
@@ -587,100 +111,36 @@ expression to be tested against a number of patterns, each with a
specific action, so that complex data-oriented queries can be
expressed concisely and safely.
-This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK
-17.
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 17 (JEP 406) and sees a second preview in OpenJDK 18 (JEP
+420).
Library Features
================
-JVM Constants API
-=================
-https://openjdk.java.net/jeps/334
+UTF-8 by Default
+================
+https://openjdk.org/jeps/400
-Introduce an API to model nominal descriptions of key class-file and
-run-time artifacts, in particular constants that are loadable from the
-constant pool.
+Specify UTF-8 as the default charset of the standard Java APIs. With
+this change, APIs that depend upon the default charset will behave
+consistently across all implementations, operating systems, locales,
+and configurations.
-Reimplement the Legacy Socket API
-=================================
-https://openjdk.java.net/jeps/353
+Reimplement Core Reflection with Method Handles
+===============================================
+https://openjdk.org/jeps/416
-Replace the underlying implementation used by the `java.net.Socket`
-and `java.net.ServerSocket` APIs with a simpler and more modern
-implementation that is easy to maintain and debug. The new
-implementation will be easy to adapt to work with user-mode threads,
-a.k.a. fibers, currently being explored in Project Loom
-(https://openjdk.java.net/projects/loom).
-
-JFR Event Streaming
-===================
-https://openjdk.java.net/jeps/349
-
-Expose JDK Flight Recorder data for continuous monitoring.
-
-Non-Volatile Mapped Byte Buffers
-================================
-https://openjdk.java.net/jeps/352
-
-Add new JDK-specific file mapping modes so that the `FileChannel` API
-can be used to create `MappedByteBuffer` instances that refer to
-non-volatile memory.
-
-Helpful NullPointerExceptions
-=============================
-https://openjdk.java.net/jeps/358
-
-Improve the usability of `NullPointerException`s generated by the JVM
-by describing precisely which variable was `null`.
-
-Foreign-Memory Access API
-=========================
-https://openjdk.java.net/jeps/370
-https://openjdk.java.net/jeps/383
-https://openjdk.java.net/jeps/393
-
-Introduce an API to allow Java programs to safely and efficiently
-access foreign memory outside of the Java heap.
-
-This was a incubation feature (https://openjdk.java.net/jeps/11) in
-OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory
-API in OpenJDK 17 (see below).
-
-Edwards-Curve Digital Signature Algorithm (EdDSA)
-=================================================
-https://openjdk.java.net/jeps/339
-
-Implement cryptographic signatures using the Edwards-Curve Digital
-Signature Algorithm (EdDSA) as described by RFC 8032
-(https://tools.ietf.org/html/rfc8032).
-
-Hidden Classes
-==============
-https://openjdk.java.net/jeps/371
-
-Introduce hidden classes, which are classes that cannot be used
-directly by the bytecode of other classes. Hidden classes are intended
-for use by frameworks that generate classes at run time and use them
-indirectly, via reflection. A hidden class may be defined as a member
-of an access control nest (https://openjdk.java.net/jeps/181), and may
-be unloaded independently of other classes.
-
-Reimplement the Legacy DatagramSocket API
-=========================================
-https://openjdk.java.net/jeps/373
-
-Replace the underlying implementations of the
-`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with
-simpler and more modern implementations that are easy to maintain and
-debug. The new implementations will be easy to adapt to work with
-virtual threads, currently being explored in Project Loom
-(https://openjdk.java.net/projects/loom). This is a follow-on to JEP
-353 (see above), which already reimplemented the legacy Socket API.
+Reimplement java.lang.reflect.Method, Constructor, and Field on top of
+java.lang.invoke method handles. Making method handles the underlying
+mechanism for reflection will reduce the maintenance and development
+cost of both the java.lang.reflect and java.lang.invoke APIs.
Vector API
==========
-https://openjdk.java.net/jeps/338
-https://openjdk.java.net/jeps/414
+https://openjdk.org/jeps/338
+https://openjdk.org/jeps/414
+https://openjdk.org/jeps/417
Provide an initial iteration of an incubator module,
`jdk.incubator.vector`, to express vector computations that reliably
@@ -689,52 +149,21 @@ supported CPU architectures and thus achieve superior performance to
equivalent scalar computations.
This is an incubation feature (https://openjdk.java.net/jeps/11)
-introduced in OpenJDK 16.
+introduced in OpenJDK 16 (JEP 338). A second round of incubation took
+place in OpenJDK 17 (JEP 414) and OpenJDK 18 (JEP 417) sees a third.
-Unix-Domain Socket Channels
-===========================
-https://openjdk.java.net/jeps/380
+Internet-Address Resolution SPI
+===============================
+https://openjdk.org/jeps/418
-Add Unix-domain (`AF_UNIX`) socket support to the socket channel and
-server-socket channel APIs in the `java.nio.channels` package. Extend
-the inherited channel mechanism to support Unix-domain socket channels
-and server socket channels.
-
-Foreign Linker API (Incubator)
-==============================
-https://openjdk.java.net/jeps/389
-
-Introduce an API that offers statically-typed, pure-Java access to
-native code. This API, together with the Foreign-Memory API (see
-above), will considerably simplify the otherwise error-prone process
-of binding to a native library.
-
-This was an incubation feature (https://openjdk.java.net/jeps/11)
-introduced in OpenJDK 16, now superseded by the Foreign Function &
-Memory API in OpenJDK 17 (see below).
-
-Strongly Encapsulate JDK Internals by Default
-=============================================
-https://openjdk.java.net/jeps/396
-https://openjdk.java.net/jeps/403
-
-Strongly encapsulate all internal elements of the JDK by default,
-except for critical internal APIs such as `sun.misc.Unsafe`. It will
-no longer be possible to relax the strong encapsulation of internal
-elements via a single command-line option, as was possible in OpenJDK
-9 through 16.
-
-Enhanced Pseudo-Random Number Generators
-========================================
-https://openjdk.java.net/jeps/356
-
-Provide new interface types and implementations for pseudo-random
-number generators (PRNGs), including jumpable PRNGs and an additional
-class of splittable PRNG algorithms (LXM).
+Define a service-provider interface (SPI) for host name and address
+resolution, so that java.net.InetAddress can make use of resolvers
+other than the platform's built-in resolver.
Foreign Function & Memory API
=============================
-https://openjdk.java.net/jeps/412
+https://openjdk.org/jeps/412
+https://openjdk.org/jeps/419
Introduce an API by which Java programs can interoperate with code and
data outside of the Java runtime. By efficiently invoking foreign
@@ -744,253 +173,42 @@ Java programs to call native libraries and process native data without
the brittleness and danger of JNI.
