From 9fe5397a6a6aff45238c222d355cf21dc85a9b8c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 15 2022 06:36:38 +0000 Subject: import java-1.8.0-openjdk-1.8.0.345.b01-5.el9 --- diff --git a/.gitignore b/.gitignore index 35138ce..ccfc525 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index ce1ddd8..493f497 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -11e3bf44f3c54d25e2018fc7df16c231daf041c5 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz +d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 08b5588..a45c520 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,163 +3,6 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 8u352 (2022-10-18): -=========================================== -Live versions of these release notes can be found at: - * https://bit.ly/openjdk8u352 - * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt - -* Security fixes - - JDK-8282252: Improve BigInteger/Decimal validation - - JDK-8285662: Better permission resolution - - JDK-8286511: Improve macro allocation - - JDK-8286519: Better memory handling - - JDK-8286526, CVE-2022-21619: Improve NTLM support - - JDK-8286533, CVE-2022-21626: Key X509 usages - - JDK-8286910, CVE-2022-21624: Improve JNDI lookups - - JDK-8286918, CVE-2022-21628: Better HttpServer service - - JDK-8288508: Enhance ECDSA usage -* Other changes - - JDK-7131823: bug in GIFImageReader - - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate - - JDK-8028265: Add legacy tz tests to OpenJDK - - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000] - - JDK-8049228: Improve multithreaded scalability of InetAddress cache - - JDK-8071507: (ref) Clear phantom reference as soft and weak references do - - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation - - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9 - - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script - - JDK-8139668: Generate README-build.html from markdown - - JDK-8143847: Remove REF_CLEANER reference category - - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl - - JDK-8150669: C1 intrinsic for Class.isPrimitive - - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows - - JDK-8173339: AArch64: Fix minimum stack size computations - - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load - - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing - - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored - - JDK-8183107: PKCS11 regression regarding checkKeySize - - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property - - JDK-8194873: right ALT key hotkeys no longer work in Swing components - - JDK-8201793: (ref) Reference object should not support cloning - - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() - - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. - - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit - - JDK-8235218: Minimal VM is broken after JDK-8173361 - - JDK-8235385: Crash on aarch64 JDK due to long offset - - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles - - JDK-8254178: Remove .hgignore - - JDK-8254318: Remove .hgtags - - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version - - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) - - JDK-8280963: Incorrect PrintFlags formatting on Windows - - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 - - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee - - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3 - - JDK-8285497: Add system property for Java SE specification maintenance version - - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE - - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11 - - JDK-8287521: Bump update version of OpenJDK: 8u352 - - JDK-8288763: Pack200 extraction failure with invalid size - - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses - - JDK-8290000: Bump macOS GitHub actions to macOS 11 - - JDK-8292579: (tz) Update Timezone Data to 2022c - - JDK-8292688: Support Security properties in security.testlibrary.Proc - -Notes on individual issues: -=========================== - -core-libs/java.lang: - -JDK-8201793: (ref) Reference object should not support cloning -============================================================== -`java.lang.ref.Reference::clone` method always throws -`CloneNotSupportedException`. `Reference` objects cannot be -meaningfully cloned. To create a new Reference object, call the -constructor to create a `Reference` object with the same referent and -reference queue instead. - -JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing -=============================================================================================== -`java.lang.ref.Reference.enqueue` method clears the reference object -before it is added to the registered queue. When the `enqueue` method -is called, the reference object is cleared and `get()` method will -return null in OpenJDK 8u352. - -Typically when a reference object is enqueued, it is expected that the -reference object is cleared explicitly via the `clear` method to avoid -memory leak because its referent is no longer referenced. In other -words the `get` method is expected not to be called in common cases -once the `enqueue`method is called. In the case when the `get` method -from an enqueued reference object and existing code attempts to access -members of the referent, `NullPointerException` may be thrown. Such -code will need to be updated. - -JDK-8071507: (ref) Clear phantom reference as soft and weak references do -========================================================================= -This enhancement changes phantom references to be automatically -cleared by the garbage collector as soft and weak references. - -An object becomes phantom reachable after it has been finalized. This -change may cause the phantom reachable objects to be GC'ed earlier - -previously the referent is kept alive until PhantomReference objects -are GC'ed or cleared by the application. This potential behavioral -change might only impact existing code that would depend on -PhantomReference being enqueued rather than when the referent be freed -from the heap. - -security-libs/javax.net.ssl: - -JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles -================================================================ -The TLSv1.3 implementation is now enabled by default for client roles -in 8u352. It has been enabled by default for server roles since 8u272. - -Note that TLS 1.3 is not directly compatible with previous -versions. Enabling it on the client may introduce compatibility issues -on either the server or the client side. Here are some more details on -potential compatibility issues that you should be aware of: - -* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions - use a duplex-close policy. For applications that depend on the - duplex-close policy, there may be compatibility issues when - upgrading to TLS 1.3. - -* The signature_algorithms_cert extension requires that pre-defined - signature algorithms are used for certificate authentication. In - practice, however, an application may use non-supported signature - algorithms. - -* The DSA signature algorithm is not supported in TLS 1.3. If a server - is configured to only use DSA certificates, it cannot upgrade to TLS - 1.3. - -* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 - and prior versions. If an application hard-codes cipher suites which - are no longer supported, it may not be able to use TLS 1.3 without - modifying the application code. - -* The TLS 1.3 session resumption and key update behaviors are - different from TLS 1.2 and prior versions. The compatibility should - be minimal, but it could be a risk if an application depends on the - handshake details of the TLS protocols. - -The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols -system property: - -java -Djdk.tls.client.protocols="TLSv1.2" ... - -Alternatively, an application can explicitly set the enabled protocols -with the javax.net.ssl APIs e.g. - -sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); - -or: - -SSLParameters params = sslSocket.getSSLParameters(); -params.setProtocols(new String[] {"TLSv1.2"}); -slsSocket.setSSLParameters(params); - New in release OpenJDK 8u345 (2022-08-01): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java index 2967a32..552bd0f 100644 --- a/SOURCES/TestSecurityProperties.java +++ b/SOURCES/TestSecurityProperties.java @@ -1,20 +1,3 @@ -/* TestSecurityProperties -- Ensure system security properties can be used to - enable the crypto policies. - Copyright (C) 2022 Red Hat, Inc. - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License -along with this program. If not, see . -*/ import java.io.File; import java.io.FileInputStream; import java.security.Security; diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java deleted file mode 100644 index 7b2f09b..0000000 --- a/SOURCES/TestTranslations.java +++ /dev/null @@ -1,140 +0,0 @@ -/* TestTranslations -- Ensure translations are available for new timezones - Copyright (C) 2022 Red Hat, Inc. - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU Affero General Public License for more details. - -You should have received a copy of the GNU Affero General Public License -along with this program. If not, see . -*/ - -import java.text.DateFormatSymbols; - -import java.time.ZoneId; -import java.time.format.TextStyle; - -import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; -import java.util.Map; -import java.util.Locale; -import java.util.Objects; -import java.util.TimeZone; - -public class TestTranslations { - - private static Map KYIV; - - static { - Map map = new HashMap(); - map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET", - "Eastern European Summer Time", "GMT+03:00", "EEST", - "Eastern European Time", "GMT+02:00", "EET"}); - map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET", - "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST", - "Heure d'Europe de l'Est", "UTC+02:00", "EET"}); - map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ", - "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", - "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); - KYIV = Collections.unmodifiableMap(map); - } - - - public static void main(String[] args) { - if (args.length < 1) { - System.err.println("Test must be started with the name of the locale provider."); - System.exit(1); - } - - String localeProvider = args[0]; - System.out.println("Checking sanity of full zone string set..."); - boolean invalid = Arrays.stream(Locale.getAvailableLocales()) - .peek(l -> System.out.println("Locale: " + l)) - .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) - .flatMap(zs -> Arrays.stream(zs)) - .flatMap(names -> Arrays.stream(names)) - .filter(name -> Objects.isNull(name) || name.isEmpty()) - .findAny() - .isPresent(); - if (invalid) { - System.err.println("Zone string for a locale returned null or empty string"); - System.exit(2); - } - - for (Locale l : KYIV.keySet()) { - String[] expected = KYIV.get(l); - for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) { - String expectedShortStd = null; - String expectedShortDST = null; - String expectedShortGen = null; - - System.out.printf("Checking locale %s for %s...\n", l, id); - - if ("JRE".equals(localeProvider)) { - expectedShortStd = expected[2]; - expectedShortDST = expected[5]; - expectedShortGen = expected[8]; - } else if ("CLDR".equals(localeProvider)) { - expectedShortStd = expected[1]; - expectedShortDST = expected[4]; - expectedShortGen = expected[7]; - } else { - System.err.printf("Invalid locale provider %s\n", localeProvider); - System.exit(3); - } - System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", - localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); - - String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); - String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); - String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); - String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); - String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); - String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); - - if (!expected[0].equals(longStd)) { - System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", - id, l, longStd, expected[0]); - System.exit(4); - } - - if (!expectedShortStd.equals(shortStd)) { - System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", - id, l, shortStd, expectedShortStd); - System.exit(5); - } - - if (!expected[3].equals(longDST)) { - System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", - id, l, longDST, expected[3]); - System.exit(6); - } - - if (!expectedShortDST.equals(shortDST)) { - System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", - id, l, shortDST, expectedShortDST); - System.exit(7); - } - - if (!expected[6].equals(longGen)) { - System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", - id, l, longGen, expected[6]); - System.exit(8); - } - - if (!expectedShortGen.equals(shortGen)) { - System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", - id, l, shortGen, expectedShortGen); - System.exit(9); - } - } - } - } -} diff --git a/SOURCES/fips-8u-6d1aade0648.patch b/SOURCES/fips-8u-6d1aade0648.patch deleted file mode 100644 index 58ab6e5..0000000 --- a/SOURCES/fips-8u-6d1aade0648.patch +++ /dev/null @@ -1,2007 +0,0 @@ -diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac -index 151e5a109f8..a8761b500e0 100644 ---- a/common/autoconf/configure.ac -+++ b/common/autoconf/configure.ac -@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE - LIB_SETUP_ALSA - LIB_SETUP_FONTCONFIG - LIB_SETUP_MISC_LIBS -+LIB_SETUP_SYSCONF_LIBS - LIB_SETUP_STATIC_LINK_LIBSTDCPP - LIB_SETUP_ON_WINDOWS - -diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index 71fabf4dbb3..17f4f50673d 100644 ---- a/common/autoconf/generated-configure.sh -+++ b/common/autoconf/generated-configure.sh -@@ -651,6 +651,9 @@ LLVM_CONFIG - LIBFFI_LIBS - LIBFFI_CFLAGS - STATIC_CXX_SETTING -+USE_SYSCONF_NSS -+NSS_LIBS -+NSS_CFLAGS - LIBDL - LIBM - LIBZIP_CAN_USE_MMAP -@@ -1111,6 +1114,7 @@ with_fontconfig - with_fontconfig_include - with_giflib - with_zlib -+enable_sysconf_nss - with_stdc__lib - with_msvcr_dll - with_msvcp_dll -@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS - FREETYPE_LIBS - ALSA_CFLAGS - ALSA_LIBS -+NSS_CFLAGS -+NSS_LIBS - LIBFFI_CFLAGS - LIBFFI_LIBS - CCACHE' -@@ -1871,6 +1877,8 @@ Optional Features: - disable bundling of the freetype library with the - build result [enabled on Windows or when using - --with-freetype, disabled otherwise] -+ --enable-sysconf-nss build the System Configurator (libsysconf) using the -+ system NSS library if available [disabled] - --enable-sjavac use sjavac to do fast incremental compiles - [disabled] - --disable-precompiled-headers -@@ -2115,6 +2123,8 @@ Some influential environment variables: - linker flags for FREETYPE, overriding pkg-config - ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config - ALSA_LIBS linker flags for ALSA, overriding pkg-config -+ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config -+ NSS_LIBS linker flags for NSS, overriding pkg-config - LIBFFI_CFLAGS - C compiler flags for LIBFFI, overriding pkg-config - LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config -@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - - } # ac_fn_c_check_header_compile -+ -+# ac_fn_c_try_link LINENO -+# ----------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_link () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext conftest$ac_exeext -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest$ac_exeext && { -+ test "$cross_compiling" = yes || -+ test -x conftest$ac_exeext -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information -+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would -+ # interfere with the next link command; also delete a directory that is -+ # left behind by Apple's compiler. We do this before executing the actions. -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_link - cat >config.log <<_ACEOF - This file contains any messages produced by compilers while - running configure, to aid debugging if configure makes a mistake. -@@ -4049,6 +4105,11 @@ fi - - - -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+ -+ - # - # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -@@ -49304,6 +49365,157 @@ fi - LIBS="$save_LIBS" - - -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5 -+$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; } -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ # Check whether --enable-sysconf-nss was given. -+if test "${enable_sysconf_nss+set}" = set; then : -+ enableval=$enable_sysconf_nss; -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ -+else -+ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ -+fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5 -+$as_echo "$sysconf_nss" >&6; } -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ -+pkg_failed=no -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 -+$as_echo_n "checking for NSS... " >&6; } -+ -+if test -n "$NSS_CFLAGS"; then -+ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+if test -n "$NSS_LIBS"; then -+ pkg_cv_NSS_LIBS="$NSS_LIBS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+ -+ -+ -+if test $pkg_failed = yes; then -+ -+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then -+ _pkg_short_errors_supported=yes -+else -+ _pkg_short_errors_supported=no -+fi -+ if test $_pkg_short_errors_supported = yes; then -+ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1` -+ else -+ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1` -+ fi -+ # Put the nasty error message in config.log where it belongs -+ echo "$NSS_PKG_ERRORS" >&5 -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ NSS_FOUND=no -+elif test $pkg_failed = untried; then -+ NSS_FOUND=no -+else -+ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS -+ NSS_LIBS=$pkg_cv_NSS_LIBS -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+ NSS_FOUND=yes -+fi -+ if test "x${NSS_FOUND}" = "xyes"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5 -+$as_echo_n "checking for system FIPS support in NSS... " >&6; } -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+ -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main () -+{ -+SECMOD_GetSystemFIPSEnabled() -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5 -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+ ac_ext=cpp -+ac_cpp='$CXXCPP $CPPFLAGS' -+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -+ -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5 -+ fi -+ fi -+ -+ -+ - ############################################################################### - # - # statically link libstdc++ before C++ ABI is stablized on Linux unless -diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 -index 6efae578ea9..0080846255b 100644 ---- a/common/autoconf/libraries.m4 -+++ b/common/autoconf/libraries.m4 -@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS], - BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) - fi - ]) -+ -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+]) -diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in -index 506cf617087..7241593b1a4 100644 ---- a/common/autoconf/spec.gmk.in -+++ b/common/autoconf/spec.gmk.in -@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@ - ALSA_LIBS:=@ALSA_LIBS@ - ALSA_CFLAGS:=@ALSA_CFLAGS@ - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - PACKAGE_PATH=@PACKAGE_PATH@ - - # Source file for cacerts -diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl -index 3b79a526f56..d2a0e39b206 100644 ---- a/common/bin/compare_exceptions.sh.incl -+++ b/common/bin/compare_exceptions.sh.incl -@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/i386/libsplashscreen.so - ./jre/lib/i386/libsunec.so - ./jre/lib/i386/libsunwjdga.so -+./jre/lib/i386/libsystemconf.so - ./jre/lib/i386/libt2k.so - ./jre/lib/i386/libunpack.so - ./jre/lib/i386/libverify.so -@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/amd64/libsplashscreen.so - ./jre/lib/amd64/libsunec.so - ./jre/lib/amd64/libsunwjdga.so -+//jre/lib/amd64/libsystemconf.so - ./jre/lib/amd64/libt2k.so - ./jre/lib/amd64/libunpack.so - ./jre/lib/amd64/libverify.so -@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/sparc/libsplashscreen.so - ./jre/lib/sparc/libsunec.so - ./jre/lib/sparc/libsunwjdga.so -+./jre/lib/sparc/libsystemconf.so - ./jre/lib/sparc/libt2k.so - ./jre/lib/sparc/libunpack.so - ./jre/lib/sparc/libverify.so -@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/sparcv9/libsplashscreen.so - ./jre/lib/sparcv9/libsunec.so - ./jre/lib/sparcv9/libsunwjdga.so -+./jre/lib/sparcv9/libsystemconf.so - ./jre/lib/sparcv9/libt2k.so - ./jre/lib/sparcv9/libunpack.so - ./jre/lib/sparcv9/libverify.so -diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml -index d2beed0b93a..3b6aef98d9a 100644 ---- a/common/nb_native/nbproject/configurations.xml -+++ b/common/nb_native/nbproject/configurations.xml -@@ -53,6 +53,9 @@ - jvmtiEnterTrace.cpp - - -+ -+ systemconf.c -+ - - - -@@ -12772,6 +12775,11 @@ - tool="0" - flavor2="0"> - -+ -+ - Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - */ - - public final class Security { - -+ private static final String SYS_PROP_SWITCH = -+ "java.security.disableSystemPropertiesFile"; -+ private static final String SEC_PROP_SWITCH = -+ "security.useSystemPropertiesFile"; -+ - /* Are we debugging? -- for developers */ - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -62,6 +72,19 @@ public final class Security { - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -78,6 +101,7 @@ public final class Security { - props = new Properties(); - boolean loadedProps = false; - boolean overrideAll = false; -+ boolean systemSecPropsEnabled = false; - - // first load the system properties file - // to determine the value of security.overridePropertiesFile -@@ -93,6 +117,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -187,6 +212,61 @@ public final class Security { - } - } - -+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); -+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); -+ if (sdebug != null) { -+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); -+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); -+ } -+ if (!sysUseProps && secUseProps) { -+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); -+ if (!systemSecPropsEnabled) { -+ if (sdebug != null) { -+ sdebug.println("WARNING: System security properties could not be loaded."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("System security property support disabled by user."); -+ } -+ } -+ -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { -+ boolean shouldEnable; -+ String sysProp = System.getProperty("com.redhat.fips"); -+ if (sysProp == null) { -+ shouldEnable = true; -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips unset, using default value of true"); -+ } -+ } else { -+ shouldEnable = Boolean.valueOf(sysProp); -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); -+ } -+ } -+ if (shouldEnable) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS mode support configured and enabled."); -+ } else { -+ sdebug.println("FIPS mode support disabled."); -+ } -+ } -+ } else { -+ if (sdebug != null ) { -+ sdebug.println("FIPS mode support disabled by user."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("WARNING: FIPS mode support can not be enabled without " + -+ "system security properties being enabled."); -+ } -+ } - } - - /* -diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java -new file mode 100644 -index 00000000000..a24a0445db2 ---- /dev/null -+++ b/jdk/src/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,248 @@ -+/* -+ * Copyright (c) 2019, 2021, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+final class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; -+ -+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; -+ -+ private static native boolean getSystemFIPSEnabled() -+ throws IOException; -+ -+ static { -+ AccessController.doPrivileged(new PrivilegedAction() { -+ public Void run() { -+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); -+ return null; -+ } -+ }); -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; -+ } -+ -+ /* -+ * Invoked at the end of java.security.Security initialisation -+ * if java.security properties have been loaded -+ */ -+ static boolean configureFIPS(Properties props) { -+ boolean loadedProps = false; -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } -+ loadedProps = true; -+ systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } -+ } else { -+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ -+ /** -+ * Determines whether FIPS mode should be enabled. -+ * -+ * OpenJDK FIPS mode will be enabled only if the system is in -+ * FIPS mode. -+ * -+ * Calls to this method only occur if the system property -+ * com.redhat.fips is not set to false. -+ * -+ * There are 2 possible ways in which OpenJDK detects that the system -+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is -+ * available at OpenJDK's built-time, it is called; 2) otherwise, the -+ * /proc/sys/crypto/fips_enabled file is read. -+ * -+ * @return true if the system is in FIPS mode -+ */ -+ private static boolean enableFips() throws IOException { -+ if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); -+ } -+ try { -+ boolean fipsEnabled = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + fipsEnabled); -+ } -+ return fipsEnabled; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; -+ } -+ } -+} -diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -new file mode 100644 -index 00000000000..5c30a8b29c7 ---- /dev/null -+++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -@@ -0,0 +1,31 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.misc; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java -index f065a2c685d..0dafe6f59cf 100644 ---- a/jdk/src/share/classes/sun/misc/SharedSecrets.java -+++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java -@@ -31,6 +31,7 @@ import java.io.Console; - import java.io.FileDescriptor; - import java.io.ObjectInputStream; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - import java.security.AccessController; -@@ -63,6 +64,7 @@ public class SharedSecrets { - private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; - private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; - private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static JavaUtilJarAccess javaUtilJarAccess() { - if (javaUtilJarAccess == null) { -@@ -248,4 +250,15 @@ public class SharedSecrets { - } - return javaxCryptoSealedObjectAccess; - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ unsafe.ensureClassInitialized(Security.class); -+ } -+ return javaSecuritySystemConfiguratorAccess; -+ } - } -diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 00000000000..14d19450390 ---- /dev/null -+++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,290 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.spec.DHPrivateKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static P11Key importerKey = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ private static CK_MECHANISM importerKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ -+ private static Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ private static KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = P11ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ } -+ } -+} -diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -index fedcd7743ef..f9d70863bd1 100644 ---- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback; - import javax.security.auth.callback.PasswordCallback; - import javax.security.auth.callback.TextOutputCallback; - -+import sun.misc.SharedSecrets; -+ - import sun.security.util.Debug; - import sun.security.util.ResourcesMgr; - -@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - */ - public final class SunPKCS11 extends AuthProvider { - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ } - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, -- config.getOmitInitialize()); -+ config.getOmitInitialize(), fipsKeyImporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider { - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); - } - p11 = tmpPKCS11; - -@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); - } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; -+ try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); -+ } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); -+ } -+ } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException -diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 2e42d1d9fb0..1b7eed1c656 100644 ---- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; - import java.util.*; - - import java.security.AccessController; -@@ -145,18 +146,41 @@ public class PKCS11 { - this.pkcs11ModulePath = pkcs11ModulePath; - } - -+ /* -+ * Compatibility wrapper to allow this method to work as before -+ * when FIPS mode support is not active. -+ */ -+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, -+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -+ boolean omitInitialize) throws IOException, PKCS11Exception { -+ return getInstance(pkcs11ModulePath, functionList, -+ pInitArgs, omitInitialize, null); -+ } -+ - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. -+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+} - } -diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -index ffee2c1603b..98119479823 100644 ---- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -+++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -@@ -33,8 +33,13 @@ import java.security.KeyStore.