From 624750adb48a5960d66f7475c7ffd8996580d1c2 Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Wed, 25 May 2022 09:59:33 +0100 Subject: [PATCH 01/10] Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build --- java-latest-openjdk.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index a97cf96..0ca64f0 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -130,7 +130,12 @@ # Set of architectures for which java has short vector math library (libsvml.so) %global svml_arches x86_64 # Set of architectures where we verify backtraces with gdb +# s390x fails on RHEL 7 so we exclude it there +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches} +%else %global gdb_arches %{jit_arches} %{zero_arches} +%endif # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -342,7 +347,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 1 +%global rpmrelease 2 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -2533,6 +2538,9 @@ cjc.mainProgram(args) %endif %changelog +* Wed May 25 2022 Andrew Hughes - 1:18.0.1.0.10-2.rolling +- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build + * Wed Apr 27 2022 Jiri Vanek - 1:18.0.1.0.10-1.rolling. - updated to CPU jdk-18.0.1+10 sources From 7bc45a52531b2e3e44398a178c5422fce3cf4f2b Mon Sep 17 00:00:00 2001 From: Andrew John Hughes Date: Fri, 24 Jun 2022 17:41:21 +0100 Subject: [PATCH 02/10] Update FIPS support to bring in latest changes * RH2023467: Enable FIPS keys export * RH2094027: SunEC runtime permission for FIPS * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage * RH2090378: Revert to disabling system security properties and FIPS mode support together Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch Enable system security properties in the RPM (now disabled by default in the FIPS repo) Improve security properties test to check both enabled and disabled behaviour Run security properties test with property debugging on Minor sync-ups with java-17-openjdk spec file --- TestSecurityProperties.java | 34 +- ...997e2e.patch => fips-18u-60131cc7271.patch | 738 ++++++++++++++---- java-latest-openjdk.spec | 52 +- ...ut_nss_cfg_provider_to_java_security.patch | 2 +- 4 files changed, 672 insertions(+), 154 deletions(-) rename fips-18u-39968997e2e.patch => fips-18u-60131cc7271.patch (83%) diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java index 06a0b07..552bd0f 100644 --- a/TestSecurityProperties.java +++ b/TestSecurityProperties.java @@ -9,35 +9,59 @@ public class TestSecurityProperties { // JDK 8 private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"; + + private static final String MSG_PREFIX = "DEBUG: "; + public static void main(String[] args) { + if (args.length == 0) { + System.err.println("TestSecurityProperties "); + System.err.println("Invoke with 'true' if system security properties should be enabled."); + System.err.println("Invoke with 'false' if system security properties should be disabled."); + System.exit(1); + } + boolean enabled = Boolean.valueOf(args[0]); + System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled); Properties jdkProps = new Properties(); loadProperties(jdkProps); + if (enabled) { + loadPolicy(jdkProps); + } for (Object key: jdkProps.keySet()) { String sKey = (String)key; String securityVal = Security.getProperty(sKey); String jdkSecVal = jdkProps.getProperty(sKey); if (!securityVal.equals(jdkSecVal)) { - String msg = "Expected value '" + jdkSecVal + "' for key '" + + String msg = "Expected value '" + jdkSecVal + "' for key '" + sKey + "'" + " but got value '" + securityVal + "'"; throw new RuntimeException("Test failed! " + msg); } else { - System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected."); } } System.out.println("TestSecurityProperties PASSED!"); } - + private static void loadProperties(Properties props) { String javaVersion = System.getProperty("java.version"); - System.out.println("Debug: Java version is " + javaVersion); + System.out.println(MSG_PREFIX + "Java version is " + javaVersion); String propsFile = JDK_PROPS_FILE_JDK_11; if (javaVersion.startsWith("1.8.0")) { propsFile = JDK_PROPS_FILE_JDK_8; } - try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + try (FileInputStream fin = new FileInputStream(propsFile)) { props.load(fin); } catch (Exception e) { throw new RuntimeException("Test failed!", e); } } + + private static void loadPolicy(Properties props) { + try (FileInputStream fin = new FileInputStream(POLICY_FILE)) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } + } diff --git a/fips-18u-39968997e2e.patch b/fips-18u-60131cc7271.patch similarity index 83% rename from fips-18u-39968997e2e.patch rename to fips-18u-60131cc7271.patch index dada82c..f807876 100644 --- a/fips-18u-39968997e2e.patch +++ b/fips-18u-60131cc7271.patch @@ -1398,7 +1398,7 @@ index a020e1c15d8..6d459fdec01 100644 // Return the instance of this class or create one if needed. diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index 2ee706c2448..a4d61eeec20 100644 +index 2ee706c2448..8f4c44a1436 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -32,6 +32,7 @@ import java.net.URL; @@ -1409,7 +1409,7 @@ index 2ee706c2448..a4d61eeec20 100644 import jdk.internal.access.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -47,6 +48,9 @@ import sun.security.jca.*; +@@ -47,12 +48,20 @@ import sun.security.jca.*; * implementation-specific location, which is typically the properties file * {@code conf/security/java.security} in the Java installation directory. * @@ -1419,7 +1419,18 @@ index 2ee706c2448..a4d61eeec20 100644 * @author Benjamin Renaud * @since 1.1 */ -@@ -67,6 +71,19 @@ public final class Security { + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -67,6 +76,19 @@ public final class Security { } static { @@ -1439,7 +1450,15 @@ index 2ee706c2448..a4d61eeec20 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -99,6 +116,7 @@ public final class Security { +@@ -84,6 +106,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -99,6 +122,7 @@ public final class Security { if (sdebug != null) { sdebug.println("reading security properties file: " + propFile); @@ -1447,30 +1466,63 @@ index 2ee706c2448..a4d61eeec20 100644 } } catch (IOException e) { if (sdebug != null) { -@@ -193,6 +211,28 @@ public final class Security { +@@ -193,6 +217,61 @@ public final class Security { } } -+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); -+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && -+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { -+ if (!SystemConfigurator.configureSysProps(props)) { ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { + if (sdebug != null) { -+ sdebug.println("WARNING: System properties could not be loaded."); ++ sdebug.println("WARNING: System security properties could not be loaded."); + } + } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } + } + + // FIPS support depends on the contents of java.security so + // ensure it has loaded first -+ if (loadedProps) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS support enabled."); -+ } else { -+ sdebug.println("FIPS support disabled."); ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); + } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); + } + } } @@ -1478,10 +1530,10 @@ index 2ee706c2448..a4d61eeec20 100644 /* diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 -index 00000000000..da2af5defda +index 00000000000..98ffced455b --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,245 @@ +@@ -0,0 +1,249 @@ +/* + * Copyright (c) 2019, 2021, Red Hat, Inc. + * @@ -1562,13 +1614,13 @@ index 00000000000..da2af5defda + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { -+ boolean loadedProps = false; ++ boolean systemSecPropsLoaded = false; + + try (BufferedInputStream bis = + new BufferedInputStream( + new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { + props.load(bis); -+ loadedProps = true; ++ systemSecPropsLoaded = true; + if (sdebug != null) { + sdebug.println("reading system security properties file " + + CRYPTO_POLICIES_JAVA_CONFIG); @@ -1581,7 +1633,7 @@ index 00000000000..da2af5defda + e.printStackTrace(); + } + } -+ return loadedProps; ++ return systemSecPropsLoaded; + } + + /* @@ -1653,6 +1705,8 @@ index 00000000000..da2af5defda + sdebug.println("FIPS support enabled without plain key support"); + } + } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } + } + } catch (Exception e) { + if (sdebug != null) { @@ -1693,37 +1747,39 @@ index 00000000000..da2af5defda + return plainKeySupportEnabled; + } + -+ /* -+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips -+ * system property is true (default) and the system is in FIPS mode. ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. + * + * There are 2 possible ways in which OpenJDK detects that the system + * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is + * available at OpenJDK's built-time, it is called; 2) otherwise, the + * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode + */ + private static boolean enableFips() throws Exception { -+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); -+ if (shouldEnable) { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); + if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); + } -+ try { -+ shouldEnable = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + shouldEnable); -+ } -+ return shouldEnable; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); + } -+ } else { -+ return false; ++ throw e; + } + } +} @@ -2106,7 +2162,7 @@ index 912cad59714..709d32912ca 100644 /* * Certificates diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java -index ca79f25cc44..16c5ad2e227 100644 +index ca79f25cc44..225517ac69b 100644 --- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java +++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java @@ -27,6 +27,7 @@ package sun.security.rsa; @@ -2128,7 +2184,7 @@ index ca79f25cc44..16c5ad2e227 100644 private void add(Provider p, String type, String algo, String cn, List aliases, HashMap attrs) { services.add(new Provider.Service(p, type, algo, cn, -@@ -56,49 +61,52 @@ public final class SunRsaSignEntries { +@@ -56,49 +61,58 @@ public final class SunRsaSignEntries { // start populating content using the specified provider // common attribute map HashMap attrs = new HashMap<>(3); @@ -2139,43 +2195,11 @@ index ca79f25cc44..16c5ad2e227 100644 + attrs.put("SupportedKeyClasses", + "java.security.interfaces.RSAPublicKey" + + "|java.security.interfaces.RSAPrivateKey"); -+ -+ add(p, "KeyFactory", "RSA", -+ "sun.security.rsa.RSAKeyFactory$Legacy", -+ getAliases("PKCS1"), null); -+ add(p, "KeyPairGenerator", "RSA", -+ "sun.security.rsa.RSAKeyPairGenerator$Legacy", -+ getAliases("PKCS1"), null); -+ addA(p, "Signature", "MD2withRSA", -+ "sun.security.rsa.RSASignature$MD2withRSA", attrs); -+ addA(p, "Signature", "MD5withRSA", -+ "sun.security.rsa.RSASignature$MD5withRSA", attrs); -+ addA(p, "Signature", "SHA1withRSA", -+ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); -+ addA(p, "Signature", "SHA224withRSA", -+ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); -+ addA(p, "Signature", "SHA256withRSA", -+ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); -+ addA(p, "Signature", "SHA384withRSA", -+ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); -+ addA(p, "Signature", "SHA512withRSA", -+ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); -+ addA(p, "Signature", "SHA512/224withRSA", -+ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); -+ addA(p, "Signature", "SHA512/256withRSA", -+ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); -+ addA(p, "Signature", "SHA3-224withRSA", -+ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); -+ addA(p, "Signature", "SHA3-256withRSA", -+ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); -+ addA(p, "Signature", "SHA3-384withRSA", -+ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); -+ addA(p, "Signature", "SHA3-512withRSA", -+ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } -- add(p, "KeyFactory", "RSA", -- "sun.security.rsa.RSAKeyFactory$Legacy", -- getAliases("PKCS1"), null); + add(p, "KeyFactory", "RSA", + "sun.security.rsa.RSAKeyFactory$Legacy", + getAliases("PKCS1"), null); - add(p, "KeyPairGenerator", "RSA", - "sun.security.rsa.RSAKeyPairGenerator$Legacy", - getAliases("PKCS1"), null); @@ -2205,20 +2229,53 @@ index ca79f25cc44..16c5ad2e227 100644 - "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); - addA(p, "Signature", "SHA3-512withRSA", - "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); -+ addA(p, "KeyFactory", "RSASSA-PSS", -+ "sun.security.rsa.RSAKeyFactory$PSS", attrs); ++ ++ if (!systemFipsEnabled) { ++ add(p, "KeyPairGenerator", "RSA", ++ "sun.security.rsa.RSAKeyPairGenerator$Legacy", ++ getAliases("PKCS1"), null); ++ addA(p, "Signature", "MD2withRSA", ++ "sun.security.rsa.RSASignature$MD2withRSA", attrs); ++ addA(p, "Signature", "MD5withRSA", ++ "sun.security.rsa.RSASignature$MD5withRSA", attrs); ++ addA(p, "Signature", "SHA1withRSA", ++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs); ++ addA(p, "Signature", "SHA224withRSA", ++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs); ++ addA(p, "Signature", "SHA256withRSA", ++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs); ++ addA(p, "Signature", "SHA384withRSA", ++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs); ++ addA(p, "Signature", "SHA512withRSA", ++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs); ++ addA(p, "Signature", "SHA512/224withRSA", ++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs); ++ addA(p, "Signature", "SHA512/256withRSA", ++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-224withRSA", ++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs); ++ addA(p, "Signature", "SHA3-256withRSA", ++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs); ++ addA(p, "Signature", "SHA3-384withRSA", ++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs); ++ addA(p, "Signature", "SHA3-512withRSA", ++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs); ++ } + + addA(p, "KeyFactory", "RSASSA-PSS", + "sun.security.rsa.RSAKeyFactory$PSS", attrs); +- addA(p, "KeyPairGenerator", "RSASSA-PSS", +- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); +- addA(p, "Signature", "RSASSA-PSS", +- "sun.security.rsa.RSAPSSSignature", attrs); ++ ++ if (!systemFipsEnabled) { + addA(p, "KeyPairGenerator", "RSASSA-PSS", + "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); + addA(p, "Signature", "RSASSA-PSS", + "sun.security.rsa.RSAPSSSignature", attrs); + } - -- addA(p, "KeyFactory", "RSASSA-PSS", -- "sun.security.rsa.RSAKeyFactory$PSS", attrs); -- addA(p, "KeyPairGenerator", "RSASSA-PSS", -- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs); -- addA(p, "Signature", "RSASSA-PSS", -- "sun.security.rsa.RSAPSSSignature", attrs); ++ addA(p, "AlgorithmParameters", "RSASSA-PSS", "sun.security.rsa.PSSParameters", null); } @@ -2351,7 +2408,7 @@ index 894e26dfad8..8b16378b96b 100644 "sun.security.ssl.SSLContextImpl$TLSContext", List.of("SSL"), null); diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 91b3a01ee57..68a9c1a2d08 100644 +index 91b3a01ee57..33f9fdc6f84 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security @@ -79,6 +79,16 @@ security.provider.tbd=Apple @@ -2359,7 +2416,7 @@ index 91b3a01ee57..68a9c1a2d08 100644 security.provider.tbd=SunPKCS11 +# -+# Security providers used when global crypto-policies are set to FIPS. ++# Security providers used when FIPS mode support is active +# +fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg +fips.provider.2=SUN @@ -2392,16 +2449,24 @@ index 91b3a01ee57..68a9c1a2d08 100644 +# using the system properties file stored at +# /etc/crypto-policies/back-ends/java.config +# -+security.useSystemPropertiesFile=true ++security.useSystemPropertiesFile=false + # # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy -index b22f26947af..cd385d4a010 100644 +index b22f26947af..3ee2ce6ea88 100644 --- a/src/java.base/share/lib/security/default.policy +++ b/src/java.base/share/lib/security/default.policy -@@ -130,6 +130,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { +@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" { + grant codeBase "jrt:/jdk.crypto.ec" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access"; + permission java.lang.RuntimePermission "loadLibrary.sunec"; + permission java.security.SecurityPermission "putProviderProperty.SunEC"; + permission java.security.SecurityPermission "clearProviderProperties.SunEC"; +@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { grant codeBase "jrt:/jdk.crypto.cryptoki" { permission java.lang.RuntimePermission "accessClassInPackage.com.sun.crypto.provider"; @@ -2411,10 +2476,10 @@ index b22f26947af..cd385d4a010 100644 "accessClassInPackage.sun.security.