This API is an incubation feature (https://openjdk.java.net/jeps/11)
-introduced in OpenJDK 17, and is an evolution of the Foreign Memory
-Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK
-16) (see above).
-
-Context-Specific Deserialization Filters
-========================================
-https://openjdk.java.net/jeps/415
-
-Allow applications to configure context-specific and
-dynamically-selected deserialization filters via a JVM-wide filter
-factory that is invoked to select a filter for each individual
-deserialization operation.
+introduced in OpenJDK 17 (JEP 412), and is an evolution of the Foreign
+Memory Access API (OpenJDK 14 through 16) and Foreign Linker API
+(OpenJDK 16) (see release notes for java-17-openjdk). OpenJDK 18 sees
+a second round of incubation (JEP 419).
Tools
=====
-Packaging Tool
-==============
-https://openjdk.java.net/jeps/343
-https://openjdk.java.net/jeps/392
+Simple Web Server
+=================
+https://openjdk.org/jeps/408
-Provide the `jpackage` tool, for packaging self-contained Java
-applications.
+Provide a command-line tool, `jwebserver`, to start a minimal web
+server that serves static files only. No CGI or servlet-like
+functionality is available. This tool will be useful for prototyping,
+ad-hoc coding, and testing purposes, particularly in educational
+contexts.
-JVM Features
-============
-
-Shenandoah: A Low-Pause-Time Garbage Collector
-==============================================
-https://openjdk.java.net/jeps/189
-https://openjdk.java.net/jeps/379
-
-Add a new garbage collection (GC) algorithm named Shenandoah which
-reduces GC pause times by doing evacuation work concurrently with the
-running Java threads. Pause times with Shenandoah are independent of
-heap size, meaning you will have the same consistent pause times
-whether your heap is 200 MB or 200 GB.
-
-Shenandoah has been provided in Red Hat builds of OpenJDK 8 since
-8u131 in April 2017 and in all 11u builds.
-
-Upstream, it was introduced in OpenJDK 12 as an experimental feature
-and became a production feature in OpenJDK 15. It was backported to
-OpenJDK 11 with the 11.0.9 release in October 2020.
-
-Abortable Mixed Collections for G1
-==================================
-https://openjdk.java.net/jeps/344
-
-Make G1 mixed collections abortable if they might exceed the pause
-target.
-
-Promptly Return Unused Committed Memory from G1
-===============================================
-https://openjdk.java.net/jeps/346
-
-Enhance the G1 garbage collector to automatically return Java heap
-memory to the operating system when idle.
-
-Dynamic CDS Archives
-====================
-https://openjdk.java.net/jeps/310
-https://openjdk.java.net/jeps/350
-
-Extend application class-data sharing to allow the dynamic archiving
-of classes at the end of Java application execution. The archived
-classes will include all loaded application classes and library
-classes that are not present in the default, base-layer CDS archive.
-
-ZGC: Uncommit Unused Memory (Experimental)
-==========================================
-https://openjdk.java.net/jeps/351
-
-Enhance ZGC to return unused heap memory to the operating system.
-
-NUMA-Aware Memory Allocation for G1
-===================================
-https://openjdk.java.net/jeps/345
-
-Improve G1 performance on large machines by implementing NUMA-aware
-memory allocation.
-
-ZGC on macOS (Experimental)
-===========================
-https://openjdk.java.net/jeps/364
-
-Port the ZGC garbage collector to macOS.
-
-ZGC on Windows (Experimental)
-=============================
-https://openjdk.java.net/jeps/365
-
-Port the ZGC garbage collector to Windows.
-
-ZGC: A Scalable Low-Latency Garbage Collector (Production)
-==========================================================
-https://openjdk.java.net/jeps/377
-
-Change the Z Garbage Collector from an experimental feature into a
-product feature.
-
-ZGC: Concurrent Thread-Stack Processing
+Code Snippets in Java API Documentation
=======================================
-https://openjdk.java.net/jeps/376
+https://openjdk.org/jeps/413
-Move ZGC thread-stack processing from safepoints to a concurrent
-phase.
-
-Elastic Metaspace
-=================
-https://openjdk.java.net/jeps/387
-
-Return unused HotSpot class-metadata (i.e., metaspace) memory to the
-operating system more promptly, reduce metaspace footprint, and
-simplify the metaspace code in order to reduce maintenance costs.
-
-Ports
-=====
-
-Alpine Linux Port
-=================
-https://openjdk.java.net/jeps/386
-
-Port the JDK to Alpine Linux, and to other Linux distributions that
-use musl as their primary C library, on both the x64 and AArch64
-architectures,
-
-Windows/AArch64 Port
-====================
-https://openjdk.java.net/jeps/388
-
-Port the JDK to Windows/AArch64.
-
-New macOS Rendering Pipeline
-============================
-https://openjdk.java.net/jeps/382
-
-Implement a Java 2D internal rendering pipeline for macOS using the
-Apple Metal API as alternative to the existing pipeline, which uses
-the deprecated Apple OpenGL API.
-
-macOS/AArch64 Port
-==================
-https://openjdk.java.net/jeps/391
-
-Port the JDK to macOS/AArch64.
+Introduce an @snippet tag for JavaDoc's Standard Doclet, to simplify
+the inclusion of example source code in API documentation.
DEPRECATIONS
============
-Deprecate the ParallelScavenge + SerialOld GC Combination
-=========================================================
-https://openjdk.java.net/jeps/366
-
-Deprecate the combination of the Parallel Scavenge and Serial Old
-garbage collection algorithms.
-
-Deprecate and Disable Biased Locking
-====================================
-https://openjdk.java.net/jeps/374
-
-Disable biased locking by default, and deprecate all related
-command-line options.
-
-Warnings for Value-Based Classes
-================================
-https://openjdk.java.net/jeps/390
-
-Designate the primitive wrapper classes as value-based and deprecate
-their constructors for removal, prompting new deprecation
-warnings. Provide warnings about improper attempts to synchronize on
-instances of any value-based classes in the Java Platform.
-
-Deprecate the Applet API for Removal
-====================================
-https://openjdk.java.net/jeps/398
-
-Deprecate the Applet API for removal. It is essentially irrelevant
-since all web-browser vendors have either removed support for Java
-browser plug-ins or announced plans to do so.
-
-Deprecate the Security Manager for Removal
-==========================================
-https://openjdk.java.net/jeps/411
-
-Deprecate the Security Manager for removal in a future release. The
-Security Manager dates from Java 1.0. It has not been the primary
-means of securing client-side Java code for many years, and it has
-rarely been used to secure server-side code. To move Java forward, we
-intend to deprecate the Security Manager for removal in concert with
-the legacy Applet API (see above). .
-
-REMOVALS
-========
-
-Remove the Concurrent Mark Sweep (CMS) Garbage Collector
-========================================================
-https://openjdk.java.net/jeps/363
-
-Remove the Concurrent Mark Sweep (CMS) garbage collector.