*; - - import javax.net.ssl.*; - -+import sun.misc.SharedSecrets; -+ - abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - X509ExtendedKeyManager keyManager; - boolean isInitialized; - -@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - KeyStoreException, NoSuchAlgorithmException, - UnrecoverableKeyException { - if ((ks != null) && SunJSSE.isFIPS()) { -- if (ks.getProvider() != SunJSSE.cryptoProvider) { -+ if (ks.getProvider() != SunJSSE.cryptoProvider && -+ !plainKeySupportEnabled) { - throw new KeyStoreException("FIPS mode: KeyStore must be " - + "from provider " + SunJSSE.cryptoProvider.getName()); - } -@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - keyManager = new X509KeyManagerImpl( - Collections.emptyList()); - } else { -- if (SunJSSE.isFIPS() && -- (ks.getProvider() != SunJSSE.cryptoProvider)) { -+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) -+ && !plainKeySupportEnabled) { - throw new KeyStoreException( - "FIPS mode: KeyStore must be " + - "from provider " + SunJSSE.cryptoProvider.getName()); -diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -index 820e10164fc..6fe2c29389f 100644 ---- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -@@ -31,6 +31,7 @@ import java.security.*; - import java.security.cert.*; - import java.util.*; - import javax.net.ssl.*; -+import sun.misc.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static { - if (SunJSSE.isFIPS()) { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- ); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); - -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, -@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getSupportedProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[]{ - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -index 2845dc37938..52337a7b6cf 100644 ---- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -+++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER; - - import java.security.*; - -+import sun.misc.SharedSecrets; -+ - /** - * The JSSE provider. - * -@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider { - "sun.security.ssl.SSLContextImpl$TLS11Context"); - put("SSLContext.TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context"); -- put("SSLContext.TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context"); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ put("SSLContext.TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context"); -+ } - put("SSLContext.TLS", - "sun.security.ssl.SSLContextImpl$TLSContext"); - if (isfips == false) { -diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix -index 7a93d4e6b59..681a24b905d 100644 ---- a/jdk/src/share/lib/security/java.security-aix -+++ b/jdk/src/share/lib/security/java.security-aix -@@ -287,6 +287,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux -index 145a84f94cf..789c19a8cba 100644 ---- a/jdk/src/share/lib/security/java.security-linux -+++ b/jdk/src/share/lib/security/java.security-linux -@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider - security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI - security.provider.9=sun.security.smartcardio.SunPCSC - -+# -+# Security providers used when FIPS mode support is active -+# -+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg -+fips.provider.2=sun.security.provider.Sun -+fips.provider.3=sun.security.ec.SunEC -+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS -+ - # - # Sun Provider SecureRandom seed source. - # -@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false - # - keystore.type=jks - -+# -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ - # - # Controls compatibility mode for the JKS keystore type. - # -@@ -287,6 +300,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx -index 35fa140d7a5..d4da666af3b 100644 ---- a/jdk/src/share/lib/security/java.security-macosx -+++ b/jdk/src/share/lib/security/java.security-macosx -@@ -290,6 +290,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris -index f79ba37ddb9..300132384a1 100644 ---- a/jdk/src/share/lib/security/java.security-solaris -+++ b/jdk/src/share/lib/security/java.security-solaris -@@ -288,6 +288,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows -index d70503ce95f..64db5a5cd1e 100644 ---- a/jdk/src/share/lib/security/java.security-windows -+++ b/jdk/src/share/lib/security/java.security-windows -@@ -290,6 +290,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c -new file mode 100644 -index 00000000000..8dcb7d9073f ---- /dev/null -+++ b/jdk/src/solaris/native/java/security/systemconf.c -@@ -0,0 +1,224 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#include -+#include -+#include "jvm_md.h" -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#else -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); -+ -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} -+ -+// Only used when NSS is not linked at build time -+#ifndef SYSCONF_NSS -+ -+static void *nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if (debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ } -+} diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-8e8bbf0ff74.patch new file mode 100644 index 0000000..2379d45 --- /dev/null +++ b/SOURCES/fips-8u-8e8bbf0ff74.patch @@ -0,0 +1,2007 @@ +diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac +index 151e5a109f8..a8761b500e0 100644 +--- a/common/autoconf/configure.ac ++++ b/common/autoconf/configure.ac +@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE + LIB_SETUP_ALSA + LIB_SETUP_FONTCONFIG + LIB_SETUP_MISC_LIBS ++LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_STATIC_LINK_LIBSTDCPP + LIB_SETUP_ON_WINDOWS + +diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh +index e77ce854dc5..ec6e9b27ca5 100644 +--- a/common/autoconf/generated-configure.sh ++++ b/common/autoconf/generated-configure.sh +@@ -651,6 +651,9 @@ LLVM_CONFIG + LIBFFI_LIBS + LIBFFI_CFLAGS + STATIC_CXX_SETTING ++USE_SYSCONF_NSS ++NSS_LIBS ++NSS_CFLAGS + LIBDL + LIBM + LIBZIP_CAN_USE_MMAP +@@ -1111,6 +1114,7 @@ with_fontconfig + with_fontconfig_include + with_giflib + with_zlib ++enable_sysconf_nss + with_stdc__lib + with_msvcr_dll + with_msvcp_dll +@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS + FREETYPE_LIBS + ALSA_CFLAGS + ALSA_LIBS ++NSS_CFLAGS ++NSS_LIBS + LIBFFI_CFLAGS + LIBFFI_LIBS + CCACHE' +@@ -1871,6 +1877,8 @@ Optional Features: + disable bundling of the freetype library with the + build result [enabled on Windows or when using + --with-freetype, disabled otherwise] ++ --enable-sysconf-nss build the System Configurator (libsysconf) using the ++ system NSS library if available [disabled] + --enable-sjavac use sjavac to do fast incremental compiles + [disabled] + --disable-precompiled-headers +@@ -2115,6 +2123,8 @@ Some influential environment variables: + linker flags for FREETYPE, overriding pkg-config + ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config + ALSA_LIBS linker flags for ALSA, overriding pkg-config ++ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config ++ NSS_LIBS linker flags for NSS, overriding pkg-config + LIBFFI_CFLAGS + C compiler flags for LIBFFI, overriding pkg-config + LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config +@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + + } # ac_fn_c_check_header_compile ++ ++# ac_fn_c_try_link LINENO ++# ----------------------- ++# Try to link conftest.$ac_ext, and return whether this succeeded. ++ac_fn_c_try_link () ++{ ++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack ++ rm -f conftest.$ac_objext conftest$ac_exeext ++ if { { ac_try="$ac_link" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" ++$as_echo "$ac_try_echo"; } >&5 ++ (eval "$ac_link") 2>conftest.err ++ ac_status=$? ++ if test -s conftest.err; then ++ grep -v '^ *+' conftest.err >conftest.er1 ++ cat conftest.er1 >&5 ++ mv -f conftest.er1 conftest.err ++ fi ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest$ac_exeext && { ++ test "$cross_compiling" = yes || ++ test -x conftest$ac_exeext ++ }; then : ++ ac_retval=0 ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_retval=1 ++fi ++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information ++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would ++ # interfere with the next link command; also delete a directory that is ++ # left behind by Apple's compiler. We do this before executing the actions. ++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo ++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno ++ as_fn_set_status $ac_retval ++ ++} # ac_fn_c_try_link + cat >config.log <<_ACEOF + This file contains any messages produced by compilers while + running configure, to aid debugging if configure makes a mistake. +@@ -4049,6 +4105,11 @@ fi + + + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++ ++ + # + # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. + # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +@@ -49290,6 +49351,157 @@ fi + LIBS="$save_LIBS" + + ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5 ++$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; } ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ # Check whether --enable-sysconf-nss was given. ++if test "${enable_sysconf_nss+set}" = set; then : ++ enableval=$enable_sysconf_nss; ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ++else ++ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ++fi ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5 ++$as_echo "$sysconf_nss" >&6; } ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ ++pkg_failed=no ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 ++$as_echo_n "checking for NSS... " >&6; } ++ ++if test -n "$NSS_CFLAGS"; then ++ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null` ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++if test -n "$NSS_LIBS"; then ++ pkg_cv_NSS_LIBS="$NSS_LIBS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null` ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++ ++ ++ ++if test $pkg_failed = yes; then ++ ++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then ++ _pkg_short_errors_supported=yes ++else ++ _pkg_short_errors_supported=no ++fi ++ if test $_pkg_short_errors_supported = yes; then ++ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1` ++ else ++ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1` ++ fi ++ # Put the nasty error message in config.log where it belongs ++ echo "$NSS_PKG_ERRORS" >&5 ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ NSS_FOUND=no ++elif test $pkg_failed = untried; then ++ NSS_FOUND=no ++else ++ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS ++ NSS_LIBS=$pkg_cv_NSS_LIBS ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ NSS_FOUND=yes ++fi ++ if test "x${NSS_FOUND}" = "xyes"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5 ++$as_echo_n "checking for system FIPS support in NSS... " >&6; } ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ ac_ext=c ++ac_cpp='$CPP $CPPFLAGS' ++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ++ac_compiler_gnu=$ac_cv_c_compiler_gnu ++ ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++#include ++int ++main () ++{ ++SECMOD_GetSystemFIPSEnabled() ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO"; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5 ++fi ++rm -f core conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++ ac_ext=cpp ++ac_cpp='$CXXCPP $CPPFLAGS' ++ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ++ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ++ac_compiler_gnu=$ac_cv_cxx_compiler_gnu ++ ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5 ++ fi ++ fi ++ ++ ++ + ############################################################################### + # + # statically link libstdc++ before C++ ABI is stablized on Linux unless +diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 +index 6efae578ea9..0080846255b 100644 +--- a/common/autoconf/libraries.m4 ++++ b/common/autoconf/libraries.m4 +@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS], + BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) + fi + ]) ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in +index 506cf617087..7241593b1a4 100644 +--- a/common/autoconf/spec.gmk.in ++++ b/common/autoconf/spec.gmk.in +@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@ + ALSA_LIBS:=@ALSA_LIBS@ + ALSA_CFLAGS:=@ALSA_CFLAGS@ + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + PACKAGE_PATH=@PACKAGE_PATH@ + + # Source file for cacerts +diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl +index 3b79a526f56..d2a0e39b206 100644 +--- a/common/bin/compare_exceptions.sh.incl ++++ b/common/bin/compare_exceptions.sh.incl +@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/i386/libsplashscreen.so + ./jre/lib/i386/libsunec.so + ./jre/lib/i386/libsunwjdga.so ++./jre/lib/i386/libsystemconf.so + ./jre/lib/i386/libt2k.so + ./jre/lib/i386/libunpack.so + ./jre/lib/i386/libverify.so +@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/amd64/libsplashscreen.so + ./jre/lib/amd64/libsunec.so + ./jre/lib/amd64/libsunwjdga.so ++//jre/lib/amd64/libsystemconf.so + ./jre/lib/amd64/libt2k.so + ./jre/lib/amd64/libunpack.so + ./jre/lib/amd64/libverify.so +@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/sparc/libsplashscreen.so + ./jre/lib/sparc/libsunec.so + ./jre/lib/sparc/libsunwjdga.so ++./jre/lib/sparc/libsystemconf.so + ./jre/lib/sparc/libt2k.so + ./jre/lib/sparc/libunpack.so + ./jre/lib/sparc/libverify.so +@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/sparcv9/libsplashscreen.so + ./jre/lib/sparcv9/libsunec.so + ./jre/lib/sparcv9/libsunwjdga.so ++./jre/lib/sparcv9/libsystemconf.so + ./jre/lib/sparcv9/libt2k.so + ./jre/lib/sparcv9/libunpack.so + ./jre/lib/sparcv9/libverify.so +diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml +index d2beed0b93a..3b6aef98d9a 100644 +--- a/common/nb_native/nbproject/configurations.xml ++++ b/common/nb_native/nbproject/configurations.xml +@@ -53,6 +53,9 @@ + jvmtiEnterTrace.cpp +