*"; diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java new file mode 100644 -index 00000000000..365575d5d4d +index 00000000000..187be7295f3 --- /dev/null +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,291 @@ +@@ -0,0 +1,490 @@ +/* + * Copyright (c) 2021, Red Hat, Inc. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. @@ -2446,11 +2511,15 @@ index 00000000000..365575d5d4d +import java.security.KeyFactory; +import java.security.Provider; +import java.security.Security; ++import java.security.interfaces.RSAPrivateCrtKey; ++import java.security.interfaces.RSAPrivateKey; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.locks.ReentrantLock; + +import javax.crypto.Cipher; ++import javax.crypto.SecretKeyFactory; ++import javax.crypto.spec.SecretKeySpec; +import javax.crypto.spec.DHPrivateKeySpec; +import javax.crypto.spec.IvParameterSpec; + @@ -2459,8 +2528,10 @@ index 00000000000..365575d5d4d +import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; +import sun.security.pkcs11.wrapper.CK_MECHANISM; +import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import static sun.security.pkcs11.wrapper.PKCS11Exception.*; ++import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; +import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAPrivateCrtKeyImpl; ++import sun.security.rsa.RSAUtil; +import sun.security.rsa.RSAUtil.KeyType; +import sun.security.util.Debug; +import sun.security.util.ECUtil; @@ -2470,15 +2541,21 @@ index 00000000000..365575d5d4d + private static final Debug debug = + Debug.getInstance("sunpkcs11"); + -+ private static P11Key importerKey = null; ++ private static volatile P11Key importerKey = null; ++ private static SecretKeySpec exporterKey = null; ++ private static volatile P11Key exporterKeyP11 = null; + private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ private static CK_MECHANISM importerKeyMechanism = null; ++ // Do not take the exporterKeyLock with the importerKeyLock held. ++ private static final ReentrantLock exporterKeyLock = new ReentrantLock(); ++ private static volatile CK_MECHANISM importerKeyMechanism = null; ++ private static volatile CK_MECHANISM exporterKeyMechanism = null; + private static Cipher importerCipher = null; ++ private static Cipher exporterCipher = null; + -+ private static Provider sunECProvider = null; ++ private static volatile Provider sunECProvider = null; + private static final ReentrantLock sunECProviderLock = new ReentrantLock(); + -+ private static KeyFactory DHKF = null; ++ private static volatile KeyFactory DHKF = null; + private static final ReentrantLock DHKFLock = new ReentrantLock(); + + static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) @@ -2502,7 +2579,8 @@ index 00000000000..365575d5d4d + debug.println("Importer Key could not be" + + " generated."); + } -+ throw new PKCS11Exception(); ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); + } + if (debug != null) { + debug.println("Importer Key successfully" + @@ -2630,7 +2708,8 @@ index 00000000000..365575d5d4d + if (debug != null) { + debug.println("Unrecognized private key type."); + } -+ throw new PKCS11Exception(); ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); + } + } else if (keyClass == CKO_SECRET_KEY) { + if (debug != null) { @@ -2643,14 +2722,19 @@ index 00000000000..365575d5d4d + debug.println("Private or secret key plain bytes could" + + " not be obtained. Import failed."); + } -+ throw new PKCS11Exception(); ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key importer"); + } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); + attributes = new CK_ATTRIBUTE[attrsMap.size()]; + attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); ++ importerKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ } finally { ++ importerKeyLock.unlock(); ++ } + attributes = token.getAttributes(TemplateManager.O_IMPORT, + keyClass, keyType, attributes); + keyID = token.p11.C_UnwrapKey(hSession, @@ -2659,13 +2743,155 @@ index 00000000000..365575d5d4d + debug.println("Imported key ID: " + keyID); + } + } catch (Throwable t) { -+ throw new PKCS11Exception(); ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); + } finally { + importerKey.releaseKeyID(); + } + return Long.valueOf(keyID); + } + ++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject, ++ long keyClass, long keyType, Map sensitiveAttrs) ++ throws PKCS11Exception { ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be exported in" + ++ " system FIPS mode."); ++ } ++ if (exporterKeyP11 == null) { ++ try { ++ exporterKeyLock.lock(); ++ if (exporterKeyP11 == null) { ++ if (exporterKeyMechanism == null) { ++ // Exporter Key creation has not been tried yet. Try it. ++ createExporterKey(token); ++ } ++ if (exporterKeyP11 == null || exporterCipher == null) { ++ if (debug != null) { ++ debug.println("Exporter Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ if (debug != null) { ++ debug.println("Exporter Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ } ++ long exporterKeyID = exporterKeyP11.getKeyID(); ++ try { ++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession, ++ exporterKeyMechanism, exporterKeyID, hObject); ++ byte[] plainExportedKey = null; ++ exporterKeyLock.lock(); ++ try { ++ // No need to reset the cipher object because no multi-part ++ // operations are performed. ++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes); ++ } finally { ++ exporterKeyLock.unlock(); ++ } ++ if (keyClass == CKO_PRIVATE_KEY) { ++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey); ++ } else if (keyClass == CKO_SECRET_KEY) { ++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey; ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " fips key exporter"); ++ } ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } finally { ++ exporterKeyP11.releaseKeyID(); ++ } ++ } ++ ++ private static void exportPrivateKey( ++ Map sensitiveAttrs, long keyType, ++ byte[] plainExportedKey) throws Throwable { ++ if (keyType == CKK_RSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, ++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT); ++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey( ++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey ++ ); ++ CK_ATTRIBUTE attr; ++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) { ++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray(); ++ } ++ if (rsaPKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey; ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) { ++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray(); ++ } ++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) { ++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray(); ++ } ++ } else { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA", ++ CKA_PRIVATE_EXPONENT); ++ } ++ } else if (keyType == CKK_DSA) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ new sun.security.provider.DSAPrivateKey(plainExportedKey) ++ .getX().toByteArray(); ++ } else if (keyType == CKK_EC) { ++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE); ++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs' ++ // size is greater than 0 and no invalid attributes exist ++ sensitiveAttrs.get(CKA_VALUE).pValue = ++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey) ++ .getS().toByteArray(); ++ } else { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " unsupported CKO_PRIVATE_KEY key type: " + keyType); ++ } ++ } ++ ++ private static void checkAttrs(Map sensitiveAttrs, ++ String keyName, long... validAttrs) ++ throws PKCS11Exception { ++ int sensitiveAttrsCount = sensitiveAttrs.size(); ++ if (sensitiveAttrsCount <= validAttrs.length) { ++ int validAttrsCount = 0; ++ for (long validAttr : validAttrs) { ++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++; ++ } ++ if (validAttrsCount == sensitiveAttrsCount) return; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ " invalid attribute types for a " + keyName + " key object"); ++ } ++ + private static void createImporterKey(Token token) { + if (debug != null) { + debug.println("Generating Importer Key..."); @@ -2696,6 +2922,9 @@ index 00000000000..365575d5d4d + } + if (importerKey != null) { + importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec( ++ (byte[])importerKeyMechanism.pParameter), null); + } + } catch (Throwable t) { + // best effort @@ -2703,11 +2932,91 @@ index 00000000000..365575d5d4d + importerCipher = null; + // importerKeyMechanism value is kept initialized to indicate that + // Importer Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Importer Key"); ++ } ++ } ++ } ++ ++ private static void createExporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Exporter Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ byte[] exporterKeyRaw = new byte[32]; ++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw); ++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES"); ++ try { ++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES"); ++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey)); ++ if (exporterKeyP11 != null) { ++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey, ++ new IvParameterSpec( ++ (byte[])exporterKeyMechanism.pParameter), null); ++ } ++ } catch (Throwable t) { ++ // best effort ++ exporterKey = null; ++ exporterKeyP11 = null; ++ exporterCipher = null; ++ // exporterKeyMechanism value is kept initialized to indicate that ++ // Exporter Key creation has been tried and failed. ++ if (debug != null) { ++ debug.println("Error generating the Exporter Key"); ++ } + } + } +} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +index bf0c5f2ba84..a4daed24b82 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +@@ -37,6 +37,8 @@ import javax.crypto.*; + import javax.crypto.interfaces.*; + import javax.crypto.spec.*; + ++import jdk.internal.access.SharedSecrets; ++ + import sun.security.rsa.RSAUtil.KeyType; + import sun.security.rsa.RSAPublicKeyImpl; + import sun.security.rsa.RSAPrivateCrtKeyImpl; +@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil; + */ + abstract class P11Key implements Key, Length { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + private static final long serialVersionUID = -2575874101938349339L; + + private static final String PUBLIC = "public"; +@@ -392,8 +397,9 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), + }); + +- boolean keySensitive = (attrs[0].getBoolean() || +- attrs[1].getBoolean() || !attrs[2].getBoolean()); ++ boolean keySensitive = (!plainKeySupportEnabled && ++ (attrs[0].getBoolean() || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + switch (algorithm) { + case "RSA": +@@ -448,7 +454,8 @@ abstract class P11Key implements Key, Length { + + public String getFormat() { + token.ensureValid(); +- if (sensitive || (extractable == false)) { ++ if (!plainKeySupportEnabled && ++ (sensitive || (extractable == false))) { + return null; + } else { + return "RAW"; diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 9cdbdfa9d6b..1def9c4506e 100644 +index 9cdbdfa9d6b..ea18bdb82a3 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -2728,7 +3037,7 @@ index 9cdbdfa9d6b..1def9c4506e 100644 import jdk.internal.misc.InnocuousThread; import sun.security.util.Debug; import sun.security.util.ResourcesMgr; -@@ -62,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; +@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; */ public final class SunPKCS11 extends AuthProvider { @@ -2739,55 +3048,68 @@ index 9cdbdfa9d6b..1def9c4506e 100644 + .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); + + private static final MethodHandle fipsImportKey; ++ private static final MethodHandle fipsExportKey; + static { + MethodHandle fipsImportKeyTmp = null; ++ MethodHandle fipsExportKeyTmp = null; + if (plainKeySupportEnabled) { + try { + fipsImportKeyTmp = MethodHandles.lookup().findStatic( + FIPSKeyImporter.class, "importKey", + MethodType.methodType(Long.class, SunPKCS11.class, + long.class, CK_ATTRIBUTE[].class)); ++ fipsExportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "exportKey", ++ MethodType.methodType(void.class, SunPKCS11.class, ++ long.class, long.class, ++ long.class, long.class, Map.class)); + } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); ++ throw new SecurityException("FIPS key importer-exporter" + ++ " initialization failed", t); + } + } + fipsImportKey = fipsImportKeyTmp; ++ fipsExportKey = fipsExportKeyTmp; + } + private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -326,9 +353,15 @@ public final class SunPKCS11 extends AuthProvider { +@@ -326,9 +361,19 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; + MethodHandle fipsKeyImporter = null; ++ MethodHandle fipsKeyExporter = null; + if (plainKeySupportEnabled) { + fipsKeyImporter = MethodHandles.insertArguments( + fipsImportKey, 0, this); ++ fipsKeyExporter = MethodHandles.insertArguments( ++ fipsExportKey, 0, this); + } try { - tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, - config.getOmitInitialize()); + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, -+ config.getOmitInitialize(), fipsKeyImporter); ++ config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -343,8 +376,8 @@ public final class SunPKCS11 extends AuthProvider { +@@ -343,8 +388,9 @@ public final class SunPKCS11 extends AuthProvider { } else { initArgs.flags = 0; } - tmpPKCS11 = PKCS11.getInstance(library, functionList, initArgs, - config.getOmitInitialize()); + tmpPKCS11 = PKCS11.getInstance(library, -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter, ++ fipsKeyExporter); } p11 = tmpPKCS11; -@@ -384,6 +417,24 @@ public final class SunPKCS11 extends AuthProvider { +@@ -384,6 +430,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } @@ -2813,35 +3135,52 @@ index 9cdbdfa9d6b..1def9c4506e 100644 if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { throw new UnsupportedOperationException diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index f87690bc24f..81a4dc02b21 100644 +index f87690bc24f..79408353609 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; +@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper; import java.io.File; import java.io.IOException; +import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; import java.util.