-
-Remove the Pack200 Tools and API
-================================
-https://openjdk.java.net/jeps/336
-https://openjdk.java.net/jeps/367
-
-Remove the `pack200` and `unpack200` tools, and the `Pack200` API in
-the `java.util.jar` package. These tools and API were deprecated for
-removal in OpenJDK 11 with the express intent to remove them in a
-future release.
-
-Remove the Nashorn JavaScript Engine
-====================================
-https://openjdk.java.net/jeps/372
-
-Remove the Nashorn JavaScript script engine and APIs, and the `jjs`
-tool. The engine, the APIs, and the tool were deprecated for removal
-in OpenJDK 11 with the express intent to remove them in a future
-release.
-
-Remove the Solaris and SPARC Ports
+Deprecate Finalization for Removal
==================================
-https://openjdk.java.net/jeps/362
-https://openjdk.java.net/jeps/381
+https://openjdk.org/jeps/421
-Remove the source code and build support for the Solaris/SPARC,
-Solaris/x64, and Linux/SPARC ports. These ports were deprecated for
-removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381).
-
-Remove RMI Activation
-=====================
-https://openjdk.java.net/jeps/385
-https://openjdk.java.net/jeps/407
-https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html
-
-Remove the Remote Method Invocation (RMI) Activation mechanism, while
-preserving the rest of RMI. RMI Activation is an obsolete part of RMI
-that has been optional since OpenJDK 8 and was deprecated in OpenJDK
-15.
-
-Remove the Experimental AOT and JIT Compiler
-============================================
-https://openjdk.java.net/jeps/410
-
-Remove the experimental Java-based ahead-of-time (AOT) and
-just-in-time (JIT) compiler. This compiler has seen little use since
-its introduction and the effort required to maintain it is
-significant. Retain the experimental Java-level JVM compiler
-interface (JVMCI) so that developers can continue to use
-externally-built versions of the compiler for JIT compilation.
+Deprecate finalization for removal in a future release. Finalization
+remains enabled by default for now, but can be disabled to facilitate
+early testing. In a future release it will be disabled by default, and
+in a later release it will be removed. Maintainers of libraries and
+applications that rely upon finalization should consider migrating to
+other resource management techniques such as the try-with-resources
+statement and cleaners.
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
index 06a0b07..552bd0f 100644
--- a/TestSecurityProperties.java
+++ b/TestSecurityProperties.java
@@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties ");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
}
diff --git a/fips-18u-39968997e2e.patch b/fips-18u-60131cc7271.patch
similarity index 83%
rename from fips-18u-39968997e2e.patch
rename to fips-18u-60131cc7271.patch
index dada82c..f807876 100644
--- a/fips-18u-39968997e2e.patch
+++ b/fips-18u-60131cc7271.patch
@@ -1398,7 +1398,7 @@ index a020e1c15d8..6d459fdec01 100644
// Return the instance of this class or create one if needed.
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index 2ee706c2448..a4d61eeec20 100644
+index 2ee706c2448..8f4c44a1436 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
@@ -1409,7 +1409,7 @@ index 2ee706c2448..a4d61eeec20 100644
import jdk.internal.access.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.util.Debug;
-@@ -47,6 +48,9 @@ import sun.security.jca.*;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
* implementation-specific location, which is typically the properties file
* {@code conf/security/java.security} in the Java installation directory.
*
@@ -1419,7 +1419,18 @@ index 2ee706c2448..a4d61eeec20 100644
* @author Benjamin Renaud
* @since 1.1
*/
-@@ -67,6 +71,19 @@ public final class Security {
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -67,6 +76,19 @@ public final class Security {
}
static {
@@ -1439,7 +1450,15 @@ index 2ee706c2448..a4d61eeec20 100644
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
-@@ -99,6 +116,7 @@ public final class Security {
+@@ -84,6 +106,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -99,6 +122,7 @@ public final class Security {
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
@@ -1447,30 +1466,63 @@ index 2ee706c2448..a4d61eeec20 100644
}
} catch (IOException e) {
if (sdebug != null) {
-@@ -193,6 +211,28 @@ public final class Security {
+@@ -193,6 +217,61 @@ public final class Security {
}
}
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-+ if (!SystemConfigurator.configureSysProps(props)) {
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
++ sdebug.println("WARNING: System security properties could not be loaded.");
+ }
+ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
+ }
+
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
+ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
+ }
+ }
}
@@ -1478,10 +1530,10 @@ index 2ee706c2448..a4d61eeec20 100644
/*
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
-index 00000000000..da2af5defda
+index 00000000000..98ffced455b
--- /dev/null
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
@@ -1562,13 +1614,13 @@ index 00000000000..da2af5defda
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configureSysProps(Properties props) {
-+ boolean loadedProps = false;
++ boolean systemSecPropsLoaded = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
-+ loadedProps = true;
++ systemSecPropsLoaded = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
@@ -1581,7 +1633,7 @@ index 00000000000..da2af5defda
+ e.printStackTrace();
+ }
+ }
-+ return loadedProps;
++ return systemSecPropsLoaded;
+ }
+
+ /*
@@ -1653,6 +1705,8 @@ index 00000000000..da2af5defda
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
@@ -1693,37 +1747,39 @@ index 00000000000..da2af5defda
+ return plainKeySupportEnabled;
+ }
+
-+ /*
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
+ */
+ private static boolean enableFips() throws Exception {
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
+ }
-+ } else {
-+ return false;
++ throw e;
+ }
+ }
+}
@@ -2106,7 +2162,7 @@ index 912cad59714..709d32912ca 100644
/*
* Certificates
diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
-index ca79f25cc44..16c5ad2e227 100644
+index ca79f25cc44..225517ac69b 100644
--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
@@ -27,6 +27,7 @@ package sun.security.rsa;
@@ -2128,7 +2184,7 @@ index ca79f25cc44..16c5ad2e227 100644
private void add(Provider p, String type, String algo, String cn,
List aliases, HashMap attrs) {
services.add(new Provider.Service(p, type, algo, cn,
-@@ -56,49 +61,52 @@ public final class SunRsaSignEntries {
+@@ -56,49 +61,58 @@ public final class SunRsaSignEntries {
// start populating content using the specified provider
// common attribute map
HashMap attrs = new HashMap<>(3);
@@ -2139,43 +2195,11 @@ index ca79f25cc44..16c5ad2e227 100644
+ attrs.put("SupportedKeyClasses",
+ "java.security.interfaces.RSAPublicKey" +
+ "|java.security.interfaces.RSAPrivateKey");
-+
-+ add(p, "KeyFactory", "RSA",
-+ "sun.security.rsa.RSAKeyFactory$Legacy",
-+ getAliases("PKCS1"), null);
-+ add(p, "KeyPairGenerator", "RSA",
-+ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
-+ getAliases("PKCS1"), null);
-+ addA(p, "Signature", "MD2withRSA",
-+ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
-+ addA(p, "Signature", "MD5withRSA",
-+ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
-+ addA(p, "Signature", "SHA1withRSA",
-+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
-+ addA(p, "Signature", "SHA224withRSA",
-+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
-+ addA(p, "Signature", "SHA256withRSA",
-+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
-+ addA(p, "Signature", "SHA384withRSA",
-+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
-+ addA(p, "Signature", "SHA512withRSA",