+ ++ ++ systemconf.c ++ + + + +@@ -12772,6 +12775,11 @@ + tool="0" + flavor2="0"> + ++ ++ + Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -62,6 +72,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -78,6 +101,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -93,6 +117,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -187,6 +212,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..a24a0445db2 +--- /dev/null ++++ b/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,248 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ boolean systemSecPropsLoaded = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ systemSecPropsLoaded = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ return systemSecPropsLoaded; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws IOException { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..5c30a8b29c7 +--- /dev/null ++++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java +index f065a2c685d..0dafe6f59cf 100644 +--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java ++++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java +@@ -31,6 +31,7 @@ import java.io.Console; + import java.io.FileDescriptor; + import java.io.ObjectInputStream; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + import java.security.AccessController; +@@ -63,6 +64,7 @@ public class SharedSecrets { + private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; + private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -248,4 +250,15 @@ public class SharedSecrets { + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..14d19450390 +--- /dev/null ++++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = P11ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +index fedcd7743ef..f9d70863bd1 100644 +--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback; + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import sun.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + +@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 2e42d1d9fb0..1b7eed1c656 100644 +--- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -145,18 +146,41 @@ public class PKCS11 { + this.pkcs11ModulePath = pkcs11ModulePath; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } +diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603b..98119479823 100644 +--- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import sun.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +index cd0e9e98df9..fba760187c0 100644 +--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import sun.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS12, + ProtocolVersion.TLS11, +diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +index 2845dc37938..52337a7b6cf 100644 +--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java ++++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER; + + import java.security.*; + ++import sun.misc.SharedSecrets; ++ + /** + * The JSSE provider. + * +@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context"); + put("SSLContext.TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context"); +- put("SSLContext.TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ put("SSLContext.TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ } + put("SSLContext.TLS", + "sun.security.ssl.SSLContextImpl$TLSContext"); + if (isfips == false) { +diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix +index d3d64b3facd..bfe0c593adb 100644 +--- a/jdk/src/share/lib/security/java.security-aix ++++ b/jdk/src/share/lib/security/java.security-aix +@@ -287,6 +287,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux +index db610d4bfbb..9d1c8fe8a8e 100644 +--- a/jdk/src/share/lib/security/java.security-linux ++++ b/jdk/src/share/lib/security/java.security-linux +@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider + security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.9=sun.security.smartcardio.SunPCSC + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg ++fips.provider.2=sun.security.provider.Sun ++fips.provider.3=sun.security.ec.SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ + # + # Sun Provider SecureRandom seed source. + # +@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false + # + keystore.type=jks + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ + # + # Controls compatibility mode for the JKS keystore type. + # +@@ -287,6 +300,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx +index a919ba3d5cd..19047c61097 100644 +--- a/jdk/src/share/lib/security/java.security-macosx ++++ b/jdk/src/share/lib/security/java.security-macosx +@@ -290,6 +290,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris +index 86265ba5fb6..7eda556ae13 100644 +--- a/jdk/src/share/lib/security/java.security-solaris ++++ b/jdk/src/share/lib/security/java.security-solaris +@@ -288,6 +288,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows +index 9b4bda23cbe..dfa1a669aa9 100644 +--- a/jdk/src/share/lib/security/java.security-windows ++++ b/jdk/src/share/lib/security/java.security-windows +@@ -290,6 +290,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c +new file mode 100644 +index 00000000000..8dcb7d9073f +--- /dev/null ++++ b/jdk/src/solaris/native/java/security/systemconf.c +@@ -0,0 +1,224 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} diff --git a/SOURCES/jdk8294357-tzdata2022d.patch b/SOURCES/jdk8294357-tzdata2022d.patch deleted file mode 100644 index 7356928..0000000 --- a/SOURCES/jdk8294357-tzdata2022d.patch +++ /dev/null @@ -1,506 +0,0 @@ -commit 8589b1229cffb9a0ab00baf62ce2d4376d31b055 -Author: Andrew John Hughes -Date: Fri Oct 14 22:55:39 2022 +0100 - - Backport f67b4de8a07b8158be1dfb5b09cdb4cc5b7ac93b - -diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION -index decb8716b22..889d0e6dad7 100644 ---- a/jdk/make/data/tzdata/VERSION -+++ b/jdk/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022c -+tzdata2022d -diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia -index 6cb6d2c57cf..1dc7d34f88e 100644 ---- a/jdk/make/data/tzdata/asia -+++ b/jdk/make/data/tzdata/asia -@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # The winter time in 2015 started on October 23 at 01:00. - # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY - # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 --# --# From Paul Eggert (2019-04-10): --# For now, guess spring-ahead transitions are at 00:00 on the Saturday --# preceding March's last Sunday (i.e., Sat>=24). - - # From P Chan (2021-10-18): - # http://wafa.ps/Pages/Details/34701 -@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # From Heba Hamad (2022-03-10): - # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. - -+# From Heba Hamad (2022-08-30): -+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by -+# 60 minutes backwards. Also the state of Palestine adopted the summer -+# and winter time for the years: 2023,2024,2025,2026 ... -+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf -+# (2022-08-31): ... the Saturday before the last Sunday in March and October -+# at 2:00 AM ,for the years from 2023 to 2026. -+# (2022-09-05): https://mtit.pna.ps/Site/New/1453 -+# -+# From Paul Eggert (2022-08-31): -+# For now, assume that this rule will also be used after 2026. -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EgyptAsia 1957 only - May 10 0:00 1:00 S - Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - -@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - - Rule Palestine 2014 only - Oct 24 0:00 0 - - Rule Palestine 2015 only - Mar 28 0:00 1:00 S - Rule Palestine 2015 only - Oct 23 1:00 0 - --Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S --Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - -+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S -+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - - Rule Palestine 2019 only - Mar 29 0:00 1:00 S --Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - --Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S -+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - -+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S - Rule Palestine 2020 only - Oct 24 1:00 0 - --Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - --Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S -+Rule Palestine 2021 only - Oct 29 1:00 0 - -+Rule Palestine 2022 only - Mar 27 0:00 1:00 S -+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - -+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Gaza 2:17:52 - LMT 1900 Oct -diff --git a/jdk/make/data/tzdata/backward b/jdk/make/data/tzdata/backward -index d4a29e8cf29..7765d99aedf 100644 ---- a/jdk/make/data/tzdata/backward -+++ b/jdk/make/data/tzdata/backward -@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT - Link Europe/London Europe/Belfast - Link Europe/Kyiv Europe/Kiev - Link Europe/Chisinau Europe/Tiraspol -+Link Europe/Kyiv Europe/Uzhgorod -+Link Europe/Kyiv Europe/Zaporozhye - Link Europe/London GB - Link Europe/London GB-Eire - Link Etc/GMT GMT+0 -diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe -index f7eb7a387aa..9e0a538f86d 100644 ---- a/jdk/make/data/tzdata/europe -+++ b/jdk/make/data/tzdata/europe -@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 - # From Alexander Krivenyshev (2014-03-17): - # time change at 2:00 (2am) on March 30, 2014 - # https://vz.ru/news/2014/3/17/677464.html --# From Paul Eggert (2014-03-30): --# Simferopol and Sevastopol reportedly changed their central town clocks --# late the previous day, but this appears to have been ceremonial --# and the discrepancies are small enough to not worry about. -+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): -+# The clocks at the railway station in Simferopol were put forward from 22:00 -+# to 24:00 the previous day in a "symbolic ceremony"; however, per -+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings -+# time switch at 2am" on Sunday. -+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html -+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 -+# https://www.bbc.com/news/av/world-europe-26806583 - 2:00 EU EE%sT 2014 Mar 30 2:00 - 4:00 - MSK 2014 Oct 26 2:00s - 3:00 - MSK -@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # US colleague David Cochrane) are still trying to get more - # information upon these local deviations from Kiev rules. - # --# From Paul Eggert (2022-02-08): --# For now, assume that Ukraine's other three zones followed the same rules, -+# From Paul Eggert (2022-08-27): -+# For now, assume that Ukraine's zones all followed the same rules, - # except that Crimea switched to Moscow time in 1994 as described elsewhere. - - # From Igor Karpov, who works for the Ukrainian Ministry of Justice, -@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # * Ukrainian Government's Resolution of 20.03.1992, No. 139. - # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm - --# From Paul Eggert (2022-04-12): --# As is usual in tzdb, Ukrainian zones use the most common English spellings. --# In particular, tzdb's name Europe/Kyiv uses the most common spelling in --# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, --# "Kyiv" is now more common due to widespread reporting of the current conflict. --# Conversely, tzdb continues to use the names Europe/Uzhgorod and --# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is --# certainly wrong as a transliteration of the Czech "Praha". --# English-language spelling of Ukrainian names is in flux, and --# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more --# common in English; in the meantime, do not change these --# English spellings as that means less disruption for our users. -- - # Zone NAME STDOFF RULES FORMAT [UNTIL] --# This represents most of Ukraine. See above for the spelling of "Kyiv". - Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time - 2:00 - EET 1930 Jun 21 -@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:00 1:00 EEST 1991 Sep 29 3:00 - 2:00 C-Eur EE%sT 1996 May 13 - 2:00 EU EE%sT --# Transcarpathia used CET 1990/1991. --# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but --# "Uzhgorod" is more common in English. --Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct -- 1:00 - CET 1940 -- 1:00 C-Eur CE%sT 1944 Oct -- 1:00 1:00 CEST 1944 Oct 26 -- 1:00 - CET 1945 Jun 29 -- 3:00 Russia MSK/MSD 1990 -- 3:00 - MSK 1990 Jul 1 2:00 -- 1:00 - CET 1991 Mar 31 3:00 -- 2:00 - EET 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT --# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. --# "Zaporizhzhia" is the transliteration of the Ukrainian name, but --# "Zaporozh'ye" is more common in English. Use the common English --# spelling, except omit the apostrophe as it is not allowed in --# portable Posix file names. --Zone Europe/Zaporozhye 2:20:40 - LMT 1880 -- 2:20 - +0220 1924 May 2 -- 2:00 - EET 1930 Jun 21 -- 3:00 - MSK 1941 Aug 25 -- 1:00 C-Eur CE%sT 1943 Oct 25 -- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 -- 2:00 E-Eur EE%sT 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT - - # Vatican City - # See Europe/Rome. -diff --git a/jdk/make/data/tzdata/southamerica b/jdk/make/data/tzdata/southamerica -index 13ec081c7e0..3c0e0e2061c 100644 ---- a/jdk/make/data/tzdata/southamerica -+++ b/jdk/make/data/tzdata/southamerica -@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 - # for America/Santiago will start on midnight of September 11th; - # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) - # will keep UTC -3 "indefinitely"... This is because on September 4th --# we will have a voting whether to approve a new Constitution.... --# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ -+# we will have a voting whether to approve a new Constitution. -+# -+# From Eduardo Romero Urra (2022-08-17): -+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf -+# -+# From Paul Eggert (2022-08-17): -+# Although the presidential decree stops at fall 2026, assume that -+# similar DST rules will continue thereafter. - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Chile 1927 1931 - Sep 1 0:00 1:00 - -diff --git a/jdk/make/data/tzdata/zone.tab b/jdk/make/data/tzdata/zone.tab -index 51b65fa273c..ee025196e50 100644 ---- a/jdk/make/data/tzdata/zone.tab -+++ b/jdk/make/data/tzdata/zone.tab -@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti - TW +2503+12130 Asia/Taipei - TZ -0648+03917 Africa/Dar_es_Salaam - UA +5026+03031 Europe/Kyiv Ukraine (most areas) --UA +4837+02218 Europe/Uzhgorod Transcarpathia --UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk - UG +0019+03225 Africa/Kampala - UM +2813-17722 Pacific/Midway Midway Islands - UM +1917+16637 Pacific/Wake Wake Island -diff --git a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java -index 43bddd5859a..4b84cda3067 100644 ---- a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java -+++ b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java -@@ -573,12 +573,8 @@ public final class ZoneInfoFile { - // we can then pass in the dom = -1, dow > 0 into ZoneInfo - // - // hacking, assume the >=24 is the result of ZRB optimization for -- // "last", it works for now. From tzdata2020d this hacking -- // will not work for Asia/Gaza and Asia/Hebron which follow -- // Palestine DST rules. -- if (dom < 0 || dom >= 24 && -- !