*; import java.security.AccessController; -@@ -169,16 +170,28 @@ public class PKCS11 { +@@ -167,18 +170,43 @@ public class PKCS11 { + return version; + } ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null, null); ++ } ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, CK_C_INITIALIZE_ARGS pInitArgs, - boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ boolean omitInitialize, MethodHandle fipsKeyImporter, ++ MethodHandle fipsKeyExporter) + throws IOException, PKCS11Exception { // we may only call C_Initialize once per native .so/.dll // so keep a cache using the (non-canonicalized!) path PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; ++ boolean nssFipsMode = fipsKeyImporter != null && ++ fipsKeyExporter != null; if ((pInitArgs != null) && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { - pkcs11 = new PKCS11(pkcs11ModulePath, functionList); + if (nssFipsMode) { + pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); ++ fipsKeyImporter, fipsKeyExporter); + } else { + pkcs11 = new PKCS11(pkcs11ModulePath, functionList); + } @@ -2849,14 +3188,14 @@ index f87690bc24f..81a4dc02b21 100644 - pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); + if (nssFipsMode) { + pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); ++ functionList, fipsKeyImporter, fipsKeyExporter); + } else { + pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); + } } if (omitInitialize == false) { try { -@@ -1971,4 +1984,69 @@ static class SynchronizedPKCS11 extends PKCS11 { +@@ -1971,4 +1999,194 @@ static class SynchronizedPKCS11 extends PKCS11 { super.C_GenerateRandom(hSession, randomData); } } @@ -2866,13 +3205,29 @@ index f87690bc24f..81a4dc02b21 100644 +// is enabled. +static class FIPSPKCS11 extends PKCS11 { + private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; + FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(PKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ FIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.PKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } + } + -+ public synchronized long C_CreateObject(long hSession, ++ public long C_CreateObject(long hSession, + CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { + // Creating sensitive key objects from plain key material in a + // FIPS-configured NSS Software Token is not allowed. We apply @@ -2882,20 +3237,46 @@ index f87690bc24f..81a4dc02b21 100644 + return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) + .longValue(); + } catch (Throwable t) { -+ throw new PKCS11Exception(); ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); + } + } + return super.C_CreateObject(hSession, pTemplate); + } ++ ++ public void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } +} + +// FIPSPKCS11 synchronized counterpart. +static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { + private MethodHandle fipsKeyImporter; ++ private MethodHandle fipsKeyExporter; ++ private MethodHandle hC_GetAttributeValue; + SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { ++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter) ++ throws IOException { + super(pkcs11ModulePath, functionListName); + this.fipsKeyImporter = fipsKeyImporter; ++ this.fipsKeyExporter = fipsKeyExporter; ++ try { ++ hC_GetAttributeValue = MethodHandles.insertArguments( ++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class, ++ "C_GetAttributeValue", MethodType.methodType( ++ void.class, long.class, long.class, ++ CK_ATTRIBUTE[].class), ++ SynchronizedFIPSPKCS11.class), 0, this); ++ } catch (Throwable t) { ++ throw new RuntimeException( ++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" + ++ "::C_GetAttributeValue method not found.", t); ++ } + } + + public synchronized long C_CreateObject(long hSession, @@ -2906,11 +3287,21 @@ index f87690bc24f..81a4dc02b21 100644 + return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) + .longValue(); + } catch (Throwable t) { -+ throw new PKCS11Exception(); ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); + } + } + return super.C_CreateObject(hSession, pTemplate); + } ++ ++ public synchronized void C_GetAttributeValue(long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue, ++ fipsKeyExporter, hSession, hObject, pTemplate); ++ } +} + +private static class FIPSPKCS11Helper { @@ -2924,10 +3315,83 @@ index f87690bc24f..81a4dc02b21 100644 + } + return false; + } ++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue, ++ MethodHandle fipsKeyExporter, long hSession, long hObject, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ Map sensitiveAttrs = new HashMap<>(); ++ List nonSensitiveAttrs = new LinkedList<>(); ++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate, ++ sensitiveAttrs, nonSensitiveAttrs); ++ try { ++ if (sensitiveAttrs.size() > 0) { ++ long keyClass = -1L; ++ long keyType = -1L; ++ try { ++ // Secret and private keys have both class and type ++ // attributes, so we can query them at once. ++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{ ++ new CK_ATTRIBUTE(CKA_CLASS), ++ new CK_ATTRIBUTE(CKA_KEY_TYPE), ++ }; ++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs); ++ keyClass = queryAttrs[0].getLong(); ++ keyType = queryAttrs[1].getLong(); ++ } catch (PKCS11Exception e) { ++ // If the query fails, the object is neither a secret nor a ++ // private key. As this case won't be handled with the FIPS ++ // Key Exporter, we keep keyClass initialized to -1L. ++ } ++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) { ++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType, ++ sensitiveAttrs); ++ if (nonSensitiveAttrs.size() > 0) { ++ CK_ATTRIBUTE[] pNonSensitiveAttrs = ++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()]; ++ int i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ pNonSensitiveAttrs[i++] = nonSensAttr; ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, ++ pNonSensitiveAttrs); ++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we ++ // update the reference on the previous CK_ATTRIBUTEs ++ i = 0; ++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) { ++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue; ++ } ++ } ++ return; ++ } ++ } ++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate); ++ } catch (Throwable t) { ++ if (t instanceof PKCS11Exception) { ++ throw (PKCS11Exception)t; ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR, ++ t.getMessage()); ++ } ++ } ++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate, ++ Map sensitiveAttrs, ++ List nonSensitiveAttrs) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ long type = attr.type; ++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c ++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT || ++ type == CKA_PRIME_1 || type == CKA_PRIME_2 || ++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 || ++ type == CKA_COEFFICIENT) { ++ sensitiveAttrs.put(type, attr); ++ } else { ++ nonSensitiveAttrs.add(attr); ++ } ++ } ++ } +} } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java -index ad2ffc8623b..c59faf26a70 100644 +index ad2ffc8623b..5441fdecea0 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java @@ -190,6 +190,14 @@ public class PKCS11Exception extends Exception { @@ -2935,11 +3399,11 @@ index ad2ffc8623b..c59faf26a70 100644 } + /** -+ * No arguments constructor using CKR_GENERAL_ERROR for the error -+ * code with no extra info for the error message. ++ * Constructor taking the error code from the RV enum and ++ * extra info for error message. + */ -+ public PKCS11Exception() { -+ this(RV.CKR_GENERAL_ERROR.value, null); ++ public PKCS11Exception(RV errorEnum, String extraInfo) { ++ this(errorEnum.value, extraInfo); + } + /** diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 0ca64f0..b1462fb 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -315,7 +315,7 @@ # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver 18 +%global buildjdkver %{featurever} # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} @@ -339,7 +339,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 39968997e2e +%global fipsver 60131cc7271 # Standard JPackage naming and versioning defines %global origin openjdk @@ -347,7 +347,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 2 +%global rpmrelease 3 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -366,6 +366,9 @@ # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} + # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -1271,9 +1274,8 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv URL: http://openjdk.java.net/ -# to regenerate source0 (jdk) run update_package.sh -# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz +# The source tarball, generated using generate_source_tarball.sh +Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -1321,12 +1323,13 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # Restrict access to java-atk-wrapper classes Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcs-lite-devel as this is only in optional repo +# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch # Crypto policy and FIPS support patches -# Patch is generated from the fips-18u tree at https://github.com/gnu-andrew/jdk/commits/fips-18u -# as follows: git diff jdk-18+ > fips-18u-$(git show -s --format=%h HEAD).patch +# Patch is generated from the fips-18u tree at https://github.com/rh-openjdk/jdk/tree/fips-18u +# as follows: git diff %%{vcstag} src make > fips-18u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3183, RH1340845: Follow system wide crypto policy # PR3695: Allow use of system crypto policy to be disabled by the user @@ -1342,6 +1345,10 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2052819: Fix FIPS reliance on crypto policies # RH2052829: Detect NSS at Runtime for FIPS detection # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +# RH2023467: Enable FIPS keys export +# RH2094027: SunEC runtime permission for FIPS +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together Patch1001: fips-18u-%{fipsver}.patch ############################################# @@ -2056,6 +2063,12 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} +# Pre-test setup + +# Turn on system security properties +sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${JAVA_HOME}/conf/security/java.security + #check Shenandoah is enabled %if %{use_shenandoah_hotspot} $JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version @@ -2069,9 +2082,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") -# Check system crypto (policy) can be disabled +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. $JAVA_HOME/bin/javac -d . %{SOURCE15} -$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi @@ -2538,6 +2556,18 @@ cjc.mainProgram(args) %endif %changelog +* Fri Jun 24 2022 Andrew Hughes - 1:18.0.1.0.10-3.rolling +- Update FIPS support to bring in latest changes +- * RH2023467: Enable FIPS keys export +- * RH2094027: SunEC runtime permission for FIPS +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Minor sync-ups with java-17-openjdk spec file + * Wed May 25 2022 Andrew Hughes - 1:18.0.1.0.10-2.rolling - Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch index c697326..c178077 100644 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch @@ -9,4 +9,4 @@ index 68a9c1a2d08..7aa25eb2cb7 100644 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg # - # Security providers used when global crypto-policies are set to FIPS. + # Security providers used when FIPS mode support is active From 26e1d8bb6d07afd59dbfc09bbaa344f71874f45d Mon Sep 17 00:00:00 2001 From: Stephan Bergmann Date: Tue, 14 Jun 2022 13:08:00 +0200 Subject: [PATCH 03/10] Fix flatpak builds (catering for their uncompressed manual pages) ...see for details --- java-latest-openjdk.spec | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index b1462fb..329ec75 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -347,7 +347,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 3 +%global rpmrelease 4 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -947,7 +947,7 @@ exit 0 %ifarch %{sa_arches} %ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb -%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1* %endif %endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo @@ -986,13 +986,12 @@ exit 0 %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jwebserver-%{uniquesuffix -- %{?1}}.1* %if %{with_systemtap} @@ -2556,6 +2555,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jun 30 2022 Stephan Bergmann - 1:18.0.1.0.10-4.rolling +- Fix flatpak builds (catering for their uncompressed manual pages) + * Fri Jun 24 2022 Andrew Hughes - 1:18.0.1.0.10-3.rolling - Update FIPS support to bring in latest changes - * RH2023467: Enable FIPS keys export From 742fc4c474faa17eccbd1b63fedb3ca9105a886f Mon Sep 17 00:00:00 2001 From: Francisco Ferrari Bihurriet Date: Thu, 30 Jun 2022 13:51:25 -0300 Subject: [PATCH 04/10] RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see: https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION --- java-latest-openjdk.spec | 5 ++++- nss.fips.cfg.in | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 329ec75..27d1abc 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -347,7 +347,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 4 +%global rpmrelease 5 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -2555,6 +2555,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:18.0.1.0.10-5.rolling +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode + * Thu Jun 30 2022 Stephan Bergmann - 1:18.0.1.0.10-4.rolling - Fix flatpak builds (catering for their uncompressed manual pages) diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in index 1aff153..2d9ec35 100644 --- a/nss.fips.cfg.in +++ b/nss.fips.cfg.in @@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips +attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true } + From 7d90e62473a25c0836b56ea05b77cafa7d884389 Mon Sep 17 00:00:00 2001 From: Stephan Bergmann Date: Mon, 4 Apr 2022 14:58:57 +0200 Subject: [PATCH 05/10] Fix flatpak builds ...after 19065a8b01585a1aa5f22e38e99fc0c47c597074 "Temporarily move x86 to use Zero in order to get a working build": When building the > if ${run_bootstrap} ; then branch for suffix='' and loop='-main', the second > buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk on the previous line. But installjdk does > rm ${imagepath}/lib/tzdb.dat > ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non- flatpak build) which is not present at build-time (but will be present at runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for the flatpak /app prefix). So using that JDK's compiler during the build kept failing due to java.io.FileNotFoundException for its lib/tzdb.dat. (This was not an issue prior to 19065a8b01585a1aa5f22e38e99fc0c47c597074, as installjdk's modification of lib/tzdb.dat used to be done only for the "Final setup on the main image" at the very end of the build, not during the build for JDKs that are themselves used later during the build.) The easiest workaround for this issue appears to be to just not bootstrap_build in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has been modified through installjdk is used during the build. --- java-latest-openjdk.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 27d1abc..46b7398 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -188,11 +188,15 @@ %global staticlibs_loop %{nil} %endif +%if 0%{?flatpak} +%global bootstrap_build false +%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif +%endif %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from @@ -347,7 +351,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 5 +%global rpmrelease 6 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -2555,6 +2559,9 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jul 07 2022 Stephan Bergmann - 1:18.0.1.0.10-6.rolling +- Fix flatpak builds by exempting them from bootstrap + * Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:18.0.1.0.10-5.rolling - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode From f206f3a913ea440f99ef441b70cabd3ef18383ad Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 5 Jul 2022 18:01:34 +0100 Subject: [PATCH 06/10] Turn on system security properties as part of the build's install section Move cacerts replacement to install section and retain original of this and tzdb.dat Run tests on the installed image, rather than the build image Introduce variables to refer to the static library installation directories Use relative symlinks so they work within the image Run debug symbols check during build stage, before the install strips them --- java-latest-openjdk.spec | 259 +++++++++++++++++++++------------------ 1 file changed, 139 insertions(+), 120 deletions(-) diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 46b7398..1b2125f 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -351,7 +351,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 6 +%global rpmrelease 7 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -415,6 +415,10 @@ # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs +# installation directory for static libraries +%global static_libs_root lib/static +%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall} +%global static_libs_install_dir %{static_libs_arch_dir}/glibc # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch @@ -824,6 +828,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so @@ -882,6 +887,7 @@ exit 0 %dir %{etcjavadir -- %{?1}}/lib %dir %{etcjavadir -- %{?1}}/lib/security %{etcjavadir -- %{?1}}/lib/security/cacerts +%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream %dir %{etcjavadir -- %{?1}}/conf %dir %{etcjavadir -- %{?1}}/conf/sdp %dir %{etcjavadir -- %{?1}}/conf/management @@ -1054,10 +1060,10 @@ exit 0 } %define files_static_libs() %{expand: -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} -%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir} +%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a } %define files_javadoc() %{expand: @@ -1831,6 +1837,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg %build + # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1955,32 +1962,117 @@ function installjdk() { local imagepath=${1} if [ -d ${imagepath} ] ; then - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security + + # Use system-wide tzdata + mv ${imagepath}/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + + # Rename OpenJDK cacerts database + mv ${imagepath}/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security + + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi +} + +# Checks on debuginfo must be performed before the files are stripped +# by the RPM installation stage +function debugcheckjdk() { + local imagepath=${1} + + if [ -d ${imagepath} ] ; then + + so_suffix="so" + # Check debug symbols are present and can identify code + find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib + do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi + done + + # Make sure gdb can do a backtrace based on line numbers on libjvm.so + # javaCalls.cpp:58 should map to: + # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 + # Using line number 1 might cause build problems. See: + # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 + # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 + gdb -q "${imagepath}/bin/java" < man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd fi } @@ -2050,6 +2142,8 @@ for suffix in %{build_loop} ; do # Final setup on the main image top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} + # Check debug symbols were built into the dynamic libraries + debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} # build cycles done # end of release / debug cycle loop @@ -2059,22 +2153,11 @@ done # end of release / debug cycle loop # We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -%if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} -%endif - -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} - -# Pre-test setup - -# Turn on system security properties -sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ - ${JAVA_HOME}/conf/security/java.security +export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} #check Shenandoah is enabled %if %{use_shenandoah_hotspot} -$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version %endif # Check unlimited policy has been used @@ -2106,75 +2189,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} -readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c -%endif - -so_suffix="so" -# Check debug symbols are present and can identify code -find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib -do - if [ -f "$lib" ] ; then - echo "Testing $lib for debug symbols" - # All these tests rely on RPM failing the build if the exit code of any set - # of piped commands is non-zero. - - # Test for .debug_* sections in the shared object. This is the main test - # Stripped objects will not contain these - eu-readelf -S "$lib" | grep "] .debug_" - test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 - - # Test FILE symbols. These will most likely be removed by anything that - # manipulates symbol tables because it's generally useless. So a nice test - # that nothing has messed with symbols - old_IFS="$IFS" - IFS=$'\n' - for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") - do - # We expect to see .cpp files, except for architectures like aarch64 and - # s390 where we expect .o and .oS files - echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" - done - IFS="$old_IFS" - - # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking - if [ "`basename $lib`" = "libjvm.so" ]; then - eu-readelf -s "$lib" | \ - grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" - fi - - # Test that there are no .gnu_debuglink sections pointing to another - # debuginfo file. There shouldn't be any debuginfo files, so the link makes - # no sense either - eu-readelf -S "$lib" | grep 'gnu' - if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then - echo "bad .gnu_debuglink section." - eu-readelf -x .gnu_debuglink "$lib" - false - fi - fi -done - -# Make sure gdb can do a backtrace based on line numbers on libjvm.so -# javaCalls.cpp:58 should map to: -# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 -# Using line number 1 might cause build problems. See: -# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 -# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 -gdb -q "$JAVA_HOME/bin/java" < - 1:18.0.1.0.10-7.rolling +- Turn on system security properties as part of the build's install section +- Move cacerts replacement to install section and retain original of this and tzdb.dat +- Run tests on the installed image, rather than the build image +- Introduce variables to refer to the static library installation directories +- Use relative symlinks so they work within the image +- Run debug symbols check during build stage, before the install strips them + * Thu Jul 07 2022 Stephan Bergmann - 1:18.0.1.0.10-6.rolling - Fix flatpak builds by exempting them from bootstrap From f94bceceab3eb9db4dcbcf37f70ce6feb5fb3746 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Thu, 7 Jul 2022 20:26:58 +0100 Subject: [PATCH 07/10] Sequence spec file sections as they are run by rpmbuild (build, install then test) --- java-latest-openjdk.spec | 129 ++++++++++++++++++++------------------- 1 file changed, 67 insertions(+), 62 deletions(-) diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 1b2125f..4d7b578 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -2148,68 +2148,6 @@ for suffix in %{build_loop} ; do # build cycles done # end of release / debug cycle loop -%check - -# We test debug first as it will give better diagnostics on a crash -for suffix in %{build_loop} ; do - -export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} - -#check Shenandoah is enabled -%if %{use_shenandoah_hotspot} -$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version -%endif - -# Check unlimited policy has been used -$JAVA_HOME/bin/javac -d . %{SOURCE13} -$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel - -# Check ECC is working -$JAVA_HOME/bin/javac -d . %{SOURCE14} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") - -# Check system crypto (policy) is active and can be disabled -# Test takes a single argument - true or false - to state whether system -# security properties are enabled or not. -$JAVA_HOME/bin/javac -d . %{SOURCE15} -export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") -export SEC_DEBUG="-Djava.security.debug=properties" -$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true -$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false - -# Check java launcher has no SSB mitigation -if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi - -# Check alt-java launcher has SSB mitigation on supported architectures -%ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation -%else -if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi -%endif - -%if %{include_staticlibs} -# Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c -%endif - -# Check src.zip has all sources. See RHBZ#1130490 -$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' - -# Check class files include useful debugging information -$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable - -# Check generated class files include useful debugging information -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable -$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable - -# build cycles check -done - %install STRIP_KEEP_SYMTAB=libjvm* @@ -2326,6 +2264,70 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6 # end, dual install done +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +# Tests in the check stage are performed on the installed image +# rpmbuild operates as follows: build -> install -> test +export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} + +#check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. +$JAVA_HOME/bin/javac -d . %{SOURCE15} +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +%if %{include_staticlibs} +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c +%endif + +# Check src.zip has all sources. See RHBZ#1130490 +$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' + +# Check class files include useful debugging information +$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable + +# Check generated class files include useful debugging information +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from" +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable +$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable + +# build cycles check +done + %if %{include_normal_build} # intentionally only for non-debug %pretrans headless -p @@ -2570,6 +2572,9 @@ cjc.mainProgram(args) %endif %changelog +* Fri Jul 08 2022 Andrew Hughes - 1:18.0.1.0.10-7.rolling +- Sequence spec file sections as they are run by rpmbuild (build, install then test) + * Fri Jul 08 2022 Andrew Hughes - 1:18.0.1.0.10-7.rolling - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat From 47c2f1ddce777bdd8a0865bcc0046d7bbd5a5028 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Fri, 8 Jul 2022 02:44:46 +0100 Subject: [PATCH 08/10] Fix whitespace in spec file --- java-latest-openjdk.spec | 175 ++++++++++++++++++++------------------- 1 file changed, 89 insertions(+), 86 deletions(-) diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 4d7b578..cc9812b 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -563,7 +563,7 @@ alternatives \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ - %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext %{set_if_needed_alternatives $key %{family}} @@ -1962,41 +1962,41 @@ function installjdk() { local imagepath=${1} if [ -d ${imagepath} ] ; then - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Turn on system security properties - sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ - ${imagepath}/conf/security/java.security + # Turn on system security properties + sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ + ${imagepath}/conf/security/java.security - # Use system-wide tzdata - mv ${imagepath}/lib/tzdb.dat{,.upstream} - ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + # Use system-wide tzdata + mv ${imagepath}/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - # Rename OpenJDK cacerts database - mv ${imagepath}/lib/security/cacerts{,.upstream} - # Install cacerts symlink needed by some apps which hard-code the path - ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security + # Rename OpenJDK cacerts database + mv ${imagepath}/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd fi } @@ -2007,58 +2007,58 @@ function debugcheckjdk() { if [ -d ${imagepath} ] ; then - so_suffix="so" - # Check debug symbols are present and can identify code - find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib - do - if [ -f "$lib" ] ; then - echo "Testing $lib for debug symbols" - # All these tests rely on RPM failing the build if the exit code of any set - # of piped commands is non-zero. + so_suffix="so" + # Check debug symbols are present and can identify code + find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib + do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. - # Test for .debug_* sections in the shared object. This is the main test - # Stripped objects will not contain these - eu-readelf -S "$lib" | grep "] .debug_" - test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 - # Test FILE symbols. These will most likely be removed by anything that - # manipulates symbol tables because it's generally useless. So a nice test - # that nothing has messed with symbols - old_IFS="$IFS" - IFS=$'\n' - for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") - do - # We expect to see .cpp files, except for architectures like aarch64 and - # s390 where we expect .o and .oS files - echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" - done - IFS="$old_IFS" + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" - # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking - if [ "`basename $lib`" = "libjvm.so" ]; then - eu-readelf -s "$lib" | \ - grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" - fi + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi - # Test that there are no .gnu_debuglink sections pointing to another - # debuginfo file. There shouldn't be any debuginfo files, so the link makes - # no sense either - eu-readelf -S "$lib" | grep 'gnu' - if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then - echo "bad .gnu_debuglink section." - eu-readelf -x .gnu_debuglink "$lib" - false - fi - fi - done + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi + done - # Make sure gdb can do a backtrace based on line numbers on libjvm.so - # javaCalls.cpp:58 should map to: - # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 - # Using line number 1 might cause build problems. See: - # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 - # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 - gdb -q "${imagepath}/bin/java" < - 1:18.0.1.0.10-7.rolling +- Fix whitespace in spec file + * Fri Jul 08 2022 Andrew Hughes - 1:18.0.1.0.10-7.rolling - Sequence spec file sections as they are run by rpmbuild (build, install then test) @@ -2826,7 +2829,7 @@ cjc.mainProgram(args) * Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling - update to 16.0.1+9 april cpu tag -- dropped jdk8259949-allow_cf-protection_on_x86.patch +- dropped jdk8259949-allow_cf-protection_on_x86.patch * Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling - Perform static library build on a separate source tree with bundled image libraries @@ -2874,7 +2877,7 @@ cjc.mainProgram(args) * Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling - many cosmetic changes taken from more maintained jdk11 -- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches +- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches instead of various hardcoded ifarches - updated systemtap - added requires excludes for debug pkgs @@ -2957,7 +2960,7 @@ cjc.mainProgram(args) * Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling - Remove s390x workaround flags for GCC 10 - bump buildjdkver to 14 -- uploaded new src tarball +- uploaded new src tarball * Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling - removed a whitespace causing fail of postinstall script @@ -2977,7 +2980,7 @@ cjc.mainProgram(args) - fix issues with build with GCC10: JDK-8224851, -fcommon switch * Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling -- Add JDK-8224851 patch to resolve aarch64 issues +- Add JDK-8224851 patch to resolve aarch64 issues * Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling - fix Release, as it was broken by last rpmdev-bumpspec @@ -3298,7 +3301,7 @@ cjc.mainProgram(args) - Removed unneeded patches: PStack-808293.patch multiple-pkcs11-library-init.patch - ppc_stack_overflow_fix.patch + ppc_stack_overflow_fix.patch - Added patches for s390 Zero builds: JDK-8201495-s390-java-opts.patch JDK-8201509-s390-atomic_store.patch From c2d24ea2718e97fd2516d664ff20dbe98d7a3052 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Sat, 9 Jul 2022 02:02:43 +0100 Subject: [PATCH 09/10] Include a test in the RPM to check the build has the correct vendor information. Fix issue where CheckVendor.java test erroneously passes when it should fail. Add proper quoting so '&' is not treated as a special character by the shell. --- CheckVendor.java | 57 +++++++++++++++++++++++++++++++++++++ java-latest-openjdk.spec | 61 +++++++++++++++++++++++++--------------- 2 files changed, 96 insertions(+), 22 deletions(-) create mode 100644 CheckVendor.java diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..e2101cf --- /dev/null +++ b/CheckVendor.java @@ -0,0 +1,57 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 3) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL%s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + System.err.printf("Vendor information verified as %s, %s, %s\n", + vendor, vendorURL, vendorBugURL); + } +} diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index cc9812b..01ae52b 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -340,6 +340,26 @@ %global build_hotspot_first 0 %endif +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif + # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches @@ -351,7 +371,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 7 +%global rpmrelease 8 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -392,23 +412,6 @@ %global eaprefix 0. %endif -# Define what url should JVM offer in case of a crash report -# order may be important, epel may have rhel declared -%if 0%{?epel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} -%else -%if 0%{?fedora} -# Does not work for rawhide, keeps the version field empty -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} -%else -%if 0%{?rhel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} -%else -%global bugs https://bugzilla.redhat.com/enter_bug.cgi -%endif -%endif -%endif - # parametrized macros are order-sensitive %global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} @@ -1312,6 +1315,9 @@ Source14: TestECDSA.java # Verify system crypto (policy) can be disabled via a property Source15: TestSecurityProperties.java +# Ensure vendor settings are correct +Source16: CheckVendor.java + # nss fips configuration file Source17: nss.fips.cfg.in @@ -1920,10 +1926,10 @@ function buildjdk() { --with-version-pre="${EA_DESIGNATOR}" \ --with-version-opt=%{lts_designator} \ --with-vendor-version-string="%{vendor_version_string}" \ - --with-vendor-name="Red Hat, Inc." \ - --with-vendor-url="https://www.redhat.com/" \ - --with-vendor-bug-url="%{bugs}" \ - --with-vendor-vm-bug-url="%{bugs}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ @@ -2305,6 +2311,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" + %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} @@ -2572,6 +2582,13 @@ cjc.mainProgram(args) %endif %changelog +* Sat Jul 09 2022 Jayashree Huttanagoudar - 1:18.0.1.0.10-8.rolling +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. + +* Sat Jul 09 2022 Andrew Hughes - 1:18.0.1.0.10-8.rolling +- Include a test in the RPM to check the build has the correct vendor information. + * Fri Jul 08 2022 Andrew Hughes - 1:18.0.1.0.10-7.rolling - Fix whitespace in spec file From fa0aa4658c8bb82e478baca2e883e60b91e4ff59 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Mon, 11 Jul 2022 15:10:14 +0100 Subject: [PATCH 10/10] Update to jdk-18.0.1.1 interim release Update release notes to actually reflect OpenJDK 18 and subsequent releases 18.0.1 & 18.0.1.1 Print release file during build, which should now include a correct SOURCE value from .src-rev Update tarball script with IcedTea GitHub URL and .src-rev generation Include script to generate bug list for release notes Update tzdata requirement to 2022a to match JDK-8283350 --- .gitignore | 1 + NEWS | 1042 +++++------------------------------- generate_source_tarball.sh | 19 +- java-latest-openjdk.spec | 23 +- openjdk_news.sh | 76 +++ sources | 2 +- 6 files changed, 239 insertions(+), 924 deletions(-) create mode 100755 openjdk_news.sh diff --git a/.gitignore b/.gitignore index 5e412df..2576f6f 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ /openjdk-jdk18-jdk-18+37.tar.xz /openjdk-jdk18u-jdk-18.0.1+0.tar.xz /openjdk-jdk18u-jdk-18.0.1+10.tar.xz +/openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz diff --git a/NEWS b/NEWS index 78938f4..0998f22 100644 --- a/NEWS +++ b/NEWS @@ -3,487 +3,95 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 17.0.2 (2022-01-18): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1702 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt - -* Security fixes - - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside - - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization - - JDK-8268488: More valuable DerValues - - JDK-8268494: Better inlining of inlined interfaces - - JDK-8268512: More content for ContentInfo - - JDK-8268813, CVE-2022-21283: Better String matching - - JDK-8269151: Better construction of EncryptedPrivateKeyInfo - - JDK-8269944: Better HTTP transport redux - - JDK-8270386, CVE-2022-21291: Better verification of scan methods - - JDK-8270392, CVE-2022-21293: Improve String constructions - - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps - - JDK-8270492, CVE-2022-21282: Better resolution of URIs - - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management - - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities - - JDK-8270952, CVE-2022-21277: Improve TIFF file handling - - JDK-8271962: Better TrueType font loading - - JDK-8271968: Better canonical naming - - JDK-8271987: Manifest improved manifest entries - - JDK-8272014, CVE-2022-21305: Better array indexing - - JDK-8272026, CVE-2022-21340: Verify Jar Verification - - JDK-8272236, CVE-2022-21341: Improve serial forms for transport - - JDK-8272272: Enhance jcmd communication - - JDK-8272462: Enhance image handling - - JDK-8273290: Enhance sound handling - - JDK-8273756, CVE-2022-21360: Enhance BMP image support - - JDK-8273838, CVE-2022-21365: Enhanced BMP processing - - JDK-8274096, CVE-2022-21366: Improve decoding of image files +New in release OpenJDK 18.0.1.1 (2022-04-22): +============================================= * Other changes - - JDK-4819544: SwingSet2 JTable Demo throws NullPointerException - - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing - - JDK-8140241: (fc) Data transfer from FileChannel to itself causes hang in case of overlap - - JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java fails intermittently - - JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes) leads to a negative initial size for ByteArrayOutputStream - - JDK-8214761: Bug in parallel Kahan summation implementation - - JDK-8223923: C2: Missing interference with mismatched unsafe accesses - - JDK-8233020: (fs) UnixFileSystemProvider should use StaticProperty.userDir(). - - JDK-8238649: Call new Win32 API SetThreadDescription in os::set_native_thread_name - - JDK-8244675: assert(IncrementalInline || (_late_inlines.length() == 0 && !has_mh_late_inlines())) - - JDK-8261236: C2: ClhsdbJstackXcompStress test fails when StressGCM is enabled - - JDK-8261579: AArch64: Support for weaker memory ordering in Atomic - - JDK-8262031: Create implementation for NSAccessibilityNavigableStaticText protocol - - JDK-8262095: NPE in Flow$FlowAnalyzer.visitApply: Cannot invoke getThrownTypes because tree.meth.type is null - - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert - - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream - - JDK-8263375: Support stack watermarks in Zero VM - - JDK-8263773: Reenable German localization for builds at Oracle - - JDK-8264286: Create implementation for NSAccessibilityColumn protocol peer - - JDK-8264287: Create implementation for NSAccessibilityComboBox protocol peer - - JDK-8264291: Create implementation for NSAccessibilityCell protocol peer - - JDK-8264292: Create implementation for NSAccessibilityList protocol peer - - JDK-8264293: Create implementation for NSAccessibilityMenu protocol peer - - JDK-8264294: Create implementation for NSAccessibilityMenuBar protocol peer - - JDK-8264295: Create implementation for NSAccessibilityMenuItem protocol peer - - JDK-8264296: Create implementation for NSAccessibilityPopUpButton protocol peer - - JDK-8264297: Create implementation for NSAccessibilityProgressIndicator protocol peer - - JDK-8264298: Create implementation for NSAccessibilityRow protocol peer - - JDK-8264303: Create implementation for NSAccessibilityTabGroup protocol peer - - JDK-8266239: Some duplicated javac command-line options have repeated effect - - JDK-8266510: Nimbus JTree default tree cell renderer does not use selected text color - - JDK-8266988: compiler/jvmci/compilerToVM/IsMatureTest.java fails with Unexpected isMature state for multiple times invoked method: expected false to equal true - - JDK-8267256: Extend minimal retry for loopback connections on Windows to PlainSocketImpl - - JDK-8267385: Create NSAccessibilityElement implementation for JavaComponentAccessibility - - JDK-8267387: Create implementation for NSAccessibilityOutline protocol - - JDK-8267388: Create implementation for NSAccessibilityTable protocol - - JDK-8268284: javax/swing/JComponent/7154030/bug7154030.java fails with "Exception: Failed to hide opaque button" - - JDK-8268294: Reusing HttpClient in a WebSocket.Listener hangs. - - JDK-8268361: Fix the infinite loop in next_line - - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML - - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests - - JDK-8268626: Remove native pre-jdk9 support for jtreg failure handler - - JDK-8268860: Windows-Aarch64 build is failing in GitHub actions - - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc - - JDK-8268885: duplicate checkcast when destination type is not first type of intersection type - - JDK-8268893: jcmd to trim the glibc heap - - JDK-8268894: forged ASTs can provoke an AIOOBE at com.sun.tools.javac.jvm.ClassWriter::writePosition - - JDK-8268927: Windows: link error: unresolved external symbol "int __cdecl convert_to_unicode(char const *,wchar_t * *)" - - JDK-8269031: linux x86_64 check for binutils 2.25 or higher after 8265783 - - JDK-8269113: Javac throws when compiling switch (null) - - JDK-8269216: Useless initialization in com/sun/crypto/provider/PBES2Parameters.java - - JDK-8269269: [macos11] SystemIconTest fails with ClassCastException - - JDK-8269280: (bf) Replace StringBuffer in *Buffer.toString() - - JDK-8269481: SctpMultiChannel never releases own file descriptor - - JDK-8269637: javax/swing/JFileChooser/FileSystemView/SystemIconTest.java fails on windows - - JDK-8269656: The test test/langtools/tools/javac/versions/Versions.java has duplicate test cycles - - JDK-8269687: pauth_aarch64.hpp include name is incorrect - - JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0 - - JDK-8269924: Shenandoah: Introduce weak/strong marking asserts - - JDK-8269951: [macos] Focus not painted in JButton when setBorderPainted(false) is invoked - - JDK-8270110: Shenandoah: Add test for JDK-8269661 - - JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to run in all LaFs, including Aqua on macOS - - JDK-8270171: Shenandoah: Cleanup TestStringDedup and TestStringDedupStress tests - - JDK-8270290: NTLM authentication fails if HEAD request is used - - JDK-8270317: Large Allocation in CipherSuite - - JDK-8270320: JDK-8270110 committed invalid copyright headers - - JDK-8270517: Add Zero support for LoongArch - - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS - - JDK-8270886: Crash in PhaseIdealLoop::verify_strip_mined_scheduling - - JDK-8270893: IndexOutOfBoundsException while reading large TIFF file - - JDK-8270901: Typo PHASE_CPP in CompilerPhaseType - - JDK-8270946: X509CertImpl.getFingerprint should not return the empty String - - JDK-8271071: accessibility of a table on macOS lacks cell navigation - - JDK-8271121: ZGC: stack overflow (segv) when -Xlog:gc+start=debug - - JDK-8271142: package help is not displayed for missing X11/extensions/Xrandr.h - - JDK-8271170: Add unit test for what jpackage app launcher puts in the environment - - JDK-8271215: Fix data races in G1PeriodicGCTask - - JDK-8271254: javac generates unreachable code when using empty semicolon statement - - JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with "lists don't have the same size expected" - - JDK-8271308: (fc) FileChannel.transferTo() transfers no more than Integer.MAX_VALUE bytes in one call - - JDK-8271315: Redo: Nimbus JTree renderer properties persist across L&F changes - - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1 - - JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop - - JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck) || outcnt() == 2 assert failure with Test7179138_1.java - - JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity - - JDK-8271463: Updating RE Configs for Upcoming CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. - - JDK-8271490: [ppc] [s390]: Crash in JavaThread::pd_get_top_frame_for_profiling - - JDK-8271560: sun/security/ssl/DHKeyExchange/LegacyDHEKeyExchange.java still fails due to "An established connection was aborted by the software in your host machine" - - JDK-8271567: AArch64: AES Galois CounterMode (GCM) interleaved implementation using vector instructions - - JDK-8271600: C2: CheckCastPP which should closely follow Allocate is sunk of a loop - - JDK-8271605: Update JMH devkit to 1.32 - - JDK-8271718: Crash when during color transformation the color profile is replaced - - JDK-8271722: [TESTBUG] gc/g1/TestMixedGCLiveThreshold.java can fail if G1 Full GC uses >1 workers - - JDK-8271855: [TESTBUG] Wrong weakCompareAndSet assumption in UnsafeIntrinsicsTest - - JDK-8271862: C2 intrinsic for Reference.refersTo() is often not used - - JDK-8271868: Warn user when using mac-sign option with unsigned app-image. - - JDK-8271895: UnProblemList javax/swing/JComponent/7154030/bug7154030.java in JDK18 - - JDK-8271954: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272047: java/nio/channels/FileChannel/Transfer2GPlus.java failed with Unexpected transfer size: 2147418112 - - JDK-8272095: ProblemList java/nio/channels/FileChannel/Transfer2GPlus.java on linux-aarch64 - - JDK-8272114: Unused _last_state in osThread_windows - - JDK-8272170: Missing memory barrier when checking active state for regions - - JDK-8272305: several hotspot runtime/modules don't check exit codes - - JDK-8272318: Improve performance of HeapDumpAllTest - - JDK-8272328: java.library.path is not set properly by Windows jpackage app launcher - - JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes - - JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/PageDialogMarginTest.java catches all exceptions - - JDK-8272345: macos doesn't check `os::set_boot_path()` result - - JDK-8272369: java/io/File/GetXSpace.java failed with "RuntimeException: java.nio.file.NoSuchFileException: /run/user/0" - - JDK-8272391: Undeleted debug information - - JDK-8272413: Incorrect num of element count calculation for vector cast - - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong - - JDK-8272562: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272570: C2: crash in PhaseCFG::global_code_motion - - JDK-8272574: C2: assert(false) failed: Bad graph detected in build_loop_late - - JDK-8272639: jpackaged applications using microphone on mac - - JDK-8272703: StressSeed should be set via FLAG_SET_ERGO - - JDK-8272720: Fix the implementation of loop unrolling heuristic with LoopPercentProfileLimit - - JDK-8272783: Epsilon: Refactor tests to improve performance - - JDK-8272836: Limit run time for java/lang/invoke/LFCaching tests - - JDK-8272838: Move CriticalJNI tests out of tier1 - - JDK-8272846: Move some runtime/Metaspace/elastic/ tests out of tier1 - - JDK-8272850: Drop zapping values in the Zap* option descriptions - - JDK-8272854: split runtime/CommandLine/PrintTouchedMethods.java test - - JDK-8272856: DoubleFlagWithIntegerValue uses G1GC-only flag - - JDK-8272859: Javadoc external links should only have feature version number in URL - - JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test groups - - JDK-8272970: Parallelize runtime/InvocationTests/ - - JDK-8272973: Incorrect compile command used by TestIllegalArrayCopyBeforeInfiniteLoop - - JDK-8273021: C2: Improve Add and Xor ideal optimizations - - JDK-8273026: Slow LoginContext.login() on multi threading application - - JDK-8273135: java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java crashes in liblcms.dylib with NULLSeek+0x7 - - JDK-8273165: GraphKit::combine_exception_states fails with "matching stack sizes" assert - - JDK-8273176: handle latest VS2019 in abstract_vm_version - - JDK-8273229: Update OS detection code to recognize Windows Server 2022 - - JDK-8273234: extended 'for' with expression of type tvar causes the compiler to crash - - JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on Windows 32bit - - JDK-8273278: Support XSLT on GraalVM Native Image--deterministic bytecode generation in XSLT - - JDK-8273308: PatternMatchTest.java fails on CI - - JDK-8273314: Add tier4 test