-+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
-+ addA(p, "Signature", "SHA512/224withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
-+ addA(p, "Signature", "SHA512/256withRSA",
-+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-224withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
-+ addA(p, "Signature", "SHA3-256withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
-+ addA(p, "Signature", "SHA3-384withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
-+ addA(p, "Signature", "SHA3-512withRSA",
-+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++ }
-- add(p, "KeyFactory", "RSA",
-- "sun.security.rsa.RSAKeyFactory$Legacy",
-- getAliases("PKCS1"), null);
+ add(p, "KeyFactory", "RSA",
+ "sun.security.rsa.RSAKeyFactory$Legacy",
+ getAliases("PKCS1"), null);
- add(p, "KeyPairGenerator", "RSA",
- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
- getAliases("PKCS1"), null);
@@ -2205,20 +2229,53 @@ index ca79f25cc44..16c5ad2e227 100644
- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
- addA(p, "Signature", "SHA3-512withRSA",
- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
-+ addA(p, "KeyFactory", "RSASSA-PSS",
-+ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
++
++ if (!systemFipsEnabled) {
++ add(p, "KeyPairGenerator", "RSA",
++ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
++ getAliases("PKCS1"), null);
++ addA(p, "Signature", "MD2withRSA",
++ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
++ addA(p, "Signature", "MD5withRSA",
++ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
++ addA(p, "Signature", "SHA1withRSA",
++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
++ addA(p, "Signature", "SHA224withRSA",
++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
++ addA(p, "Signature", "SHA256withRSA",
++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
++ addA(p, "Signature", "SHA384withRSA",
++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
++ addA(p, "Signature", "SHA512withRSA",
++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
++ addA(p, "Signature", "SHA512/224withRSA",
++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
++ addA(p, "Signature", "SHA512/256withRSA",
++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-224withRSA",
++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
++ addA(p, "Signature", "SHA3-256withRSA",
++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-384withRSA",
++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
++ addA(p, "Signature", "SHA3-512withRSA",
++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++ }
+
+ addA(p, "KeyFactory", "RSASSA-PSS",
+ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
+- addA(p, "KeyPairGenerator", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
+- addA(p, "Signature", "RSASSA-PSS",
+- "sun.security.rsa.RSAPSSSignature", attrs);
++
++ if (!systemFipsEnabled) {
+ addA(p, "KeyPairGenerator", "RSASSA-PSS",
+ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
+ addA(p, "Signature", "RSASSA-PSS",
+ "sun.security.rsa.RSAPSSSignature", attrs);
+ }
-
-- addA(p, "KeyFactory", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyFactory$PSS", attrs);
-- addA(p, "KeyPairGenerator", "RSASSA-PSS",
-- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
-- addA(p, "Signature", "RSASSA-PSS",
-- "sun.security.rsa.RSAPSSSignature", attrs);
++
addA(p, "AlgorithmParameters", "RSASSA-PSS",
"sun.security.rsa.PSSParameters", null);
}
@@ -2351,7 +2408,7 @@ index 894e26dfad8..8b16378b96b 100644
"sun.security.ssl.SSLContextImpl$TLSContext",
List.of("SSL"), null);
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 91b3a01ee57..68a9c1a2d08 100644
+index 91b3a01ee57..33f9fdc6f84 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
@@ -2359,7 +2416,7 @@ index 91b3a01ee57..68a9c1a2d08 100644
security.provider.tbd=SunPKCS11
+#
-+# Security providers used when global crypto-policies are set to FIPS.
++# Security providers used when FIPS mode support is active
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
@@ -2392,16 +2449,24 @@ index 91b3a01ee57..68a9c1a2d08 100644
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
-+security.useSystemPropertiesFile=true
++security.useSystemPropertiesFile=false
+
#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
-index b22f26947af..cd385d4a010 100644
+index b22f26947af..3ee2ce6ea88 100644
--- a/src/java.base/share/lib/security/default.policy
+++ b/src/java.base/share/lib/security/default.policy
-@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
+ grant codeBase "jrt:/jdk.crypto.ec" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "loadLibrary.sunec";
+ permission java.security.SecurityPermission "putProviderProperty.SunEC";
+ permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.crypto.provider";
@@ -2411,10 +2476,10 @@ index b22f26947af..cd385d4a010 100644
"accessClassInPackage.sun.security.*";
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
-index 00000000000..365575d5d4d
+index 00000000000..187be7295f3
--- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,291 @@
+@@ -0,0 +1,490 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@@ -2446,11 +2511,15 @@ index 00000000000..365575d5d4d
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
++import java.security.interfaces.RSAPrivateCrtKey;
++import java.security.interfaces.RSAPrivateKey;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
@@ -2459,8 +2528,10 @@ index 00000000000..365575d5d4d
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAPrivateCrtKeyImpl;
++import sun.security.rsa.RSAUtil;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
@@ -2470,15 +2541,21 @@ index 00000000000..365575d5d4d
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
-+ private static P11Key importerKey = null;
++ private static volatile P11Key importerKey = null;
++ private static SecretKeySpec exporterKey = null;
++ private static volatile P11Key exporterKeyP11 = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
++ // Do not take the exporterKeyLock with the importerKeyLock held.
++ private static final ReentrantLock exporterKeyLock = new ReentrantLock();
++ private static volatile CK_MECHANISM importerKeyMechanism = null;
++ private static volatile CK_MECHANISM exporterKeyMechanism = null;
+ private static Cipher importerCipher = null;
++ private static Cipher exporterCipher = null;
+
-+ private static Provider sunECProvider = null;
++ private static volatile Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
-+ private static KeyFactory DHKF = null;
++ private static volatile KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
@@ -2502,7 +2579,8 @@ index 00000000000..365575d5d4d
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
-+ throw new PKCS11Exception();
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
@@ -2630,7 +2708,8 @@ index 00000000000..365575d5d4d
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
-+ throw new PKCS11Exception();
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
@@ -2643,14 +2722,19 @@ index 00000000000..365575d5d4d
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
-+ throw new PKCS11Exception();
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
++ importerKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ } finally {
++ importerKeyLock.unlock();
++ }
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
@@ -2659,13 +2743,155 @@ index 00000000000..365575d5d4d
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
-+ throw new PKCS11Exception();
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject,
++ long keyClass, long keyType, Map sensitiveAttrs)
++ throws PKCS11Exception {
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be exported in" +
++ " system FIPS mode.");
++ }
++ if (exporterKeyP11 == null) {
++ try {
++ exporterKeyLock.lock();
++ if (exporterKeyP11 == null) {
++ if (exporterKeyMechanism == null) {
++ // Exporter Key creation has not been tried yet. Try it.