(zoneId.equals("Asia/Gaza") || -- zoneId.equals("Asia/Hebron"))) { -+ // "last", it works for now. -+ if (dom < 0 || dom >= 24) { - params[1] = -1; - params[2] = toCalendarDOW[dow]; - } else { -@@ -600,7 +596,6 @@ public final class ZoneInfoFile { - params[7] = 0; - } else { - // hacking: see comment above -- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e - if (dom < 0 || dom >= 24) { - params[6] = -1; - params[7] = toCalendarDOW[dow]; -diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION -index c32bee39fba..71470168456 100644 ---- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION -+++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022c -+tzdata2022d -diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt -index a5e6428a3f5..e3ce742f887 100644 ---- a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt -+++ b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt -@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT - Link Europe/London Europe/Belfast - Link Europe/Kyiv Europe/Kiev - Link Europe/Chisinau Europe/Tiraspol -+Link Europe/Kyiv Europe/Uzhgorod -+Link Europe/Kyiv Europe/Zaporozhye - Link Europe/London GB - Link Europe/London GB-Eire - Link Etc/GMT GMT+0 -diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt -index fc148537f1f..b3823958ae4 100644 ---- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -163,11 +163,9 @@ Europe/Simferopol MSK - Europe/Sofia EET EEST - Europe/Tallinn EET EEST - Europe/Tirane CET CEST --Europe/Uzhgorod EET EEST - Europe/Vienna CET CEST - Europe/Vilnius EET EEST - Europe/Warsaw CET CEST --Europe/Zaporozhye EET EEST - Europe/Zurich CET CEST - HST HST - MET MET MEST -diff --git a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java -index 3aad69f8118..c682531d4bd 100644 ---- a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java -+++ b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java -@@ -173,10 +173,19 @@ public class TestZoneInfo310 { - * Temporary ignoring the failing TimeZones which are having zone - * rules defined till year 2037 and/or above and have negative DST - * save time in IANA tzdata. This bug is tracked via JDK-8223388. -+ * -+ * Tehran/Iran rule has rules beyond 2037, in which javazic assumes -+ * to be the last year. Thus javazic's rule is based on year 2037 -+ * (Mar 20th/Sep 20th are the cutover dates), while the real rule -+ * has year 2087 where Mar 21st/Sep 21st are the cutover dates. - */ -- if (zid.equals("Africa/Casablanca") || zid.equals("Africa/El_Aaiun") -- || zid.equals("Asia/Tehran") || zid.equals("Iran")) { -- continue; -+ if (zid.equals("Africa/Casablanca") || // uses "Morocco" rule -+ zid.equals("Africa/El_Aaiun") || // uses "Morocco" rule -+ zid.equals("Asia/Tehran") || // last rule mismatch -+ zid.equals("Asia/Gaza") || // uses "Palestine" rule -+ zid.equals("Asia/Hebron") || // uses "Palestine" rule -+ zid.equals("Iran")) { // last rule mismatch -+ continue; - } - if (! zi.equalsTo(ziOLD)) { - System.out.println(zi.diffsTo(ziOLD)); -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION -index decb8716b22..889d0e6dad7 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION -+++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022c -+tzdata2022d -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia -index 6cb6d2c57cf..1dc7d34f88e 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/asia -+++ b/jdk/test/sun/util/calendar/zi/tzdata/asia -@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # The winter time in 2015 started on October 23 at 01:00. - # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY - # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 --# --# From Paul Eggert (2019-04-10): --# For now, guess spring-ahead transitions are at 00:00 on the Saturday --# preceding March's last Sunday (i.e., Sat>=24). - - # From P Chan (2021-10-18): - # http://wafa.ps/Pages/Details/34701 -@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 - # From Heba Hamad (2022-03-10): - # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. - -+# From Heba Hamad (2022-08-30): -+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by -+# 60 minutes backwards. Also the state of Palestine adopted the summer -+# and winter time for the years: 2023,2024,2025,2026 ... -+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf -+# (2022-08-31): ... the Saturday before the last Sunday in March and October -+# at 2:00 AM ,for the years from 2023 to 2026. -+# (2022-09-05): https://mtit.pna.ps/Site/New/1453 -+# -+# From Paul Eggert (2022-08-31): -+# For now, assume that this rule will also be used after 2026. -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EgyptAsia 1957 only - May 10 0:00 1:00 S - Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - -@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - - Rule Palestine 2014 only - Oct 24 0:00 0 - - Rule Palestine 2015 only - Mar 28 0:00 1:00 S - Rule Palestine 2015 only - Oct 23 1:00 0 - --Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S --Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - -+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S -+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - - Rule Palestine 2019 only - Mar 29 0:00 1:00 S --Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - --Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S -+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - -+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S - Rule Palestine 2020 only - Oct 24 1:00 0 - --Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - --Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S -+Rule Palestine 2021 only - Oct 29 1:00 0 - -+Rule Palestine 2022 only - Mar 27 0:00 1:00 S -+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - -+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Gaza 2:17:52 - LMT 1900 Oct -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/backward b/jdk/test/sun/util/calendar/zi/tzdata/backward -index d4a29e8cf29..7765d99aedf 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/backward -+++ b/jdk/test/sun/util/calendar/zi/tzdata/backward -@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT - Link Europe/London Europe/Belfast - Link Europe/Kyiv Europe/Kiev - Link Europe/Chisinau Europe/Tiraspol -+Link Europe/Kyiv Europe/Uzhgorod -+Link Europe/Kyiv Europe/Zaporozhye - Link Europe/London GB - Link Europe/London GB-Eire - Link Etc/GMT GMT+0 -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe -index f7eb7a387aa..9e0a538f86d 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/europe -+++ b/jdk/test/sun/util/calendar/zi/tzdata/europe -@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 - # From Alexander Krivenyshev (2014-03-17): - # time change at 2:00 (2am) on March 30, 2014 - # https://vz.ru/news/2014/3/17/677464.html --# From Paul Eggert (2014-03-30): --# Simferopol and Sevastopol reportedly changed their central town clocks --# late the previous day, but this appears to have been ceremonial --# and the discrepancies are small enough to not worry about. -+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): -+# The clocks at the railway station in Simferopol were put forward from 22:00 -+# to 24:00 the previous day in a "symbolic ceremony"; however, per -+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings -+# time switch at 2am" on Sunday. -+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html -+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 -+# https://www.bbc.com/news/av/world-europe-26806583 - 2:00 EU EE%sT 2014 Mar 30 2:00 - 4:00 - MSK 2014 Oct 26 2:00s - 3:00 - MSK -@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # US colleague David Cochrane) are still trying to get more - # information upon these local deviations from Kiev rules. - # --# From Paul Eggert (2022-02-08): --# For now, assume that Ukraine's other three zones followed the same rules, -+# From Paul Eggert (2022-08-27): -+# For now, assume that Ukraine's zones all followed the same rules, - # except that Crimea switched to Moscow time in 1994 as described elsewhere. - - # From Igor Karpov, who works for the Ukrainian Ministry of Justice, -@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. - # * Ukrainian Government's Resolution of 20.03.1992, No. 139. - # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm - --# From Paul Eggert (2022-04-12): --# As is usual in tzdb, Ukrainian zones use the most common English spellings. --# In particular, tzdb's name Europe/Kyiv uses the most common spelling in --# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, --# "Kyiv" is now more common due to widespread reporting of the current conflict. --# Conversely, tzdb continues to use the names Europe/Uzhgorod and --# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is --# certainly wrong as a transliteration of the Czech "Praha". --# English-language spelling of Ukrainian names is in flux, and --# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more --# common in English; in the meantime, do not change these --# English spellings as that means less disruption for our users. -- - # Zone NAME STDOFF RULES FORMAT [UNTIL] --# This represents most of Ukraine. See above for the spelling of "Kyiv". - Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time - 2:00 - EET 1930 Jun 21 -@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 - 2:00 1:00 EEST 1991 Sep 29 3:00 - 2:00 C-Eur EE%sT 1996 May 13 - 2:00 EU EE%sT --# Transcarpathia used CET 1990/1991. --# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but --# "Uzhgorod" is more common in English. --Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct -- 1:00 - CET 1940 -- 1:00 C-Eur CE%sT 1944 Oct -- 1:00 1:00 CEST 1944 Oct 26 -- 1:00 - CET 1945 Jun 29 -- 3:00 Russia MSK/MSD 1990 -- 3:00 - MSK 1990 Jul 1 2:00 -- 1:00 - CET 1991 Mar 31 3:00 -- 2:00 - EET 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT --# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. --# "Zaporizhzhia" is the transliteration of the Ukrainian name, but --# "Zaporozh'ye" is more common in English. Use the common English --# spelling, except omit the apostrophe as it is not allowed in --# portable Posix file names. --Zone Europe/Zaporozhye 2:20:40 - LMT 1880 -- 2:20 - +0220 1924 May 2 -- 2:00 - EET 1930 Jun 21 -- 3:00 - MSK 1941 Aug 25 -- 1:00 C-Eur CE%sT 1943 Oct 25 -- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 -- 2:00 E-Eur EE%sT 1992 Mar 20 -- 2:00 C-Eur EE%sT 1996 May 13 -- 2:00 EU EE%sT - - # Vatican City - # See Europe/Rome. -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/southamerica b/jdk/test/sun/util/calendar/zi/tzdata/southamerica -index 13ec081c7e0..3c0e0e2061c 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/southamerica -+++ b/jdk/test/sun/util/calendar/zi/tzdata/southamerica -@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 - # for America/Santiago will start on midnight of September 11th; - # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) - # will keep UTC -3 "indefinitely"... This is because on September 4th --# we will have a voting whether to approve a new Constitution.... --# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ -+# we will have a voting whether to approve a new Constitution. -+# -+# From Eduardo Romero Urra (2022-08-17): -+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf -+# -+# From Paul Eggert (2022-08-17): -+# Although the presidential decree stops at fall 2026, assume that -+# similar DST rules will continue thereafter. - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Chile 1927 1931 - Sep 1 0:00 1:00 - -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab -index 51b65fa273c..ee025196e50 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab -+++ b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab -@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti - TW +2503+12130 Asia/Taipei - TZ -0648+03917 Africa/Dar_es_Salaam - UA +5026+03031 Europe/Kyiv Ukraine (most areas) --UA +4837+02218 Europe/Uzhgorod Transcarpathia --UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk - UG +0019+03225 Africa/Kampala - UM +2813-17722 Pacific/Midway Midway Islands - UM +1917+16637 Pacific/Wake Wake Island diff --git a/SOURCES/jdk8295173-tzdata2022e.patch b/SOURCES/jdk8295173-tzdata2022e.patch deleted file mode 100644 index a7d23ef..0000000 --- a/SOURCES/jdk8295173-tzdata2022e.patch +++ /dev/null @@ -1,813 +0,0 @@ -commit 44ea8322b2f62e3d8139a78923e3bf017e535989 -Author: Andrew John Hughes -Date: Sun Oct 16 03:02:37 2022 +0100 - - Backport 21407dec0156301871a83328615e4d975c4287c4 - -diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION -index 889d0e6dad7..b8cb36e69f4 100644 ---- a/jdk/make/data/tzdata/VERSION -+++ b/jdk/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022d -+tzdata2022e -diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia -index 1dc7d34f88e..f1771e42a71 100644 ---- a/jdk/make/data/tzdata/asia -+++ b/jdk/make/data/tzdata/asia -@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u - # From the Arabic version, it seems to say it would be at midnight - # (assume 24:00) on the last Thursday in February, starting from 2022. - -+# From Issam Al-Zuwairi (2022-10-05): -+# The Council of Ministers in Jordan decided Wednesday 5th October 2022, -+# that daylight saving time (DST) will be throughout the year.... -+# -+# From Brian Inglis (2022-10-06): -+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news -+# -+# From Paul Eggert (2022-10-05): -+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Jordan 1973 only - Jun 6 0:00 1:00 S - Rule Jordan 1973 1975 - Oct 1 0:00 0 - -@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - - Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - - Rule Jordan 2013 only - Dec 20 0:00 0 - - Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S --Rule Jordan 2014 max - Oct lastFri 0:00s 0 - --Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S -+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - -+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Amman 2:23:44 - LMT 1931 -- 2:00 Jordan EE%sT -+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s -+ 3:00 - +03 - - - # Kazakhstan -@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - - # Our brief summary: - # https://www.timeanddate.com/news/time/syria-dst-2012.html - --# From Arthur David Olson (2012-03-27): --# Assume last Friday in March going forward XXX. -+# From Steffen Thorsen (2022-10-05): -+# Syria is adopting year-round DST, starting this autumn.... -+# From https://www.enabbaladi.net/archives/607812 -+# "This [the decision] came after the weekly government meeting today, -+# Tuesday 4 October ..." -+# -+# From Paul Eggert (2022-10-05): -+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. - - Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S - Rule Syria 2008 only - Nov 1 0:00 0 - - Rule Syria 2009 only - Mar lastFri 0:00 1:00 S - Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S --Rule Syria 2012 max - Mar lastFri 0:00 1:00 S --Rule Syria 2009 max - Oct lastFri 0:00 0 - -+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S -+Rule Syria 2009 2022 - Oct lastFri 0:00 0 - - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq -- 2:00 Syria EE%sT -+ 2:00 Syria EE%sT 2022 Oct 28 0:00 -+ 3:00 - +03 - - # Tajikistan - # From Shanks & Pottenger. -diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe -index 9e0a538f86d..930cede4cf4 100644 ---- a/jdk/make/data/tzdata/europe -+++ b/jdk/make/data/tzdata/europe -@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u - 0:00 Spain WE%sT 1940 Mar 16 23:00 - 1:00 Spain CE%sT 1979 - 1:00 EU CE%sT --Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 -+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u - 0:00 - WET 1918 May 6 23:00 - 0:00 1:00 WEST 1918 Oct 7 23:00 - 0:00 - WET 1924 -diff --git a/jdk/make/data/tzdata/northamerica b/jdk/make/data/tzdata/northamerica -index 114cef14cce..ce4ee74582c 100644 ---- a/jdk/make/data/tzdata/northamerica -+++ b/jdk/make/data/tzdata/northamerica -@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D - Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S - Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 -+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Chicago C%sT 1936 Mar 1 2:00 - -5:00 - EST 1936 Nov 15 2:00 -@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 - -6:00 Chicago C%sT 1967 - -6:00 US C%sT - # Oliver County, ND switched from mountain to central time on 1992-10-25. --Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 -+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1992 Oct 25 2:00 - -6:00 US C%sT - # Morton County, ND, switched from mountain to central time on -@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 - # Jones, Mellette, and Todd Counties in South Dakota; - # but in practice these other counties were already observing central time. - # See . --Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 -+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2003 Oct 26 2:00 - -6:00 US C%sT - -@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 - # largest city in Mercer County). Google Maps places Beulah's city hall - # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". - --Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 -+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2010 Nov 7 2:00 - -6:00 US C%sT - -@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S - Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D - Rule Denver 1965 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 -+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1920 - -7:00 Denver M%sT 1942 - -7:00 US M%sT 1946 -@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D - Rule CA 1950 1961 - Sep lastSun 2:00 0 S - Rule CA 1962 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 -+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1946 - -8:00 CA P%sT 1967 - -8:00 US P%sT -@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 - # Go with the Arizona State Library instead. - - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 -+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1944 Jan 1 0:01 - -7:00 - MST 1944 Apr 1 0:01 - -7:00 US M%sT 1944 Oct 1 0:01 -@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston - # switched four weeks late in 1974. - # - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 -+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1923 May 13 2:00 - -7:00 US M%sT 1974 - -7:00 - MST 1974 Feb 3 2:00 -@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D - Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S - Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 -+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Indianapolis C%sT 1942 - -6:00 US C%sT 1946 -@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S - Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D - Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 -+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1951 - -6:00 Marengo C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S - Rule Vincennes 1961 only - Sep lastSun 2:00 0 S - Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 -+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Vincennes C%sT 1964 Apr 26 2:00 - -5:00 - EST 1969 -@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S - Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D - Rule Perry 1961 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 -+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Perry C%sT 1964 Apr 26 2:00 - -5:00 - EST 1967 Oct 29 2:00 -@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S - Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D - Rule Pike 1961 1964 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 -+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1955 - -6:00 Pike C%sT 1965 Apr 25 2:00 - -5:00 - EST 1966 Oct 30 2:00 -@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S - Rule Starke 1957 1958 - Sep lastSun 2:00 0 S - Rule Starke 1959 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 -+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1947 - -6:00 Starke C%sT 1962 Apr 29 2:00 - -5:00 - EST 1963 Oct 27 2:00 -@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S - Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S - Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 -+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Pulaski C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 - # - # Switzerland County, Indiana, did not observe DST from 1973 through 2005. - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 -+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1954 Apr 25 2:00 - -5:00 - EST 1969 - -5:00 US E%sT 1973 -@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D - Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S - Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 -+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1921 - -6:00 Louisville C%sT 1942 - -6:00 US C%sT 1946 -@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 - # Federal Register 65, 160 (2000-08-17), pp 50154-50158. - # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm - # --Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 -+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 - CST 1968 - -6:00 US C%sT 2000 Oct 29 2:00 -@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 - # longitude they are located at. - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S -+Rule Mexico 1931 only - May 1 23:00 1:00 D -+Rule Mexico 1931 only - Oct 1 0:00 0 S - Rule Mexico 1939 only - Feb 5 0:00 1:00 D - Rule Mexico 1939 only - Jun 25 0:00 0 S - Rule Mexico 1940 only - Dec 9 0:00 1:00 D -@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D - Rule Mexico 2002 max - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - # Quintana Roo; represented by Cancún --Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 -+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 Mexico E%sT 1998 Aug 2 2:00 - -6:00 Mexico C%sT 2015 Feb 1 2:00 - -5:00 - EST - # Campeche, Yucatán; represented by Mérida --Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 -+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 - EST 1982 Dec 2 - -6:00 Mexico C%sT -@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 - # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, - # 2016-03-12 - # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza --Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 -+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT 2010 - -6:00 US C%sT - # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) --Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 -+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT - # Central Mexico --Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 -+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 Mexico C%sT 2001 Sep 30 2:00 - -6:00 - CST 2002 Feb 20 - -6:00 Mexico C%sT -@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 - # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, - # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. - # (See the 2016-03-12 El Universal source mentioned above.) --Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 -+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT 2010 - -7:00 US M%sT - # Chihuahua (away from US border) --Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 -+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT - # Sonora --Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 -+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 - # Use "Bahia_Banderas" to keep the name to fourteen characters. - - # Mazatlán --Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 -+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 - -7:00 Mexico M%sT - - # Bahía de Banderas --Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 -+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 - -6:00 Mexico C%sT - - # Baja California --Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 -+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1924 - -8:00 - PST 1927 Jun 10 23:00 - -7:00 - MST 1930 Nov 15 -diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION -index 71470168456..0cad939008f 100644 ---- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION -+++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION -@@ -1 +1 @@ --tzdata2022d -+tzdata2022e -diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt -index b3823958ae4..2f2786f1c69 100644 ---- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt -+++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt -@@ -97,9 +97,7 @@ America/Winnipeg CST CDT - America/Yakutat AKST AKDT - America/Yellowknife MST MDT - Antarctica/Macquarie AEST AEDT --Asia/Amman EET EEST - Asia/Beirut EET EEST --Asia/Damascus EET EEST - Asia/Famagusta EET EEST - Asia/Gaza EET EEST - Asia/Hebron EET EEST -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION -index 889d0e6dad7..b8cb36e69f4 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION -+++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2022d -+tzdata2022e -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia -index 1dc7d34f88e..f1771e42a71 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/asia -+++ b/jdk/test/sun/util/calendar/zi/tzdata/asia -@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u - # From the Arabic version, it seems to say it would be at midnight - # (assume 24:00) on the last Thursday in February, starting from 2022. - -+# From Issam Al-Zuwairi (2022-10-05): -+# The Council of Ministers in Jordan decided Wednesday 5th October 2022, -+# that daylight saving time (DST) will be throughout the year.... -+# -+# From Brian Inglis (2022-10-06): -+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news -+# -+# From Paul Eggert (2022-10-05): -+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. -+ - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Jordan 1973 only - Jun 6 0:00 1:00 S - Rule Jordan 1973 1975 - Oct 1 0:00 0 - -@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - - Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - - Rule Jordan 2013 only - Dec 20 0:00 0 - - Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S --Rule Jordan 2014 max - Oct lastFri 0:00s 0 - --Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S -+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - -+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Amman 2:23:44 - LMT 1931 -- 2:00 Jordan EE%sT -+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s -+ 3:00 - +03 - - - # Kazakhstan -@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - - # Our brief summary: - # https://www.timeanddate.com/news/time/syria-dst-2012.html - --# From Arthur David Olson (2012-03-27): --# Assume last Friday in March going forward XXX. -+# From Steffen Thorsen (2022-10-05): -+# Syria is adopting year-round DST, starting this autumn.... -+# From https://www.enabbaladi.net/archives/607812 -+# "This [the decision] came after the weekly government meeting today, -+# Tuesday 4 October ..." -+# -+# From Paul Eggert (2022-10-05): -+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 -+# (non-DST) at the point where DST would otherwise have ended. - - Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S - Rule Syria 2008 only - Nov 1 0:00 0 - - Rule Syria 2009 only - Mar lastFri 0:00 1:00 S - Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S --Rule Syria 2012 max - Mar lastFri 0:00 1:00 S --Rule Syria 2009 max - Oct lastFri 0:00 0 - -+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S -+Rule Syria 2009 2022 - Oct lastFri 0:00 0 - - - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq -- 2:00 Syria EE%sT -+ 2:00 Syria EE%sT 2022 Oct 28 0:00 -+ 3:00 - +03 - - # Tajikistan - # From Shanks & Pottenger. -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe -index 9e0a538f86d..930cede4cf4 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/europe -+++ b/jdk/test/sun/util/calendar/zi/tzdata/europe -@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u - 0:00 Spain WE%sT 1940 Mar 16 23:00 - 1:00 Spain CE%sT 1979 - 1:00 EU CE%sT --Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 -+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u - 0:00 - WET 1918 May 6 23:00 - 0:00 1:00 WEST 1918 Oct 7 23:00 - 0:00 - WET 1924 -diff --git a/jdk/test/sun/util/calendar/zi/tzdata/northamerica b/jdk/test/sun/util/calendar/zi/tzdata/northamerica -index 114cef14cce..ce4ee74582c 100644 ---- a/jdk/test/sun/util/calendar/zi/tzdata/northamerica -+++ b/jdk/test/sun/util/calendar/zi/tzdata/northamerica -@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D - Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S - Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 -+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Chicago C%sT 1936 Mar 1 2:00 - -5:00 - EST 1936 Nov 15 2:00 -@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 - -6:00 Chicago C%sT 1967 - -6:00 US C%sT - # Oliver County, ND switched from mountain to central time on 1992-10-25. --Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 -+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1992 Oct 25 2:00 - -6:00 US C%sT - # Morton County, ND, switched from mountain to central time on -@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 - # Jones, Mellette, and Todd Counties in South Dakota; - # but in practice these other counties were already observing central time. - # See . --Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 -+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2003 Oct 26 2:00 - -6:00 US C%sT - -@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 - # largest city in Mercer County). Google Maps places Beulah's city hall - # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". - --Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 -+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 2010 Nov 