groups - - JDK-8273315: Parallelize and increase timeouts for java/foreign/TestMatrix.java test - - JDK-8273318: Some containers/docker/TestJFREvents.java configs are running out of memory - - JDK-8273333: Zero should warn about unimplemented -XX:+LogTouchedMethods - - JDK-8273335: compiler/blackhole tests should not run with interpreter-only VMs - - JDK-8273342: Null pointer dereference in classFileParser.cpp:2817 - - JDK-8273359: CI: ciInstanceKlass::get_canonical_holder() doesn't respect instance size - - JDK-8273361: InfoOptsTest is failing in tier1 - - JDK-8273373: Zero: Cannot invoke JVM in primordial threads on Zero - - JDK-8273375: Remove redundant 'new String' calls after concatenation in java.desktop - - JDK-8273376: Zero: Disable vtable/itableStub gtests - - JDK-8273378: Shenandoah: Remove the remaining uses of os::is_MP - - JDK-8273408: java.lang.AssertionError: typeSig ERROR on generated class property of record - - JDK-8273416: C2: assert(false) failed: bad AD file after JDK-8252372 with UseSSE={0,1} - - JDK-8273440: Zero: Disable runtime/Unsafe/InternalErrorTest.java - - JDK-8273450: Fix the copyright header of SVML files - - JDK-8273451: Remove unreachable return in mutexLocker::wait - - JDK-8273483: Zero: Clear pending JNI exception check in native method handler - - JDK-8273486: Zero: Handle DiagnoseSyncOnValueBasedClasses VM option - - JDK-8273487: Zero: Handle "zero" variant in runtime tests - - JDK-8273489: Zero: Handle UseHeavyMonitors on all monitorenter paths - - JDK-8273498: compiler/c2/Test7179138_1.java timed out - - JDK-8273505: runtime/cds/appcds/loaderConstraints/DynamicLoaderConstraintsTest.java#default-cl crashed with SIGSEGV in MetaspaceShared::link_shared_classes - - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure - - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated - - JDK-8273592: Backout JDK-8271868 - - JDK-8273593: [REDO] Warn user when using mac-sign option with unsigned app-image. - - JDK-8273595: tools/jpackage tests do not work on apt-based Linux distros like Debian - - JDK-8273606: Zero: SPARC64 build fails with si_band type mismatch - - JDK-8273614: Shenandoah: intermittent timeout with ConcurrentGCBreakpoint tests - - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F - - JDK-8273646: Add openssl from path variable also in to Default System Openssl Path in OpensslArtifactFetcher - - JDK-8273678: TableAccessibility and TableRowAccessibility miss autorelease - - JDK-8273695: Safepoint deadlock on VMOperation_lock - - JDK-8273790: Potential cyclic dependencies between Gregorian and CalendarSystem - - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly - - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java - - JDK-8273808: Cleanup AddFontsToX11FontPath - - JDK-8273826: Correct Manifest file name and NPE checks - - JDK-8273887: [macos] java/awt/color/ICC_ColorSpace/MTTransformReplacedProfile.java timed out - - JDK-8273894: ConcurrentModificationException raised every time ReferralsCache drops referral - - JDK-8273902: Memory leak in OopStorage due to bug in OopHandle::release() - - JDK-8273924: ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() - - JDK-8273935: (zipfs) Files.getFileAttributeView() throws UOE instead of returning null when view not supported - - JDK-8273958: gtest/MetaspaceGtests executes unnecessary tests in debug builds - - JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file path contains '+' character - - JDK-8273965: some testlibrary_tests/ir_framework tests fail when c1 disabled - - JDK-8273968: JCK javax_xml tests fail in CI - - JDK-8274056: JavaAccessibilityUtilities leaks JNI objects - - JDK-8274074: SIGFPE with C2 compiled code with -XX:+StressGCM - - JDK-8274083: Update testing docs to mention tiered testing - - JDK-8274087: Windows DLL path not set correctly. - - JDK-8274145: C2: condition incorrectly made redundant with dominating main loop exit condition - - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC - - JDK-8274215: Remove globalsignr2ca root from 17.0.2 - - JDK-8274242: Implement fast-path for ASCII-compatible CharsetEncoders on x86 - - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp - - JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork is deprecated - - JDK-8274325: C4819 warning at vm_version_x86.cpp on Windows after JDK-8234160 - - JDK-8274326: [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m - - JDK-8274329: Fix non-portable HotSpot code in MethodMatcher::parse_method_pattern - - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" - - JDK-8274347: Passing a *nested* switch expression as a parameter causes an NPE during compile - - JDK-8274349: ForkJoinPool.commonPool() does not work with 1 CPU - - JDK-8274381: missing CAccessibility definitions in JNI code - - JDK-8274383: JNI call of getAccessibleSelection on a wrong thread - - JDK-8274401: C2: GraphKit::load_array_element bypasses Access API - - JDK-8274406: RunThese30M.java failed "assert(!LCA_orig->dominates(pred_block) || early->dominates(pred_block)) failed: early is high enough" - - JDK-8274407: (tz) Update Timezone Data to 2021c - - JDK-8274435: EXCEPTION_ACCESS_VIOLATION in BFSClosure::closure_impl - - JDK-8274467: TestZoneInfo310.java fails with tzdata2021b - - JDK-8274468: TimeZoneTest.java fails with tzdata2021b - - JDK-8274501: c2i entry barriers read int as long on AArch64 - - JDK-8274521: jdk/jfr/event/gc/detailed/TestGCLockerEvent.java fails when other GC is selected - - JDK-8274522: java/lang/management/ManagementFactory/MXBeanException.java test fails with Shenandoah - - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah - - JDK-8274550: c2i entry barriers read int as long on PPC - - JDK-8274560: JFR: Add test for OldObjectSample event when using Shenandoah - - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test - - JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with NoSuchElementException after JDK-8271287 - - JDK-8274716: JDWP Spec: the description for the Dispose command confuses suspend with resume. - - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily - - JDK-8274770: [PPC64] resolve_jobject needs a generic implementation to support load barriers - - JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently fails on weak memory model platform - - JDK-8274779: HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST - - JDK-8274840: Update OS detection code to recognize Windows 11 - - JDK-8274848: LambdaMetaFactory::metafactory on REF_invokeSpecial impl method has incorrect behavior - - JDK-8274851: [ppc64] Port zgc to linux on ppc64le - - JDK-8274942: AssertionError at jdk.compiler/com.sun.tools.javac.util.Assert.error(Assert.java:155) - - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11 - - JDK-8275049: [ZGC] missing null check in ZNMethod::log_register - - JDK-8275051: Shenandoah: Correct ordering of requested gc cause and gc request flag - - JDK-8275071: [macos] A11y cursor gets stuck when combobox is closed - - JDK-8275104: IR framework does not handle client VM builds correctly - - JDK-8275110: Correct RE Configs for CPU Release 17.0.2 on master branch for jdk17u-cpu and jdk17u-cpu-open repos. - - JDK-8275131: Exceptions after a touchpad gesture on macOS - - JDK-8275141: recover corrupted line endings for the version-numbers.conf - - JDK-8275145: file.encoding system property has an incorrect value on Windows - - JDK-8275226: Shenandoah: Relax memory constraint for worker claiming tasks/ranges - - JDK-8275302: unexpected compiler error: cast, intersection types and sealed - - JDK-8275426: PretouchTask num_chunks calculation can overflow - - JDK-8275604: Zero: Reformat opclabels_data - - JDK-8275666: serviceability/jvmti/GetObjectSizeClass.java shouldn't have vm.flagless - - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem - - JDK-8275720: CommonComponentAccessibility.createWithParent isWrapped causes mem leak - - JDK-8275766: (tz) Update Timezone Data to 2021e - - JDK-8275809: crash in [CommonComponentAccessibility getCAccessible:withEnv:] - - JDK-8275811: Incorrect instance to dispose - - JDK-8275819: [TableRowAccessibility accessibilityChildren] method is ineffective - - JDK-8275849: TestZoneInfo310.java fails with tzdata2021e - - JDK-8275863: Use encodeASCII for ASCII-compatible DoubleByte encodings - - JDK-8275872: Sync J2DBench run and analyze Makefile targets with build.xml - - JDK-8276025: Hotspot's libsvml.so may conflict with user dependency - - JDK-8276066: Reset LoopPercentProfileLimit for x86 due to suboptimal performance - - JDK-8276076: Updating RE Configs for BUILD REQUEST 17.0.2+3 - - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly - - JDK-8276112: Inconsistent scalar replacement debug info at safepoints - - JDK-8276122: Change openjdk project in jcheck to jdk-updates - - JDK-8276130: Fix Github Actions of JDK17u to account for update version scheme - - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test - - JDK-8276157: C2: Compiler stack overflow during escape analysis on Linux x86_32 - - JDK-8276201: Shenandoah: Race results degenerated GC to enter wrong entry point - - JDK-8276205: Shenandoah: CodeCache_lock should always be held for initializing code cache iteration - - JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails intermittently on storage acquisition - - JDK-8276536: Update TimeZoneNames files to follow the changes made by JDK-8275766 - - JDK-8276550: Use SHA256 hash in build.tools.depend.Depend - - JDK-8276572: Fake libsyslookup.so library causes tooling issues - - JDK-8276774: Cookie stored in CookieHandler not sent if user headers contain cookie - - JDK-8276801: gc/stress/CriticalNativeStress.java fails intermittently with Shenandoah - - JDK-8276805: java/awt/print/PrinterJob/CheckPrivilege.java fails due to disabled SecurityManager - - JDK-8276845: (fs) java/nio/file/spi/SetDefaultProvider.java fails on x86_32 - - JDK-8276846: JDK-8273416 is incomplete for UseSSE=1 - - JDK-8276854: Windows GHA builds fail due to broken Cygwin - - JDK-8276864: Update boot JDKs to 17.0.1 in GHA - - JDK-8276905: Use appropriate macosx_version_minimum value while compiling metal shaders - - JDK-8276927: [ppc64] Port shenandoahgc to linux on ppc64le - - JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify output array sizes - - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element - - JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points - - JDK-8277195: missing CAccessibility definition in [CommonComponentAccessibility accessibilityHitTest] - - JDK-8277212: GC accidentally cleans valid megamorphic vtable inline caches - - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE - - JDK-8277529: SIGSEGV in C2 CompilerThread Node::rematerialize() compiling Packet::readUnsignedTrint - - JDK-8277981: String Deduplication table is never cleaned up due to bad dead_factor_for_cleanup + - JDK-8283350: (tz) Update Timezone Data to 2022a + - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException + - JDK-8284920: Incorrect Token type causes XPath expression to return incorrect results + - JDK-8285391: Update the release version for respin April CPU22_04 for release jdk18.0.1.1 + - JDK-8285445: cannot open file "NUL:" + - JDK-8285454: Update the JBS version for respin of April CPU22_04 Notes on individual issues: =========================== -core-libs/java.io:serialization: - -JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element -========================================================================================= -`java.util.Vector` is updated to correctly report -`ClassNotFoundException that occurs during deserialization using -`java.io.ObjectInputStream.GetField.get(name, object)` when the class -of an element of the Vector is not found. Without this fix, a -`StreamCorruptedException` is thrown that does not provide information -about the missing class. - -security-libs/java.security: - -JDK-8272535: Removed Google's GlobalSign Root Certificate -========================================================= -The following root certificate from Google has been removed from the -`cacerts` keystore: - -Alias Name: globalsignr2ca [jdk] -Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 - core-libs/java.io: -JDK-8275343: file.encoding System Property Has an Incorrect Value on Windows -============================================================================ -The initialization of the `file.encoding` system property on non macOS -platforms has been reverted to align with the behavior on or before -JDK 11. This has been an issue especially on Windows where the system -and user's locales are not the same. +JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File +================================================================================================= +The Windows implementation of `java.io.File` allows access to NTFS +Alternate Data Streams (ADS) by default. Such streams have a structure +like “filename:streamname”. A system property `jdk.io.File.enableADS` +has been added to control this behavior. To disable ADS support in +`java.io.File`, the system property `jdk.io.File.enableADS` should be +set to `false` (case ignored). Stricter path checking however prevents +the use of special devices such as `NUL:` -hotspot/gc: - -JDK-8277533: ZGC: Fixed long Process Non-Strong References times -================================================================ -A bug has been fixed that could cause long "Concurrent Process -Non-Strong References" times with ZGC. The bug blocked the GC from -making significant progress, and caused both latency and throughput -issues for the Java application. - -The long times could be seen in the GC logs when running with `-Xlog:gc*` e.g. - -[17606.140s][info][gc,phases ] GC(719) Concurrent Process Non-Strong References 25781.928ms - -core-libs/java.time: - -JDK-8274857: Update Timezone Data to 2021c -=========================================== -IANA Time Zone Database, on which JDK's Date/Time libraries are based, -has been updated to version 2021c -(https://mm.icann.org/pipermail/tz-announce/2021-October/000067.html). Note -that with this update, some of the time zone rules prior to the year -1970 have been modified according to the changes which were introduced -with 2021b. For more detail, refer to the announcement of 2021b -(https://mm.icann.org/pipermail/tz-announce/2021-September/000066.html) - -New in release OpenJDK 17.0.1 (2021-10-19): +New in release OpenJDK 18.0.1 (2022-04-19): =========================================== Live versions of these release notes can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt + * https://builds.shipilev.net/backports-monitor/release-notes-18.0.1.txt * Security fixes - - JDK-8263314: Enhance XML Dsig modes - - JDK-8265167, CVE-2021-35556: Richer Text Editors - - JDK-8265574: Improve handling of sheets - - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit - - JDK-8265776: Improve Stream handling for SSL - - JDK-8266097, CVE-2021-35561: Better hashing support - - JDK-8266103: Better specified spec values - - JDK-8266109: More Resilient Classloading - - JDK-8266115: More Manifest Jar Loading - - JDK-8266137, CVE-2021-35564: Improve Keystore integrity - - JDK-8266689, CVE-2021-35567: More Constrained Delegation - - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic - - JDK-8267712: Better LDAP reference processing - - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking - - JDK-8267735, CVE-2021-35586: Better BMP support - - JDK-8268193: Improve requests of certificates - - JDK-8268199: Correct certificate requests - - JDK-8268205: Enhance DTLS client handshake - - JDK-8268500: Better specified ParameterSpecs - - JDK-8268506: More Manifest Digests - - JDK-8269618, CVE-2021-35603: Better session identification - - JDK-8269624: Enhance method selection support - - JDK-8270398: Enhance canonicalization - - JDK-8270404: Better canonicalization + - JDK-8269938: Enhance XML processing passes redux + - JDK-8270504, CVE-2022-21426: Better XPath expression handling + - JDK-8272255: Completely handle MIDI files + - JDK-8272261: Improve JFR recording file processing + - JDK-8272588: Enhanced recording parsing + - JDK-8272594: Better record of recordings + - JDK-8274221: More definite