++ createExporterKey(token);
++ }
++ if (exporterKeyP11 == null || exporterCipher == null) {
++ if (debug != null) {
++ debug.println("Exporter Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ if (debug != null) {
++ debug.println("Exporter Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ }
++ long exporterKeyID = exporterKeyP11.getKeyID();
++ try {
++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession,
++ exporterKeyMechanism, exporterKeyID, hObject);
++ byte[] plainExportedKey = null;
++ exporterKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes);
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ if (keyClass == CKO_PRIVATE_KEY) {
++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey);
++ } else if (keyClass == CKO_SECRET_KEY) {
++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey;
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ } finally {
++ exporterKeyP11.releaseKeyID();
++ }
++ }
++
++ private static void exportPrivateKey(
++ Map sensitiveAttrs, long keyType,
++ byte[] plainExportedKey) throws Throwable {
++ if (keyType == CKK_RSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey
++ );
++ CK_ATTRIBUTE attr;
++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
++ }
++ if (rsaPKey instanceof RSAPrivateCrtKey) {
++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey;
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) {
++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray();
++ }
++ } else {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT);
++ }
++ } else if (keyType == CKK_DSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ new sun.security.provider.DSAPrivateKey(plainExportedKey)
++ .getX().toByteArray();
++ } else if (keyType == CKK_EC) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey)
++ .getS().toByteArray();
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " unsupported CKO_PRIVATE_KEY key type: " + keyType);
++ }
++ }
++
++ private static void checkAttrs(Map sensitiveAttrs,
++ String keyName, long... validAttrs)
++ throws PKCS11Exception {
++ int sensitiveAttrsCount = sensitiveAttrs.size();
++ if (sensitiveAttrsCount <= validAttrs.length) {
++ int validAttrsCount = 0;
++ for (long validAttr : validAttrs) {
++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++;
++ }
++ if (validAttrsCount == sensitiveAttrsCount) return;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " invalid attribute types for a " + keyName + " key object");
++ }
++
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
@@ -2696,6 +2922,9 @@ index 00000000000..365575d5d4d
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec(
++ (byte[])importerKeyMechanism.pParameter), null);
+ }
+ } catch (Throwable t) {
+ // best effort
@@ -2703,11 +2932,91 @@ index 00000000000..365575d5d4d
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Importer Key");
++ }
++ }
++ }
++
++ private static void createExporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Exporter Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ byte[] exporterKeyRaw = new byte[32];
++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw);
++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES");
++ try {
++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES");
++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey));
++ if (exporterKeyP11 != null) {
++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey,
++ new IvParameterSpec(
++ (byte[])exporterKeyMechanism.pParameter), null);
++ }
++ } catch (Throwable t) {
++ // best effort
++ exporterKey = null;
++ exporterKeyP11 = null;
++ exporterCipher = null;
++ // exporterKeyMechanism value is kept initialized to indicate that
++ // Exporter Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Exporter Key");
++ }
+ }
+ }
+}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+index bf0c5f2ba84..a4daed24b82 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+@@ -37,6 +37,8 @@ import javax.crypto.*;
+ import javax.crypto.interfaces.*;
+ import javax.crypto.spec.*;
+
++import jdk.internal.access.SharedSecrets;
++
+ import sun.security.rsa.RSAUtil.KeyType;
+ import sun.security.rsa.RSAPublicKeyImpl;
+ import sun.security.rsa.RSAPrivateCrtKeyImpl;
+@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil;
+ */
+ abstract class P11Key implements Key, Length {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ private static final long serialVersionUID = -2575874101938349339L;
+
+ private static final String PUBLIC = "public";
+@@ -392,8 +397,9 @@ abstract class P11Key implements Key, Length {
+ new CK_ATTRIBUTE(CKA_EXTRACTABLE),
+ });
+
+- boolean keySensitive = (attrs[0].getBoolean() ||
+- attrs[1].getBoolean() || !attrs[2].getBoolean());
++ boolean keySensitive = (!plainKeySupportEnabled &&
++ (attrs[0].getBoolean() ||
++ attrs[1].getBoolean() || !attrs[2].getBoolean()));
+
+ switch (algorithm) {
+ case "RSA":
+@@ -448,7 +454,8 @@ abstract class P11Key implements Key, Length {
+
+ public String getFormat() {
+ token.ensureValid();
+- if (sensitive || (extractable == false)) {
++ if (!plainKeySupportEnabled &&
++ (sensitive || (extractable == false))) {
+ return null;
+ } else {
+ return "RAW";
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 9cdbdfa9d6b..1def9c4506e 100644
+index 9cdbdfa9d6b..ea18bdb82a3 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
@@ -2728,7 +3037,7 @@ index 9cdbdfa9d6b..1def9c4506e 100644
import jdk.internal.misc.InnocuousThread;
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
-@@ -62,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
+@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
*/
public final class SunPKCS11 extends AuthProvider {
@@ -2739,55 +3048,68 @@ index 9cdbdfa9d6b..1def9c4506e 100644
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
++ private static final MethodHandle fipsExportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
++ MethodHandle fipsExportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
++ fipsExportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "exportKey",
++ MethodType.methodType(void.class, SunPKCS11.class,
++ long.class, long.class,
++ long.class, long.class, Map.class));
+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
++ throw new SecurityException("FIPS key importer-exporter" +
++ " initialization failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
++ fipsExportKey = fipsExportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -326,9 +353,15 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -326,9 +361,19 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
++ MethodHandle fipsKeyExporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
++ fipsKeyExporter = MethodHandles.insertArguments(
++ fipsExportKey, 0, this);
+ }
try {
- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs,
- config.getOmitInitialize());
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
-+ config.getOmitInitialize(), fipsKeyImporter);
++ config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
-@@ -343,8 +376,8 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -343,8 +388,9 @@ public final class SunPKCS11 extends AuthProvider {
} else {
initArgs.flags = 0;
}
- tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs,
- config.getOmitInitialize());
+ tmpPKCS11 = PKCS11.getInstance(library,
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
}
p11 = tmpPKCS11;
-@@ -384,6 +417,24 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -384,6 +430,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
@@ -2813,35 +3135,52 @@ index 9cdbdfa9d6b..1def9c4506e 100644
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index f87690bc24f..81a4dc02b21 100644
+index f87690bc24f..79408353609 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
import java.util.*;
import java.security.AccessController;
-@@ -169,16 +170,28 @@ public class PKCS11 {