7 2:00 - -6:00 US C%sT - -@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S - Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D - Rule Denver 1965 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 -+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1920 - -7:00 Denver M%sT 1942 - -7:00 US M%sT 1946 -@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D - Rule CA 1950 1961 - Sep lastSun 2:00 0 S - Rule CA 1962 1966 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 -+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1946 - -8:00 CA P%sT 1967 - -8:00 US P%sT -@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 - # Go with the Arizona State Library instead. - - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 -+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u - -7:00 US M%sT 1944 Jan 1 0:01 - -7:00 - MST 1944 Apr 1 0:01 - -7:00 US M%sT 1944 Oct 1 0:01 -@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston - # switched four weeks late in 1974. - # - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 -+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u - -8:00 US P%sT 1923 May 13 2:00 - -7:00 US M%sT 1974 - -7:00 - MST 1974 Feb 3 2:00 -@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D - Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S - Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 -+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1920 - -6:00 Indianapolis C%sT 1942 - -6:00 US C%sT 1946 -@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S - Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D - Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 -+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1951 - -6:00 Marengo C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S - Rule Vincennes 1961 only - Sep lastSun 2:00 0 S - Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 -+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Vincennes C%sT 1964 Apr 26 2:00 - -5:00 - EST 1969 -@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S - Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D - Rule Perry 1961 1963 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 -+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Perry C%sT 1964 Apr 26 2:00 - -5:00 - EST 1967 Oct 29 2:00 -@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S - Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D - Rule Pike 1961 1964 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 -+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1955 - -6:00 Pike C%sT 1965 Apr 25 2:00 - -5:00 - EST 1966 Oct 30 2:00 -@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S - Rule Starke 1957 1958 - Sep lastSun 2:00 0 S - Rule Starke 1959 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 -+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1947 - -6:00 Starke C%sT 1962 Apr 29 2:00 - -5:00 - EST 1963 Oct 27 2:00 -@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S - Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S - Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 -+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 Pulaski C%sT 1961 Apr 30 2:00 - -5:00 - EST 1969 -@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 - # - # Switzerland County, Indiana, did not observe DST from 1973 through 2005. - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 -+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1954 Apr 25 2:00 - -5:00 - EST 1969 - -5:00 US E%sT 1973 -@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D - Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S - Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 -+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1921 - -6:00 Louisville C%sT 1942 - -6:00 US C%sT 1946 -@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 - # Federal Register 65, 160 (2000-08-17), pp 50154-50158. - # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm - # --Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 -+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u - -6:00 US C%sT 1946 - -6:00 - CST 1968 - -6:00 US C%sT 2000 Oct 29 2:00 -@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 - # longitude they are located at. - - # Rule NAME FROM TO - IN ON AT SAVE LETTER/S -+Rule Mexico 1931 only - May 1 23:00 1:00 D -+Rule Mexico 1931 only - Oct 1 0:00 0 S - Rule Mexico 1939 only - Feb 5 0:00 1:00 D - Rule Mexico 1939 only - Jun 25 0:00 0 S - Rule Mexico 1940 only - Dec 9 0:00 1:00 D -@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D - Rule Mexico 2002 max - Oct lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] - # Quintana Roo; represented by Cancún --Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 -+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 Mexico E%sT 1998 Aug 2 2:00 - -6:00 Mexico C%sT 2015 Feb 1 2:00 - -5:00 - EST - # Campeche, Yucatán; represented by Mérida --Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 -+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1981 Dec 23 - -5:00 - EST 1982 Dec 2 - -6:00 Mexico C%sT -@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 - # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, - # 2016-03-12 - # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza --Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 -+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT 2010 - -6:00 US C%sT - # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) --Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 -+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u - -6:00 - CST 1988 - -6:00 US C%sT 1989 - -6:00 Mexico C%sT - # Central Mexico --Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 -+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 Mexico C%sT 2001 Sep 30 2:00 - -6:00 - CST 2002 Feb 20 - -6:00 Mexico C%sT -@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 - # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, - # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. - # (See the 2016-03-12 El Universal source mentioned above.) --Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 -+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT 2010 - -7:00 US M%sT - # Chihuahua (away from US border) --Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 -+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1996 - -6:00 Mexico C%sT 1998 - -6:00 - CST 1998 Apr Sun>=1 3:00 - -7:00 Mexico M%sT - # Sonora --Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 -+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 - # Use "Bahia_Banderas" to keep the name to fourteen characters. - - # Mazatlán --Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 -+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 - -7:00 Mexico M%sT - - # Bahía de Banderas --Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 -+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1927 Jun 10 23:00 - -6:00 - CST 1930 Nov 15 -- -7:00 - MST 1931 May 1 23:00 -- -6:00 - CST 1931 Oct -- -7:00 - MST 1932 Apr 1 -+ -7:00 Mexico M%sT 1932 Apr 1 - -6:00 - CST 1942 Apr 24 - -7:00 - MST 1949 Jan 14 - -8:00 - PST 1970 -@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 - -6:00 Mexico C%sT - - # Baja California --Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 -+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u - -7:00 - MST 1924 - -8:00 - PST 1927 Jun 10 23:00 - -7:00 - MST 1930 Nov 15 diff --git a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch b/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch deleted file mode 100644 index a42688d..0000000 --- a/SOURCES/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch +++ /dev/null @@ -1,63 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1459487045 -3600 -# Fri Apr 01 06:04:05 2016 +0100 -# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b -# Parent 6b81fd2227d14226f2121f2d51b464536925686e -PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) -PR3575: System cacerts database handling should not affect jssecacerts - -diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -@@ -72,7 +72,7 @@ - * The preference of the default trusted KeyStore is: - * javax.net.ssl.trustStore - * jssecacerts -- * cacerts -+ * cacerts (system and local) - */ - private static final class TrustStoreDescriptor { - private static final String fileSep = File.separator; -@@ -83,6 +83,10 @@ - defaultStorePath + fileSep + "cacerts"; - private static final String jsseDefaultStore = - defaultStorePath + fileSep + "jssecacerts"; -+ /* Check system cacerts DB: /etc/pki/java/cacerts */ -+ private static final String systemStore = -+ fileSep + "etc" + fileSep + "pki" + -+ fileSep + "java" + fileSep + "cacerts"; - - // the trust store name - private final String storeName; -@@ -146,7 +150,8 @@ - long temporaryTime = 0L; - if (!"NONE".equals(storePropName)) { - String[] fileNames = -- new String[] {storePropName, defaultStore}; -+ new String[] {storePropName, -+ systemStore, defaultStore}; - for (String fileName : fileNames) { - File f = new File(fileName); - if (f.isFile() && f.canRead()) { -diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ---- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -@@ -108,9 +108,14 @@ - throws Exception - { - String sep = File.separator; -- File file = new File(System.getProperty("java.home") + sep -- + "lib" + sep + "security" + sep -- + "cacerts"); -+ /* Check system cacerts DB first; /etc/pki/java/cacerts */ -+ File file = new File(sep + "etc" + sep + "pki" + sep -+ + "java" + sep + "cacerts"); -+ if (!file.exists()) { -+ file = new File(System.getProperty("java.home") + sep -+ + "lib" + sep + "security" + sep -+ + "cacerts"); -+ } - if (!file.exists()) { - return null; - } diff --git a/SOURCES/pr2888-rh2055274-support_system_cacerts.patch b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch new file mode 100644 index 0000000..1b88f2a --- /dev/null +++ b/SOURCES/pr2888-rh2055274-support_system_cacerts.patch @@ -0,0 +1,263 @@ +diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +index e7b4763db53..e8ec8467e6a 100644 +--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ++++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import sun.security.action.*; ++import sun.security.tools.KeyStoreUtil; + import sun.security.validator.TrustStoreUtil; + + /** +@@ -68,7 +69,7 @@ final class TrustStoreManager { + * The preference of the default trusted KeyStore is: + * javax.net.ssl.trustStore + * jssecacerts +- * cacerts ++ * cacerts (system and local) + */ + private static final class TrustStoreDescriptor { + private static final String fileSep = File.separator; +@@ -76,7 +77,7 @@ final class TrustStoreManager { + GetPropertyAction.privilegedGetProperty("java.home") + + fileSep + "lib" + fileSep + "security"; + private static final String defaultStore = +- defaultStorePath + fileSep + "cacerts"; ++ KeyStoreUtil.getCacertsKeyStoreFile().getPath(); + private static final String jsseDefaultStore = + defaultStorePath + fileSep + "jssecacerts"; + +@@ -139,6 +140,10 @@ final class TrustStoreManager { + String storePropPassword = System.getProperty( + "javax.net.ssl.trustStorePassword", ""); + ++ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { ++ SSLLogger.fine("Default store: " + defaultStore); ++ } ++ + String temporaryName = ""; + File temporaryFile = null; + long temporaryTime = 0L; +@@ -146,21 +151,22 @@ final class TrustStoreManager { + String[] fileNames = + new String[] {storePropName, defaultStore}; + for (String fileName : fileNames) { +- File f = new File(fileName); +- if (f.isFile() && f.canRead()) { +- temporaryName = fileName;; +- temporaryFile = f; +- temporaryTime = f.lastModified(); +- +- break; +- } +- +- // Not break, the file is inaccessible. +- if (SSLLogger.isOn && ++ if (fileName != null && !"".equals(fileName)) { ++ File f = new File(fileName); ++ if (f.isFile() && f.canRead()) { ++ temporaryName = fileName;; ++ temporaryFile = f; ++ temporaryTime = f.lastModified(); ++ ++ break; ++ } ++ // Not break, the file is inaccessible. ++ if (SSLLogger.isOn && + SSLLogger.isOn("trustmanager")) { +- SSLLogger.fine( +- "Inaccessible trust store: " + +- storePropName); ++ SSLLogger.fine( ++ "Inaccessible trust store: " + ++ fileName); ++ } + } + } + } else { +diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +index fcc77786da1..f554f83a8b4 100644 +--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ++++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +@@ -33,7 +33,10 @@ import java.io.InputStreamReader; + + import java.net.URL; + ++import java.security.AccessController; + import java.security.KeyStore; ++import java.security.PrivilegedAction; ++import java.security.Security; + + import java.security.cert.X509Certificate; + import java.text.Collator; +@@ -54,6 +57,33 @@ public class KeyStoreUtil { + + private static final String JKS = "jks"; + ++ private static final String PROP_NAME = "security.systemCACerts"; ++ ++ /** ++ * Returns the value of the security property propName, which can be overridden ++ * by a system property of the same name ++ * ++ * @param propName the name of the system or security property ++ * @return the value of the system or security property ++ */ ++ @SuppressWarnings("removal") ++ public static String privilegedGetOverridable(String propName) { ++ if (System.getSecurityManager() == null) { ++ return getOverridableProperty(propName); ++ } else { ++ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName)); ++ } ++ } ++ ++ private static String getOverridableProperty(String propName) { ++ String val = System.getProperty(propName); ++ if (val == null) { ++ return Security.getProperty(propName); ++ } else { ++ return val; ++ } ++ } ++ + /** + * Returns true if the certificate is self-signed, false otherwise. + */ +@@ -96,20 +126,38 @@ public class KeyStoreUtil { + } + } + ++ /** ++ * Returns the path to the cacerts DB ++ */ ++ public static File getCacertsKeyStoreFile() ++ { ++ String sep = File.separator; ++ File file = null; ++ /* Check system cacerts DB first, preferring system property over security property */ ++ String systemDB = privilegedGetOverridable(PROP_NAME); ++ if (systemDB != null && !"".equals(systemDB)) { ++ file = new File(systemDB); ++ } ++ if (file == null || !file.exists()) { ++ file = new File(System.getProperty("java.home") + sep ++ + "lib" + sep + "security" + sep ++ + "cacerts"); ++ } ++ if (file.exists()) { ++ return file; ++ } ++ return null; ++ } ++ + /** + * Returns the keystore with the configured CA certificates. + */ + public static KeyStore getCacertsKeyStore() + throws Exception + { +- String sep = File.separator; +- File file = new File(System.getProperty("java.home") + sep +- + "lib" + sep + "security" + sep +- + "cacerts"); +- if (!file.exists()) { +- return null; +- } + KeyStore caks = null; ++ File file = getCacertsKeyStoreFile(); ++ if (file == null) { return null; } + try (FileInputStream fis = new FileInputStream(file)) { + caks = KeyStore.getInstance(JKS); + caks.load(fis, null); +diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix +index bfe0c593adb..093bc09bf95 100644 +--- a/jdk/src/share/lib/security/java.security-aix ++++ b/jdk/src/share/lib/security/java.security-aix +@@ -294,6 +294,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux +index 9d1c8fe8a8e..16c9281cc1f 100644 +--- a/jdk/src/share/lib/security/java.security-linux ++++ b/jdk/src/share/lib/security/java.security-linux +@@ -307,6 +307,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx +index 19047c61097..43e034cdeaf 100644 +--- a/jdk/src/share/lib/security/java.security-macosx ++++ b/jdk/src/share/lib/security/java.security-macosx +@@ -297,6 +297,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris +index 7eda556ae13..325937e97fb 100644 +--- a/jdk/src/share/lib/security/java.security-solaris ++++ b/jdk/src/share/lib/security/java.security-solaris +@@ -295,6 +295,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows +index dfa1a669aa9..92ef777e065 100644 +--- a/jdk/src/share/lib/security/java.security-windows ++++ b/jdk/src/share/lib/security/java.security-windows +@@ -297,6 +297,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 348ef3b..febb3c4 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -26,6 +26,8 @@ %bcond_with artifacts # Build a fresh libjvm.so for use in a copy of the bootstrap JDK %bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so %if %{with fresh_libjvm} @@ -34,6 +36,16 @@ %global build_hotspot_first 0 %endif +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global jpeg_lib |libjavajpeg[.]so.