BER encodings + - JDK-8275151, CVE-2022-21443: Improved Object Identification + - JDK-8277227: Better identification of OIDs + - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support + - JDK-8277672, CVE-2022-21434: Better invocation handler handling + - JDK-8278356: Improve file creation + - JDK-8278449: Improve keychain support + - JDK-8278798: Improve supported intrinsic + - JDK-8278805: Enhance BMP image loading + - JDK-8278972, CVE-2022-21496: Improve URL supports + - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo * Other changes - - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021 - - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails - - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked - - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations - - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" - - JDK-8263531: Remove unused buffer int - - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java - - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type - - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file - - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info. - - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance - - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms - - JDK-8269297: Bump version numbers for JDK 17.0.1 - - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient - - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events - - JDK-8269763: The JEditorPane is blank after JDK-8265167 - - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers - - JDK-8269882: stack-use-after-scope in NewObjectA - - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible - - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status - - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags - - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations - - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode - - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert - - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup - - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error - - JDK-8270344: Session resumption errors - - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added - - JDK-8271276: C2: Wrong JVM state used for receiver null check - - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4 - - JDK-8271589: fatal error with variable shift count integer rotate operation. - - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java - - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests - - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier - - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon - - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj - - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails - - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790 - - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34 - - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182 - - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used - - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848 - - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled - - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed - - JDK-8273358: macOS Monterey does not have the font Times needed by Serif + - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests + - JDK-8267341: macos attempt_reserve_memory_at(arg1, arg2, true) failure + - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled + - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency + - JDK-8274751: Drag And Drop hangs on Windows + - JDK-8276819: javax/print/PrintServiceLookup/FlushCustomClassLoader.java fails to free + - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations + - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 + - JDK-8277795: ldap connection timeout not honoured under contention + - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method + - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT + - JDK-8278472: Invalid value set to CANDIDATEFORM structure + - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs + - JDK-8278869: Bump version numbers for OPENJDK 18.0.1 + - JDK-8279223: Define version in .jcheck/conf + - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers + - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it + - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM + - JDK-8279445: Update JMH devkit to 1.34 + - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN + - JDK-8280414: Memory leak in DefaultProxySelector + - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} + - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound + - JDK-8280785: change milestone to fcs for releases: jdk-11.0.15, jdk-17.0.3, jdk-18.0.1 + - JDK-8280910: Update openjdk project in jcheck to "jdk-updates" for jdk18u + - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix + - JDK-8281093: Violating Attribute-Value Normalization in the XML specification 1.0 + - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 + - JDK-8281262: Windows builds in different directories are not fully reproducible + - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths + - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 + - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8271434: Removed IdenTrust Root Certificate -=============================================== -The following root certificate from IdenTrust has been removed from -the `cacerts` keystore: - -Alias Name: identrustdstx3 [jdk] -Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co. - -New in release OpenJDK 17.0.0 (2021-09-14): +New in release OpenJDK 18.0.0 (2022-03-22): =========================================== -The full list of changes in the interim releases from 11u to 17u can be found at: - * https://builds.shipilev.net/backports-monitor/release-notes-12.txt - * https://builds.shipilev.net/backports-monitor/release-notes-13.txt - * https://builds.shipilev.net/backports-monitor/release-notes-14.txt - * https://builds.shipilev.net/backports-monitor/release-notes-15.txt - * https://builds.shipilev.net/backports-monitor/release-notes-16.txt - * https://builds.shipilev.net/backports-monitor/release-notes-17.txt - Major changes are listed below. Some changes may have been backported -to earlier releases following their first appearance in OpenJDK 12 -through to 17. +to earlier releases following their first appearance in OpenJDK 18. + +The full list of changes in 18u can be found at: +- * https://builds.shipilev.net/backports-monitor/release-notes-18.txt NEW FEATURES ============ @@ -491,94 +99,10 @@ NEW FEATURES Language Features ================= -Switch Expressions -================== -https://openjdk.java.net/jeps/325 -https://openjdk.java.net/jeps/354 -https://openjdk.java.net/jeps/361 - -Extend the `switch` statement so that it can be used as either a -statement or an expression, and that both forms can use either a -"traditional" or "simplified" scoping and control flow behavior. Both -forms can use either traditional `case ... :` labels (with fall -through) or new `case ... ->` labels (with no fall through), with a -further new statement for yielding a value from a `switch` -expression. These changes will simplify everyday coding, and also -prepare the way for the use of pattern matching in `switch`. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 12 & 13 and became final in OpenJDK 14. - -Text Blocks -=========== -https://openjdk.java.net/jeps/355 -https://openjdk.java.net/jeps/368 -https://openjdk.java.net/jeps/378 - -Add text blocks to the Java language. A text block is a multi-line -string literal that avoids the need for most escape sequences, -automatically formats the string in a predictable way, and gives the -developer control over format when desired. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 13 & 14 and became final in OpenJDK 15. - -Pattern Matching for instanceof -=============================== -https://openjdk.java.net/jeps/305 -https://openjdk.java.net/jeps/375 -https://openjdk.java.net/jeps/394 -http://cr.openjdk.java.net/~briangoetz/amber/pattern-match.html - -Enhance the Java programming language with pattern matching for the -`instanceof` operator. Pattern matching allows common logic in a -program, namely the conditional extraction of components from objects, -to be expressed more concisely and safely. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Records -======= -https://openjdk.java.net/jeps/359 -https://openjdk.java.net/jeps/384 -https://openjdk.java.net/jeps/395 - -Enhance the Java programming language with records. Records provide a -compact syntax for declaring classes which are transparent holders for -shallowly immutable data. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 14 & 15 and became final in OpenJDK 16. - -Sealed Classes -============== -https://openjdk.java.net/jeps/360 -https://openjdk.java.net/jeps/397 -https://openjdk.java.net/jeps/409 -https://cr.openjdk.java.net/~briangoetz/amber/datum.html - -Enhance the Java programming language with sealed classes and -interfaces. Sealed classes and interfaces restrict which other classes -or interfaces may extend or implement them. - -This was a preview feature (http://openjdk.java.net/jeps/12) in -OpenJDK 15 & 16 and became final in OpenJDK 17. - -Restore Always-Strict Floating-Point Semantics -============================================== -https://openjdk.java.net/jeps/306 - -Make floating-point operations consistently strict, rather than have -both strict floating-point semantics (`strictfp`) and subtly different -default floating-point semantics. This will restore the original -floating-point semantics to the language and VM, matching the -semantics before the introduction of strict and default floating-point -modes in Java SE 1.2. - Pattern Matching for switch =========================== -https://openjdk.java.net/jeps/406 +https://openjdk.org/jeps/406 +https://openjdk.org/jeps/420 Enhance the Java programming language with pattern matching for `switch` expressions and statements, along with extensions to the @@ -587,100 +111,36 @@ expression to be tested against a number of patterns, each with a specific action, so that complex data-oriented queries can be expressed concisely and safely. -This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK -17. +This was a preview feature (http://openjdk.java.net/jeps/12) in +OpenJDK 17 (JEP 406) and sees a second preview in OpenJDK 18 (JEP +420). Library Features ================ -JVM Constants API -================= -https://openjdk.java.net/jeps/334 +UTF-8 by Default +================ +https://openjdk.org/jeps/400 -Introduce an API to model nominal descriptions of key class-file and -run-time artifacts, in particular constants that are loadable from the -constant pool. +Specify UTF-8 as the default charset of the standard Java APIs. With +this change, APIs that depend upon the default charset will behave +consistently across all implementations, operating systems, locales, +and configurations. -Reimplement the Legacy Socket API -================================= -https://openjdk.java.net/jeps/353 +Reimplement Core Reflection with Method Handles +=============================================== +https://openjdk.org/jeps/416 -Replace the underlying implementation used by the `java.net.Socket` -and `java.net.ServerSocket` APIs with a simpler and more modern -implementation that is easy to maintain and debug. The new -implementation will be easy to adapt to work with user-mode threads, -a.k.a. fibers, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). - -JFR Event Streaming -=================== -https://openjdk.java.net/jeps/349 - -Expose JDK Flight Recorder data for continuous monitoring. - -Non-Volatile Mapped Byte Buffers -================================ -https://openjdk.java.net/jeps/352 - -Add new JDK-specific file mapping modes so that the `FileChannel` API -can be used to create `MappedByteBuffer` instances that refer to -non-volatile memory. - -Helpful NullPointerExceptions -============================= -https://openjdk.java.net/jeps/358 - -Improve the usability of `NullPointerException`s generated by the JVM -by describing precisely which variable was `null`. - -Foreign-Memory Access API -========================= -https://openjdk.java.net/jeps/370 -https://openjdk.java.net/jeps/383 -https://openjdk.java.net/jeps/393 - -Introduce an API to allow Java programs to safely and efficiently -access foreign memory outside of the Java heap. - -This was a incubation feature (https://openjdk.java.net/jeps/11) in -OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory -API in OpenJDK 17 (see below). - -Edwards-Curve Digital Signature Algorithm (EdDSA) -================================================= -https://openjdk.java.net/jeps/339 - -Implement cryptographic signatures using the Edwards-Curve Digital -Signature Algorithm (EdDSA) as described by RFC 8032 -(https://tools.ietf.org/html/rfc8032). - -Hidden Classes -============== -https://openjdk.java.net/jeps/371 - -Introduce hidden classes, which are classes that cannot be used -directly by the bytecode of other classes. Hidden classes are intended -for use by frameworks that generate classes at run time and use them -indirectly, via reflection. A hidden class may be defined as a member -of an access control nest (https://openjdk.java.net/jeps/181), and may -be unloaded independently of other classes. - -Reimplement the Legacy DatagramSocket API -========================================= -https://openjdk.java.net/jeps/373 - -Replace the underlying implementations of the -`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with -simpler and more modern implementations that are easy to maintain and -debug. The new implementations will be easy to adapt to work with -virtual threads, currently being explored in Project Loom -(https://openjdk.java.net/projects/loom). This is a follow-on to JEP -353 (see above), which already reimplemented the legacy Socket API. +Reimplement java.lang.reflect.Method, Constructor, and Field on top of +java.lang.invoke method handles. Making method handles the underlying +mechanism for reflection will reduce the maintenance and development +cost of both the java.lang.reflect and java.lang.invoke APIs. Vector API ========== -https://openjdk.java.net/jeps/338 -https://openjdk.java.net/jeps/414 +https://openjdk.org/jeps/338 +https://openjdk.org/jeps/414 +https://openjdk.org/jeps/417 Provide an initial iteration of an incubator module, `jdk.incubator.vector`, to express vector computations that reliably @@ -689,52 +149,21 @@ supported CPU architectures and thus achieve superior performance to equivalent scalar computations. This is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16. +introduced in OpenJDK 16 (JEP 338). A second round of incubation took +place in OpenJDK 17 (JEP 414) and OpenJDK 18 (JEP 417) sees a third. -Unix-Domain Socket Channels -=========================== -https://openjdk.java.net/jeps/380 +Internet-Address Resolution SPI +=============================== +https://openjdk.org/jeps/418 -Add Unix-domain (`AF_UNIX`) socket support to the socket channel and -server-socket channel APIs in the `java.nio.channels` package. Extend -the inherited channel mechanism to support Unix-domain socket channels -and server socket channels. - -Foreign Linker API (Incubator) -============================== -https://openjdk.java.net/jeps/389 - -Introduce an API that offers statically-typed, pure-Java access to -native code. This API, together with the Foreign-Memory API (see -above), will considerably simplify the otherwise error-prone process -of binding to a native library. - -This was an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 16, now superseded by the Foreign Function & -Memory API in OpenJDK 17 (see below). - -Strongly Encapsulate JDK Internals by Default -============================================= -https://openjdk.java.net/jeps/396 -https://openjdk.java.net/jeps/403 - -Strongly encapsulate all internal elements of the JDK by default, -except for critical internal APIs such as `sun.misc.Unsafe`. It will -no longer be possible to relax the strong encapsulation of internal -elements via a single command-line option, as was possible