+@@ -167,18 +170,43 @@ public class PKCS11 {
+ return version;
+ }
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null, null);
++ }
++
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ boolean omitInitialize, MethodHandle fipsKeyImporter,
++ MethodHandle fipsKeyExporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
++ boolean nssFipsMode = fipsKeyImporter != null &&
++ fipsKeyExporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
++ fipsKeyImporter, fipsKeyExporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
@@ -2849,14 +3188,14 @@ index f87690bc24f..81a4dc02b21 100644
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
++ functionList, fipsKeyImporter, fipsKeyExporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
-@@ -1971,4 +1984,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+@@ -1971,4 +1999,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
@@ -2866,13 +3205,29 @@ index f87690bc24f..81a4dc02b21 100644
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(PKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ FIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.PKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
+ }
+
-+ public synchronized long C_CreateObject(long hSession,
++ public long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
@@ -2882,20 +3237,46 @@ index f87690bc24f..81a4dc02b21 100644
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
-+ throw new PKCS11Exception();
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
++
++ public void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ SynchronizedFIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
+ }
+
+ public synchronized long C_CreateObject(long hSession,
@@ -2906,11 +3287,21 @@ index f87690bc24f..81a4dc02b21 100644
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
-+ throw new PKCS11Exception();
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
++
++ public synchronized void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
+}
+
+private static class FIPSPKCS11Helper {
@@ -2924,10 +3315,83 @@ index f87690bc24f..81a4dc02b21 100644
+ }
+ return false;
+ }
++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++ MethodHandle fipsKeyExporter, long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ Map sensitiveAttrs = new HashMap<>();
++ List nonSensitiveAttrs = new LinkedList<>();
++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++ sensitiveAttrs, nonSensitiveAttrs);
++ try {
++ if (sensitiveAttrs.size() > 0) {
++ long keyClass = -1L;
++ long keyType = -1L;
++ try {
++ // Secret and private keys have both class and type
++ // attributes, so we can query them at once.
++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++ new CK_ATTRIBUTE(CKA_CLASS),
++ new CK_ATTRIBUTE(CKA_KEY_TYPE),
++ };
++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++ keyClass = queryAttrs[0].getLong();
++ keyType = queryAttrs[1].getLong();
++ } catch (PKCS11Exception e) {
++ // If the query fails, the object is neither a secret nor a
++ // private key. As this case won't be handled with the FIPS
++ // Key Exporter, we keep keyClass initialized to -1L.
++ }
++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++ sensitiveAttrs);
++ if (nonSensitiveAttrs.size() > 0) {
++ CK_ATTRIBUTE[] pNonSensitiveAttrs =
++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++ int i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ pNonSensitiveAttrs[i++] = nonSensAttr;
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject,
++ pNonSensitiveAttrs);
++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++ // update the reference on the previous CK_ATTRIBUTEs
++ i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++ }
++ }
++ return;
++ }
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++ Map sensitiveAttrs,
++ List nonSensitiveAttrs) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ long type = attr.type;
++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++ type == CKA_COEFFICIENT) {
++ sensitiveAttrs.put(type, attr);
++ } else {
++ nonSensitiveAttrs.add(attr);
++ }
++ }
++ }
+}
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
-index ad2ffc8623b..c59faf26a70 100644
+index ad2ffc8623b..5441fdecea0 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
@@ -190,6 +190,14 @@ public class PKCS11Exception extends Exception {
@@ -2935,11 +3399,11 @@ index ad2ffc8623b..c59faf26a70 100644
}
+ /**
-+ * No arguments constructor using CKR_GENERAL_ERROR for the error
-+ * code with no extra info for the error message.
++ * Constructor taking the error code from the RV enum and
++ * extra info for error message.
+ */
-+ public PKCS11Exception() {
-+ this(RV.CKR_GENERAL_ERROR.value, null);
++ public PKCS11Exception(RV errorEnum, String extraInfo) {
++ this(errorEnum.value, extraInfo);
+ }
+
/**
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
index 515d472..d6a7f8d 100755
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@@ -37,6 +37,8 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com
COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=13.0
if [ "x$1" = "xhelp" ] ; then
echo -e "Behaviour may be specified by setting the following variables:\n"
@@ -126,11 +128,10 @@ pushd "${FILE_NAME_ROOT}"
echo "Syncing EC list with NSS"
if [ "x$PR3823" = "x" ] ; then
- # originally for 8:
- # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
- # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
+ # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ # Do not push it or publish it
echo "PR3823 not found. Downloading..."
- wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch
echo "Applying ${PWD}/pr3823.patch"
patch -Np1 < pr3823.patch
rm pr3823.patch
@@ -142,6 +143,14 @@ pushd "${FILE_NAME_ROOT}"
popd
fi
+ # Generate .src-rev so build has knowledge of the revision the tarball was created from
+ mkdir build
+ pushd build
+ sh ${PWD}/../openjdk/configure
+ make store-source-revision
+ popd
+ rm -rf build
+
echo "Compressing remaining forest"
if [ "X$COMPRESSION" = "Xxz" ] ; then
SWITCH=cJf
@@ -152,5 +161,3 @@ pushd "${FILE_NAME_ROOT}"
mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} ..
popd
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
-
-
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index a97cf96..4fc69de 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -130,7 +130,12 @@
# Set of architectures for which java has short vector math library (libsvml.so)
%global svml_arches x86_64
# Set of architectures where we verify backtraces with gdb
+# s390x fails on RHEL 7 so we exclude it there
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches}
+%else
%global gdb_arches %{jit_arches} %{zero_arches}
+%endif
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
@@ -183,11 +188,15 @@
%global staticlibs_loop %{nil}
%endif
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@@ -302,7 +311,7 @@
%global featurever 18
%global interimver 0
%global updatever 1
-%global patchver 0
+%global patchver 1
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
# GA'ed in March 2022 => 22.3
@@ -310,7 +319,7 @@
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
-%global buildjdkver 18
+%global buildjdkver %{featurever}
# We don't add any LTS designator for STS packages (Fedora and EPEL).
# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined.
%if 0%{?rhel} && !0%{?epel}
@@ -331,17 +340,37 @@
%global build_hotspot_first 0
%endif
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
-%global fipsver 39968997e2e
+%global fipsver 60131cc7271
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 10
+%global buildver 2
%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -361,6 +390,9 @@
# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
+
# Define milestone (EA for pre-releases, GA for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -380,29 +412,16 @@
%global eaprefix 0.