* +%else +%global system_libs 0 +%global link_type bundled +%global jpeg_lib |libjpeg[.]so.* +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -158,11 +170,15 @@ # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%if 0%{?flatpak} +%global bootstrap_build false +%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif +%endif %global bootstrap_targets images %global release_targets images docs-zip @@ -281,13 +297,17 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 # Define current Git revision for the FIPS support patches -%global fipsver 6d1aade0648 +%global fipsver 8e8bbf0ff74 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} +# Settings for local security configuration +%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os} +%global cacerts_file /etc/pki/java/cacerts + # Define vendor information used by OpenJDK %global oj_vendor Red Hat, Inc. %global oj_vendor_url "https://www.redhat.com/" @@ -311,7 +331,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u352-b08 +%global openjdk_revision jdk8u345-b01 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -327,7 +347,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 5 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -371,7 +391,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* +%global _privatelibs libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*%{jpeg_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -813,6 +833,7 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security %{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts +%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream %dir %{_jvmdir}/%{jredir -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/bin %dir %{_jvmdir}/%{jredir -- %{?1}}/lib @@ -895,7 +916,11 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so +%if %{system_libs} %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so +%else +%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so +%endif %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so @@ -937,6 +962,7 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties %{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream %{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/management/* %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/* @@ -1210,17 +1236,19 @@ Provides: jre%{?1} = %{epoch}:%{version}-%{release} Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem -# 2022d required as of JDK-8294357 -# Should be bumped to 2022e once available (JDK-8295173) -Requires: tzdata-java >= 2022d +# Require zoneinfo data provided by tzdata-java subpackage. +# 2022a required as of JDK-8283350 in 8u342 +Requires: tzdata-java >= 2022a # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression Requires: copy-jdk-configs >= 4.0 OrderWithRequires: copy-jdk-configs +%endif # for printing support Requires: cups-libs # for system security properties @@ -1389,15 +1417,13 @@ Source16: CheckVendor.java # nss fips configuration file Source17: nss.fips.cfg.in -# Ensure translations are available for new timezones -Source18: TestTranslations.java - Source20: repackReproduciblePolycies.sh # New versions of config files with aarch64 support. This is not upstream yet. Source100: config.guess Source101: config.sub + ############################################ # # RPM/distribution specific patches @@ -1455,7 +1481,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_ Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts -Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch +# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds +# Must be applied after FIPS patch as it also changes java.security +Patch539: pr2888-rh2055274-support_system_cacerts.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch # JDK-8218811: replace open by os::open in hotspot coding @@ -1514,17 +1542,13 @@ Patch581: jdk8257794-remove_broken_assert.patch ############################################# # -# Patches appearing in 8u362 +# Patches appearing in 8u282 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8294357: (tz) Update Timezone Data to 2022d -Patch2002: jdk8294357-tzdata2022d.patch -# JDK-8295173: (tz) Update Timezone Data to 2022e -Patch2003: jdk8295173-tzdata2022e.patch ############################################# # @@ -1570,12 +1594,8 @@ BuildRequires: desktop-file-utils BuildRequires: elfutils-devel BuildRequires: fontconfig-devel BuildRequires: freetype-devel -BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXext-devel @@ -1598,9 +1618,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022d required as of JDK-8294357 -# Should be bumped to 2022e once available (JDK-8295173) -BuildRequires: tzdata-java >= 2022d +# 2022a required as of JDK-8283350 in 8u342 +BuildRequires: tzdata-java >= 2022a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1608,6 +1627,24 @@ BuildRequires: gcc >= 4.8.3-8 BuildRequires: systemtap-sdt-devel %endif +%if %{system_libs} +BuildRequires: giflib-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h +Provides: bundled(lcms2) = 2.10.0 +# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in jdk/src/share/native/sun/awt/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} @@ -1860,14 +1897,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/ # OpenJDK patches +%if %{system_libs} # Remove libraries that are linked sh %{SOURCE12} +%endif # System library fixes +%if %{system_libs} %patch201 %patch202 %patch203 %patch204 +%endif %patch5 @@ -1900,13 +1941,11 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 -# tzdata updates targetted for 8u362 -%patch2002 -p1 -%patch2003 -p1 +# cacerts patch; must follow FIPS patch as it also alters java.security +%patch539 -p1 popd # RPM-only fixes -%patch539 %patch600 %patch1003 @@ -1970,7 +2009,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +# Setup security policy +sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file} + %build + # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -2008,11 +2051,18 @@ function buildjdk() { local buildjdk=${2} local maketargets="${3}" local debuglevel=${4} + local link_opt=${5} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} # Variable used in hs_err hook on build failures local top_builddir_abs_path=$(pwd)/${outputdir} + if [ "x${link_opt}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + echo "Checking build JDK ${buildjdk} is operational..." ${buildjdk}/bin/java -version echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}" @@ -2041,12 +2091,14 @@ function buildjdk() { --with-debug-level=${debuglevel} \ --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=system \ - --with-libjpeg=system \ - --with-giflib=system \ - --with-libpng=system \ - --with-lcms=system \ - --with-stdc++lib=dynamic \ + --with-zlib=${link_opt} \ + --with-giflib=${link_opt} \ +%if %{with system_libs} + --with-libjpeg=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ +%endif + --with-stdc++lib=${libc_link_opt} \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-asflags="$EXTRA_ASFLAGS" \ @@ -2115,8 +2167,13 @@ function installjdk() { ${imagepath}/jre/lib/security/java.security # Use system-wide tzdata - rm ${imagepath}/jre/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + mv ${imagepath}/jre/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + + # Rename OpenJDK cacerts database + mv ${imagepath}/jre/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv %{cacerts_file} ${imagepath}/jre/lib/security # add alt-java man page pushd ${imagepath} @@ -2152,6 +2209,7 @@ builddir=%{buildoutputdir -- $suffix} bootbuilddir=boot${builddir} installdir=%{installoutputdir -- $suffix} bootinstalldir=boot${installdir} +link_opt="%{link_type}" # Debug builds don't need same targets as release for # build speed-up. We also avoid bootstrapping these @@ -2165,13 +2223,13 @@ else fi if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} installjdk ${bootbuilddir} ${bootinstalldir} - buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} installjdk ${builddir} ${installdir} %{!?with_artifacts:rm -rf ${bootinstalldir}} else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} installjdk ${builddir} ${installdir} fi @@ -2212,14 +2270,11 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif + # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} -# Check translations are available for new timezones -$JAVA_HOME/bin/javac -d . %{SOURCE18} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE - # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do @@ -2335,13 +2390,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien done %endif - # Remove empty cacerts database - rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts - # Install cacerts symlink needed by some apps which hardcode the path - pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security - ln -sf /etc/pki/java/cacerts . - popd - # Install versioned symlinks pushd $RPM_BUILD_ROOT%{_jvmdir} ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix} @@ -2671,32 +2719,45 @@ cjc.mainProgram(args) %endif %changelog -* Sun Oct 16 2022 Andrew Hughes - 1:1.8.0.352.b08-2 -- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 -- Add test to ensure timezones can be translated -- Related: rhbz#2133695 - -* Fri Oct 14 2022 Andrew Hughes - 1:1.8.0.352.b08-1 -- Update to shenandoah-jdk8u352-b08 (GA) -- Update release notes for shenandoah-8u352-b08. -- Rebase FIPS patch against 8u352-b07 -- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * -- Resolves: rhbz#2133695 - -* Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-1 +* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5 +- Allow the default keystore to be configured using security.systemCACerts +- Use of the property can now be disabled using -Dsecurity.systemCACerts= +- Move cacerts replacement to install section and retain original of this and tzdb.dat +- Resolves: rhbz#2077006 + +* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-4 +- Switch to static builds, reducing system dependencies and making build more portable +- Resolves: rhbz#2121273 + +* Mon Aug 29 2022 Stephan Bergmann - 1:1.8.0.345.b01-3 +- Disable copy-jdk-configs for Flatpak builds +- Fix flatpak builds by exempting them from bootstrap +- Resolves: rhbz#2102727 + +* Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-2 - Update to shenandoah-jdk8u345-b01 (GA) - Update release notes for 8u345-b01. -- Resolves: rhbz#2115463 +- Resolves: rhbz#2112405 + +* Sun Jul 24 2022 Andrew Hughes - 1:1.8.0.342.b07-2 +- Update to shenandoah-jdk8u342-b07 (GA) +- Update release notes for 8u342-b07. +- Switch to GA mode for final release. +- Resolves: rhbz#2106509 -* Mon Jul 18 2022 Andrew Hughes - 1:1.8.0.342.b07-1 -- Update to shenandoah-jdk8u342-b07 -- Update release notes for shenandoah-8u342-b07. +* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.342.b06-0.1.ea +- Update to shenandoah-jdk8u342-b06 (EA) +- Update release notes for shenandoah-8u342-b06. +- Switch to EA mode for 8u342 pre-release builds. - Print release file during build, which should now include a correct SOURCE value from .src-rev - Update tarball script with IcedTea GitHub URL and .src-rev generation - Use "git apply" with patches in the tarball script to allow binary diffs - Remove redundant "REPOS" variable from tarball script - Include script to generate bug list for release notes - Update tzdata requirement to 2022a to match JDK-8283350 +- Resolves: rhbz#2083322 + +* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.332.b09-3 - Rebase FIPS patches from fips branch and simplify by using a single patch from that repository - * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage - * RH2090378: Revert to disabling system security properties and FIPS mode support together @@ -2706,19 +2767,29 @@ cjc.mainProgram(args) - Improve security properties test to check both enabled and disabled behaviour - Run security properties test with property debugging on - Explicitly require crypto-policies during build and runtime for system security properties -- Resolves: rhbz#2099916 -- Resolves: rhbz#2107958 -- Resolves: rhbz#2084776 -- Resolves: rhbz#2106508 +- Resolves: rhbz#2099801 +- Resolves: rhbz#2100678 * Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:1.8.0.332.b09-2 - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode -- Resolves: rhbz#2107956 +- Resolves: rhbz#2102435 * Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b09-1 - Update to shenandoah-jdk8u332-b09 (GA) - Update release notes for 8u332-b09. -- Resolves: rhbz#2074649 +- Switch to GA mode for final release. +- Resolves: rhbz#2074650 + +* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b06-0.1.ea +- Update to shenandoah-jdk8u332-b06 (EA) +- Update release notes for shenandoah-8u332-b06. +- Resolves: rhbz#2050457 + +* Sun Apr 17 2022 Andrew Hughes - 1:1.8.0.332.b01-0.1.ea +- Update to shenandoah-jdk8u332-b01 (EA) +- Update release notes for shenandoah-8u332-b01. +- Switch to EA mode. +- Related: rhbz#2050457 * Mon Feb 28 2022 Andrew Hughes - 1:1.8.0.322.b06-9 - Remove 'java --version' test as this is not supported on java-1.8.0-openjdk