in OpenJDK -9 through 16. - -Enhanced Pseudo-Random Number Generators -======================================== -https://openjdk.java.net/jeps/356 - -Provide new interface types and implementations for pseudo-random -number generators (PRNGs), including jumpable PRNGs and an additional -class of splittable PRNG algorithms (LXM). +Define a service-provider interface (SPI) for host name and address +resolution, so that java.net.InetAddress can make use of resolvers +other than the platform's built-in resolver. Foreign Function & Memory API ============================= -https://openjdk.java.net/jeps/412 +https://openjdk.org/jeps/412 +https://openjdk.org/jeps/419 Introduce an API by which Java programs can interoperate with code and data outside of the Java runtime. By efficiently invoking foreign @@ -744,253 +173,42 @@ Java programs to call native libraries and process native data without the brittleness and danger of JNI. This API is an incubation feature (https://openjdk.java.net/jeps/11) -introduced in OpenJDK 17, and is an evolution of the Foreign Memory -Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK -16) (see above). - -Context-Specific Deserialization Filters -======================================== -https://openjdk.java.net/jeps/415 - -Allow applications to configure context-specific and -dynamically-selected deserialization filters via a JVM-wide filter -factory that is invoked to select a filter for each individual -deserialization operation. +introduced in OpenJDK 17 (JEP 412), and is an evolution of the Foreign +Memory Access API (OpenJDK 14 through 16) and Foreign Linker API +(OpenJDK 16) (see release notes for java-17-openjdk). OpenJDK 18 sees +a second round of incubation (JEP 419). Tools ===== -Packaging Tool -============== -https://openjdk.java.net/jeps/343 -https://openjdk.java.net/jeps/392 +Simple Web Server +================= +https://openjdk.org/jeps/408 -Provide the `jpackage` tool, for packaging self-contained Java -applications. +Provide a command-line tool, `jwebserver`, to start a minimal web +server that serves static files only. No CGI or servlet-like +functionality is available. This tool will be useful for prototyping, +ad-hoc coding, and testing purposes, particularly in educational +contexts. -JVM Features -============ - -Shenandoah: A Low-Pause-Time Garbage Collector -============================================== -https://openjdk.java.net/jeps/189 -https://openjdk.java.net/jeps/379 - -Add a new garbage collection (GC) algorithm named Shenandoah which -reduces GC pause times by doing evacuation work concurrently with the -running Java threads. Pause times with Shenandoah are independent of -heap size, meaning you will have the same consistent pause times -whether your heap is 200 MB or 200 GB. - -Shenandoah has been provided in Red Hat builds of OpenJDK 8 since -8u131 in April 2017 and in all 11u builds. - -Upstream, it was introduced in OpenJDK 12 as an experimental feature -and became a production feature in OpenJDK 15. It was backported to -OpenJDK 11 with the 11.0.9 release in October 2020. - -Abortable Mixed Collections for G1 -================================== -https://openjdk.java.net/jeps/344 - -Make G1 mixed collections abortable if they might exceed the pause -target. - -Promptly Return Unused Committed Memory from G1 -=============================================== -https://openjdk.java.net/jeps/346 - -Enhance the G1 garbage collector to automatically return Java heap -memory to the operating system when idle. - -Dynamic CDS Archives -==================== -https://openjdk.java.net/jeps/310 -https://openjdk.java.net/jeps/350 - -Extend application class-data sharing to allow the dynamic archiving -of classes at the end of Java application execution. The archived -classes will include all loaded application classes and library -classes that are not present in the default, base-layer CDS archive. - -ZGC: Uncommit Unused Memory (Experimental) -========================================== -https://openjdk.java.net/jeps/351 - -Enhance ZGC to return unused heap memory to the operating system. - -NUMA-Aware Memory Allocation for G1 -=================================== -https://openjdk.java.net/jeps/345 - -Improve G1 performance on large machines by implementing NUMA-aware -memory allocation. - -ZGC on macOS (Experimental) -=========================== -https://openjdk.java.net/jeps/364 - -Port the ZGC garbage collector to macOS. - -ZGC on Windows (Experimental) -============================= -https://openjdk.java.net/jeps/365 - -Port the ZGC garbage collector to Windows. - -ZGC: A Scalable Low-Latency Garbage Collector (Production) -========================================================== -https://openjdk.java.net/jeps/377 - -Change the Z Garbage Collector from an experimental feature into a -product feature. - -ZGC: Concurrent Thread-Stack Processing +Code Snippets in Java API Documentation ======================================= -https://openjdk.java.net/jeps/376 +https://openjdk.org/jeps/413 -Move ZGC thread-stack processing from safepoints to a concurrent -phase. - -Elastic Metaspace -================= -https://openjdk.java.net/jeps/387 - -Return unused HotSpot class-metadata (i.e., metaspace) memory to the -operating system more promptly, reduce metaspace footprint, and -simplify the metaspace code in order to reduce maintenance costs. - -Ports -===== - -Alpine Linux Port -================= -https://openjdk.java.net/jeps/386 - -Port the JDK to Alpine Linux, and to other Linux distributions that -use musl as their primary C library, on both the x64 and AArch64 -architectures, - -Windows/AArch64 Port -==================== -https://openjdk.java.net/jeps/388 - -Port the JDK to Windows/AArch64. - -New macOS Rendering Pipeline -============================ -https://openjdk.java.net/jeps/382 - -Implement a Java 2D internal rendering pipeline for macOS using the -Apple Metal API as alternative to the existing pipeline, which uses -the deprecated Apple OpenGL API. - -macOS/AArch64 Port -================== -https://openjdk.java.net/jeps/391 - -Port the JDK to macOS/AArch64. +Introduce an @snippet tag for JavaDoc's Standard Doclet, to simplify +the inclusion of example source code in API documentation. DEPRECATIONS ============ -Deprecate the ParallelScavenge + SerialOld GC Combination -========================================================= -https://openjdk.java.net/jeps/366 - -Deprecate the combination of the Parallel Scavenge and Serial Old -garbage collection algorithms. - -Deprecate and Disable Biased Locking -==================================== -https://openjdk.java.net/jeps/374 - -Disable biased locking by default, and deprecate all related -command-line options. - -Warnings for Value-Based Classes -================================ -https://openjdk.java.net/jeps/390 - -Designate the primitive wrapper classes as value-based and deprecate -their constructors for removal, prompting new deprecation -warnings. Provide warnings about improper attempts to synchronize on -instances of any value-based classes in the Java Platform. - -Deprecate the Applet API for Removal -==================================== -https://openjdk.java.net/jeps/398 - -Deprecate the Applet API for removal. It is essentially irrelevant -since all web-browser vendors have either removed support for Java -browser plug-ins or announced plans to do so. - -Deprecate the Security Manager for Removal -========================================== -https://openjdk.java.net/jeps/411 - -Deprecate the Security Manager for removal in a future release. The -Security Manager dates from Java 1.0. It has not been the primary -means of securing client-side Java code for many years, and it has -rarely been used to secure server-side code. To move Java forward, we -intend to deprecate the Security Manager for removal in concert with -the legacy Applet API (see above). . - -REMOVALS -======== - -Remove the Concurrent Mark Sweep (CMS) Garbage Collector -======================================================== -https://openjdk.java.net/jeps/363 - -Remove the Concurrent Mark Sweep (CMS) garbage collector. - -Remove the Pack200 Tools and API -================================ -https://openjdk.java.net/jeps/336 -https://openjdk.java.net/jeps/367 - -Remove the `pack200` and `unpack200` tools, and the `Pack200` API in -the `java.util.jar` package. These tools and API were deprecated for -removal in OpenJDK 11 with the express intent to remove them in a -future release. - -Remove the Nashorn JavaScript Engine -==================================== -https://openjdk.java.net/jeps/372 - -Remove the Nashorn JavaScript script engine and APIs, and the `jjs` -tool. The engine, the APIs, and the tool were deprecated for removal -in OpenJDK 11 with the express intent to remove them in a future -release. - -Remove the Solaris and SPARC Ports +Deprecate Finalization for Removal ================================== -https://openjdk.java.net/jeps/362 -https://openjdk.java.net/jeps/381 +https://openjdk.org/jeps/421 -Remove the source code and build support for the Solaris/SPARC, -Solaris/x64, and Linux/SPARC ports. These ports were deprecated for -removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381). - -Remove RMI Activation -===================== -https://openjdk.java.net/jeps/385 -https://openjdk.java.net/jeps/407 -https://docs.oracle.com/en/java/javase/14/docs/specs/rmi/activation.html - -Remove the Remote Method Invocation (RMI) Activation mechanism, while -preserving the rest of RMI. RMI Activation is an obsolete part of RMI -that has been optional since OpenJDK 8 and was deprecated in OpenJDK -15. - -Remove the Experimental AOT and JIT Compiler -============================================ -https://openjdk.java.net/jeps/410 - -Remove the experimental Java-based ahead-of-time (AOT) and -just-in-time (JIT) compiler. This compiler has seen little use since -its introduction and the effort required to maintain it is -significant. Retain the experimental Java-level JVM compiler -interface (JVMCI) so that developers can continue to use -externally-built versions of the compiler for JIT compilation. +Deprecate finalization for removal in a future release. Finalization +remains enabled by default for now, but can be disabled to facilitate +early testing. In a future release it will be disabled by default, and +in a later release it will be removed. Maintainers of libraries and +applications that rely upon finalization should consider migrating to +other resource management techniques such as the try-with-resources +statement and cleaners. diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 515d472..d6a7f8d 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -37,6 +37,8 @@ set -e OPENJDK_URL_DEFAULT=https://github.com COMPRESSION_DEFAULT=xz +# Corresponding IcedTea version +ICEDTEA_VERSION=13.0 if [ "x$1" = "xhelp" ] ; then echo -e "Behaviour may be specified by setting the following variables:\n" @@ -126,11 +128,10 @@ pushd "${FILE_NAME_ROOT}" echo "Syncing EC list with NSS" if [ "x$PR3823" = "x" ] ; then - # originally for 8: - # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag - # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823) + # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch + # Do not push it or publish it echo "PR3823 not found. Downloading..." - wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch + wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3823.patch echo "Applying ${PWD}/pr3823.patch" patch -Np1 < pr3823.patch rm pr3823.patch @@ -142,6 +143,14 @@ pushd "${FILE_NAME_ROOT}" popd fi + # Generate .src-rev so build has knowledge of the revision the tarball was created from + mkdir build + pushd build + sh ${PWD}/../openjdk/configure + make store-source-revision + popd + rm -rf build + echo "Compressing remaining forest" if [ "X$COMPRESSION" = "Xxz" ] ; then SWITCH=cJf @@ -152,5 +161,3 @@ pushd "${FILE_NAME_ROOT}" mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} .. popd echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT." - - diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec index 01ae52b..4fc69de 100644 --- a/java-latest-openjdk.spec +++ b/java-latest-openjdk.spec @@ -311,7 +311,7 @@ %global featurever 18 %global interimver 0 %global updatever 1 -%global patchver 0 +%global patchver 1 # If you bump featurever, you must also bump vendor_version_string # Used via new version scheme. JDK 17 was # GA'ed in March 2022 => 22.3 @@ -370,8 +370,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 10 -%global rpmrelease 8 +%global buildver 2 +%global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -1125,7 +1125,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -Requires: tzdata-java >= 2015d +# 2022a required as of JDK-8283350 in 18.0.1.1 +Requires: tzdata-java >= 2022a # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1410,7 +1411,8 @@ BuildRequires: java-latest-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -BuildRequires: tzdata-java >= 2015d +# 2022a required as of JDK-8283350 in 18.0.1.1 +BuildRequires: tzdata-java >= 2022a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -2151,6 +2153,9 @@ for suffix in %{build_loop} ; do # Check debug symbols were built into the dynamic libraries debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} + # Print release information + cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release + # build cycles done # end of release / debug cycle loop @@ -2582,6 +2587,14 @@ cjc.mainProgram(args) %endif %changelog +* Mon Jul 11 2022 Andrew Hughes - 1:18.0.1.1.2-1.rolling +- Update to jdk-18.0.1.1 interim release +- Update release notes to actually reflect OpenJDK 18 and subsequent releases 18.0.1 & 18.0.1.1 +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 + * Sat Jul 09 2022 Jayashree Huttanagoudar - 1:18.0.1.0.10-8.rolling - Fix issue where CheckVendor.java test erroneously passes when it should fail. - Add proper quoting so '&' is not treated as a special character by the shell. diff --git a/openjdk_news.sh b/openjdk_news.sh new file mode 100755 index 0000000..560b356 --- /dev/null +++ b/openjdk_news.sh @@ -0,0 +1,76 @@ +#!/bin/bash + +# Copyright (C) 2022 Red Hat, Inc. +# Written by Andrew John Hughes , 2012-2022 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +OLD_RELEASE=$1 +NEW_RELEASE=$2 +SUBDIR=$3 +REPO=$4 +SCRIPT_DIR=$(dirname ${0}) + +if test "x${SUBDIR}" = "x"; then + echo "No subdirectory specified; using ."; + SUBDIR="."; +fi + +if test "x$REPO" = "x"; then + echo "No repository specified; using ${PWD}" + REPO=${PWD} +fi + +if test x${TMPDIR} = x; then + TMPDIR=/tmp; +fi + +echo "Repository: ${REPO}" + +if [ -e ${REPO}/.git ] ; then + TYPE=git; +elif [ -e ${REPO}/.hg ] ; then + TYPE=hg; +else + echo "No Mercurial or Git repository detected."; + exit 1; +fi + +if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then + echo "ERROR: Need to specify old and new release"; + exit 2; +fi + +echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO" +rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes +for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO}); +do + if test "x$TYPE" = "xhg"; then + hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ + egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \ + sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2; + hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \ + egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3; + else + git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \ + sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2; + touch ${TMPDIR}/fixes3 ; # unused + fi +done + +sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes +rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 + +echo "In ${TMPDIR}/fixes:" +cat ${TMPDIR}/fixes diff --git a/sources b/sources index 94b9ab3..0d24fba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk18u-jdk-18.0.1+10.tar.xz) = 9d4cc24675019f0078540874f0feb884c1f6513886272f2c1f86384c4a882f1b8d7fa6c653ae5f493757203c91b445e0da6559082ba5ef2f53eab27b43e6bea1 +SHA512 (openjdk-jdk18u-jdk-18.0.1.1+2.tar.xz) = 183ff4b1c4b501edd2c2a436a093f9d99ec0df86046ca3ac26d7f44981d72d3036baa1f8b6036288edb6c6fc637468a80e9ea55dffdc1d18b61a237660e103b3