%endif
-# Define what url should JVM offer in case of a crash report
-# order may be important, epel may have rhel declared
-%if 0%{?epel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
-%else
-%if 0%{?fedora}
-# Does not work for rawhide, keeps the version field empty
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
-%else
-%if 0%{?rhel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
-%else
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi
-%endif
-%endif
-%endif
-
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs
+# installation directory for static libraries
+%global static_libs_root lib/static
+%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
+%global static_libs_install_dir %{static_libs_arch_dir}/glibc
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
@@ -547,7 +566,7 @@ alternatives \\
--slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
--slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
- %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
+ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
%{set_if_needed_alternatives $key %{family}}
@@ -812,6 +831,7 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
@@ -870,6 +890,7 @@ exit 0
%dir %{etcjavadir -- %{?1}}/lib
%dir %{etcjavadir -- %{?1}}/lib/security
%{etcjavadir -- %{?1}}/lib/security/cacerts
+%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
%dir %{etcjavadir -- %{?1}}/conf
%dir %{etcjavadir -- %{?1}}/conf/sdp
%dir %{etcjavadir -- %{?1}}/conf/management
@@ -939,7 +960,7 @@ exit 0
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
-%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@@ -978,13 +999,12 @@ exit 0
%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
@@ -1043,10 +1063,10 @@ exit 0
}
%define files_static_libs() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
+%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
%define files_javadoc() %{expand:
@@ -1105,7 +1125,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-Requires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 18.0.1.1
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1266,9 +1287,8 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv
URL: http://openjdk.java.net/
-# to regenerate source0 (jdk) run update_package.sh
-# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+# The source tarball, generated using generate_source_tarball.sh
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1296,6 +1316,9 @@ Source14: TestECDSA.java
# Verify system crypto (policy) can be disabled via a property
Source15: TestSecurityProperties.java
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
# nss fips configuration file
Source17: nss.fips.cfg.in
@@ -1316,12 +1339,13 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# Depend on pcsc-lite-libs instead of pcs-lite-devel as this is only in optional repo
+# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
# Crypto policy and FIPS support patches
-# Patch is generated from the fips-18u tree at https://github.com/gnu-andrew/jdk/commits/fips-18u
-# as follows: git diff jdk-18+ > fips-18u-$(git show -s --format=%h HEAD).patch
+# Patch is generated from the fips-18u tree at https://github.com/rh-openjdk/jdk/tree/fips-18u
+# as follows: git diff %%{vcstag} src make > fips-18u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3183, RH1340845: Follow system wide crypto policy
# PR3695: Allow use of system crypto policy to be disabled by the user
@@ -1337,6 +1361,10 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2052819: Fix FIPS reliance on crypto policies
# RH2052829: Detect NSS at Runtime for FIPS detection
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
Patch1001: fips-18u-%{fipsver}.patch
#############################################
@@ -1383,7 +1411,8 @@ BuildRequires: java-latest-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-BuildRequires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 18.0.1.1
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1816,6 +1845,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -1898,10 +1928,10 @@ function buildjdk() {
--with-version-pre="${EA_DESIGNATOR}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
- --with-vendor-name="Red Hat, Inc." \
- --with-vendor-url="https://www.redhat.com/" \
- --with-vendor-bug-url="%{bugs}" \
- --with-vendor-vm-bug-url="%{bugs}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
@@ -1940,32 +1970,117 @@ function installjdk() {
local imagepath=${1}
if [ -d ${imagepath} ] ; then
- # the build (erroneously) removes read permissions from some jars
- # this is a regression in OpenJDK 7 (our compiler):
- # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
- find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
- # Build screws up permissions on binaries
- # https://bugs.openjdk.java.net/browse/JDK-8173610
- find ${imagepath} -iname '*.so' -exec chmod +x {} \;
- find ${imagepath}/bin/ -exec chmod +x {} \;
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
- # Install nss.cfg right away as we will be using the JRE above
- install -m 644 nss.cfg ${imagepath}/conf/security/
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
- # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
- install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
- # Use system-wide tzdata
- rm ${imagepath}/lib/tzdb.dat
- ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
+ # Use system-wide tzdata
+ mv ${imagepath}/lib/tzdb.dat{,.upstream}
+ ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+ # Rename OpenJDK cacerts database
+ mv ${imagepath}/lib/security/cacerts{,.upstream}
+ # Install cacerts symlink needed by some apps which hard-code the path
+ ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+ fi
+}
+
+# Checks on debuginfo must be performed before the files are stripped
+# by the RPM installation stage
+function debugcheckjdk() {
+ local imagepath=${1}
+
+ if [ -d ${imagepath} ] ; then
+
+ so_suffix="so"
+ # Check debug symbols are present and can identify code
+ find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+ do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+ done
+
+ # Make sure gdb can do a backtrace based on line numbers on libjvm.so
+ # javaCalls.cpp:58 should map to:
+ # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+ # Using line number 1 might cause build problems. See:
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+ gdb -q "${imagepath}/bin/java" < man/man1/%{alt_java_name}.1
- cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
- popd
fi
}
@@ -2035,138 +2150,15 @@ for suffix in %{build_loop} ; do
# Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+ # Check debug symbols were built into the dynamic libraries
+ debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+ # Print release information
+ cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
# build cycles
done # end of release / debug cycle loop
-%check
-
-# We test debug first as it will give better diagnostics on a crash
-for suffix in %{build_loop} ; do
-
-top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
-%if %{include_staticlibs}
-top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
-%endif
-
-export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
-
-#check Shenandoah is enabled
-%if %{use_shenandoah_hotspot}
-$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
-%endif
-
-# Check unlimited policy has been used
-$JAVA_HOME/bin/javac -d . %{SOURCE13}
-$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
-
-# Check ECC is working
-$JAVA_HOME/bin/javac -d . %{SOURCE14}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-
-# Check system crypto (policy) can be disabled
-$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
-
-# Check java launcher has no SSB mitigation
-if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
-
-# Check alt-java launcher has SSB mitigation on supported architectures
-%ifarch %{ssbd_arches}
-nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
-%else
-if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
-%endif
-
-%if %{include_staticlibs}
-# Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
-readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
-readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
-%endif
-
-so_suffix="so"
-# Check debug symbols are present and can identify code
-find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
-do
- if [ -f "$lib" ] ; then
- echo "Testing $lib for debug symbols"
- # All these tests rely on RPM failing the build if the exit code of any set
- # of piped commands is non-zero.
-
- # Test for .debug_* sections in the shared object. This is the main test
- # Stripped objects will not contain these
- eu-readelf -S "$lib" | grep "] .debug_"
- test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
-
- # Test FILE symbols. These will most likely be removed by anything that
- # manipulates symbol tables because it's generally useless. So a nice test
- # that nothing has messed with symbols
- old_IFS="$IFS"
- IFS=$'\n'
- for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
- do
- # We expect to see .cpp files, except for architectures like aarch64 and
- # s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
- done
- IFS="$old_IFS"
-
- # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
- if [ "`basename $lib`" = "libjvm.so" ]; then
- eu-readelf -s "$lib" | \
- grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
- fi
-
- # Test that there are no .gnu_debuglink sections pointing to another
- # debuginfo file. There shouldn't be any debuginfo files, so the link makes
- # no sense either
- eu-readelf -S "$lib" | grep 'gnu'
- if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
- echo "bad .gnu_debuglink section."
- eu-readelf -x .gnu_debuglink "$lib"
- false
- fi
- fi
-done
-
-# Make sure gdb can do a backtrace based on line numbers on libjvm.so
-# javaCalls.cpp:58 should map to:
-# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
-# Using line number 1 might cause build problems. See:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
-# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
-gdb -q "$JAVA_HOME/bin/java" < install -> test
+export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
+%endif
+
+# Check src.zip has all sources. See RHBZ#1130490
+$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
+
+# Check class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
+
+# Check generated class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+
+# build cycles check
+done
+
%if %{include_normal_build}
# intentionally only for non-debug
%pretrans headless -p
@@ -2304,7 +2358,7 @@ local posix = require "posix"
if (os.getenv("debug") == "true") then
debug = true;
print("cjc: in spec debug is on")
-else
+else
debug = false;
end
@@ -2533,6 +2587,59 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Jul 11 2022 Andrew Hughes - 1:18.0.1.1.2-1.rolling
+- Update to jdk-18.0.1.1 interim release
+- Update release notes to actually reflect OpenJDK 18 and subsequent releases 18.0.1 & 18.0.1.1
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+
+* Sat Jul 09 2022 Jayashree Huttanagoudar - 1:18.0.1.0.10-8.rolling
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+
+* Sat Jul 09 2022 Andrew Hughes - 1:18.0.1.0.10-8.rolling
+- Include a test in the RPM to check the build has the correct vendor information.
+
+* Fri Jul 08 2022 Andrew Hughes - 1:18.0.1.0.10-7.rolling
+- Fix whitespace in spec file
+
+* Fri Jul 08 2022 Andrew Hughes - 1:18.0.1.0.10-7.rolling
+- Sequence spec file sections as they are run by rpmbuild (build, install then test)
+
+* Fri Jul 08 2022 Andrew Hughes - 1:18.0.1.0.10-7.rolling
+- Turn on system security properties as part of the build's install section
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Run tests on the installed image, rather than the build image
+- Introduce variables to refer to the static library installation directories
+- Use relative symlinks so they work within the image
+- Run debug symbols check during build stage, before the install strips them
+
+* Thu Jul 07 2022 Stephan Bergmann - 1:18.0.1.0.10-6.rolling
+- Fix flatpak builds by exempting them from bootstrap
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:18.0.1.0.10-5.rolling
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+
+* Thu Jun 30 2022 Stephan Bergmann - 1:18.0.1.0.10-4.rolling
+- Fix flatpak builds (catering for their uncompressed manual pages)
+
+* Fri Jun 24 2022 Andrew Hughes - 1:18.0.1.0.10-3.rolling
+- Update FIPS support to bring in latest changes
+- * RH2023467: Enable FIPS keys export
+- * RH2094027: SunEC runtime permission for FIPS
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Minor sync-ups with java-17-openjdk spec file
+
+* Wed May 25 2022 Andrew Hughes - 1:18.0.1.0.10-2.rolling
+- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build
+
* Wed Apr 27 2022 Jiri Vanek - 1:18.0.1.0.10-1.rolling.
- updated to CPU jdk-18.0.1+10 sources
@@ -2752,7 +2859,7 @@ cjc.mainProgram(args)
* Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling
- update to 16.0.1+9 april cpu tag
-- dropped jdk8259949-allow_cf-protection_on_x86.patch
+- dropped jdk8259949-allow_cf-protection_on_x86.patch
* Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling
- Perform static library build on a separate source tree with bundled image libraries
@@ -2800,7 +2907,7 @@ cjc.mainProgram(args)
* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling
- many cosmetic changes taken from more maintained jdk11
-- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
+- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches
instead of various hardcoded ifarches
- updated systemtap
- added requires excludes for debug pkgs
@@ -2883,7 +2990,7 @@ cjc.mainProgram(args)
* Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling
- Remove s390x workaround flags for GCC 10
- bump buildjdkver to 14
-- uploaded new src tarball
+- uploaded new src tarball
* Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling
- removed a whitespace causing fail of postinstall script
@@ -2903,7 +3010,7 @@ cjc.mainProgram(args)
- fix issues with build with GCC10: JDK-8224851, -fcommon switch
* Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling
-- Add JDK-8224851 patch to resolve aarch64 issues
+- Add JDK-8224851 patch to resolve aarch64 issues
* Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling
- fix Release, as it was broken by last rpmdev-bumpspec
@@ -3224,7 +3331,7 @@ cjc.mainProgram(args)
- Removed unneeded patches:
PStack-808293.patch
multiple-pkcs11-library-init.patch
- ppc_stack_overflow_fix.patch
+ ppc_stack_overflow_fix.patch
- Added patches for s390 Zero builds:
JDK-8201495-s390-java-opts.patch
JDK-8201509-s390-atomic_store.patch
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
index 1aff153..2d9ec35 100644
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
diff --git a/openjdk_news.sh b/openjdk_news.sh
new file mode 100755
index 0000000..560b356
--- /dev/null
+++ b/openjdk_news.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes , 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+SUBDIR=$3
+REPO=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+ echo "No subdirectory specified; using .";
+ SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+ echo "No repository specified; using ${PWD}"
+ REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+ TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+ TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+ TYPE=hg;
+else
+ echo "No Mercurial or Git repository detected.";
+ exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+ echo "ERROR: Need to specify old and new release";
+ exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+ if test "x$TYPE" = "xhg"; then
+ hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \
+ sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2;
+ hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3;
+ else
+ git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+ sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2;
+ touch ${TMPDIR}/fixes3 ; # unused
+ fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
index c697326..c178077 100644
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -9,4 +9,4 @@ index 68a9c1a2d08..7aa25eb2cb7 100644
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
- # Security providers used when global crypto-policies are set to FIPS.
+ # Security providers used when FIPS mode support is active
diff --git a/sources b/sources
index 94b9ab3..0d24fba 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk18u-jdk-18.0.1+10.tar.xz) = 9d4cc24675019f0078540874f0feb884c1f6513886272f2c1f86384c4a882f1b8d7fa6c653ae5f493757203c91b445e0da6559082ba5ef2f53eab27b43e6bea1
+SHA512 (openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz) = 183ff4b1c4b501edd2c2a436a093f9d99ec0df86046ca3ac26d7f44981d72d3036baa1f8b6036288edb6c6fc637468a80e9ea55dffdc1d18b61a237660e103b3