diff --git a/.gitignore b/.gitignore
index ccfc525..35138ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 493f497..ce1ddd8 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz
+11e3bf44f3c54d25e2018fc7df16c231daf041c5 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index a45c520..08b5588 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,163 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u352 (2022-10-18):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk8u352
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt
+
+* Security fixes
+ - JDK-8282252: Improve BigInteger/Decimal validation
+ - JDK-8285662: Better permission resolution
+ - JDK-8286511: Improve macro allocation
+ - JDK-8286519: Better memory handling
+ - JDK-8286526, CVE-2022-21619: Improve NTLM support
+ - JDK-8286533, CVE-2022-21626: Key X509 usages
+ - JDK-8286910, CVE-2022-21624: Improve JNDI lookups
+ - JDK-8286918, CVE-2022-21628: Better HttpServer service
+ - JDK-8288508: Enhance ECDSA usage
+* Other changes
+ - JDK-7131823: bug in GIFImageReader
+ - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate
+ - JDK-8028265: Add legacy tz tests to OpenJDK
+ - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]
+ - JDK-8049228: Improve multithreaded scalability of InetAddress cache
+ - JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+ - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation
+ - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9
+ - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script
+ - JDK-8139668: Generate README-build.html from markdown
+ - JDK-8143847: Remove REF_CLEANER reference category
+ - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl
+ - JDK-8150669: C1 intrinsic for Class.isPrimitive
+ - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
+ - JDK-8173339: AArch64: Fix minimum stack size computations
+ - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
+ - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+ - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
+ - JDK-8183107: PKCS11 regression regarding checkKeySize
+ - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
+ - JDK-8194873: right ALT key hotkeys no longer work in Swing components
+ - JDK-8201793: (ref) Reference object should not support cloning
+ - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
+ - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
+ - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
+ - JDK-8235218: Minimal VM is broken after JDK-8173361
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles
+ - JDK-8254178: Remove .hgignore
+ - JDK-8254318: Remove .hgtags
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
+ - JDK-8280963: Incorrect PrintFlags formatting on Windows
+ - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+ - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+ - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3
+ - JDK-8285497: Add system property for Java SE specification maintenance version
+ - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE
+ - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11
+ - JDK-8287521: Bump update version of OpenJDK: 8u352
+ - JDK-8288763: Pack200 extraction failure with invalid size
+ - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
+ - JDK-8290000: Bump macOS GitHub actions to macOS 11
+ - JDK-8292579: (tz) Update Timezone Data to 2022c
+ - JDK-8292688: Support Security properties in security.testlibrary.Proc
+
+Notes on individual issues:
+===========================
+
+core-libs/java.lang:
+
+JDK-8201793: (ref) Reference object should not support cloning
+==============================================================
+`java.lang.ref.Reference::clone` method always throws
+`CloneNotSupportedException`. `Reference` objects cannot be
+meaningfully cloned. To create a new Reference object, call the
+constructor to create a `Reference` object with the same referent and
+reference queue instead.
+
+JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
+===============================================================================================
+`java.lang.ref.Reference.enqueue` method clears the reference object
+before it is added to the registered queue. When the `enqueue` method
+is called, the reference object is cleared and `get()` method will
+return null in OpenJDK 8u352.
+
+Typically when a reference object is enqueued, it is expected that the
+reference object is cleared explicitly via the `clear` method to avoid
+memory leak because its referent is no longer referenced. In other
+words the `get` method is expected not to be called in common cases
+once the `enqueue`method is called. In the case when the `get` method
+from an enqueued reference object and existing code attempts to access
+members of the referent, `NullPointerException` may be thrown. Such
+code will need to be updated.
+
+JDK-8071507: (ref) Clear phantom reference as soft and weak references do
+=========================================================================
+This enhancement changes phantom references to be automatically
+cleared by the garbage collector as soft and weak references.
+
+An object becomes phantom reachable after it has been finalized. This
+change may cause the phantom reachable objects to be GC'ed earlier -
+previously the referent is kept alive until PhantomReference objects
+are GC'ed or cleared by the application. This potential behavioral
+change might only impact existing code that would depend on
+PhantomReference being enqueued rather than when the referent be freed
+from the heap.
+
+security-libs/javax.net.ssl:
+
+JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
+================================================================
+The TLSv1.3 implementation is now enabled by default for client roles
+in 8u352. It has been enabled by default for server roles since 8u272.
+
+Note that TLS 1.3 is not directly compatible with previous
+versions. Enabling it on the client may introduce compatibility issues
+on either the server or the client side. Here are some more details on
+potential compatibility issues that you should be aware of:
+
+* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions
+ use a duplex-close policy. For applications that depend on the
+ duplex-close policy, there may be compatibility issues when
+ upgrading to TLS 1.3.
+
+* The signature_algorithms_cert extension requires that pre-defined
+ signature algorithms are used for certificate authentication. In
+ practice, however, an application may use non-supported signature
+ algorithms.
+
+* The DSA signature algorithm is not supported in TLS 1.3. If a server
+ is configured to only use DSA certificates, it cannot upgrade to TLS
+ 1.3.
+
+* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2
+ and prior versions. If an application hard-codes cipher suites which
+ are no longer supported, it may not be able to use TLS 1.3 without
+ modifying the application code.
+
+* The TLS 1.3 session resumption and key update behaviors are
+ different from TLS 1.2 and prior versions. The compatibility should
+ be minimal, but it could be a risk if an application depends on the
+ handshake details of the TLS protocols.
+
+The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols
+system property:
+
+java -Djdk.tls.client.protocols="TLSv1.2" ...
+
+Alternatively, an application can explicitly set the enabled protocols
+with the javax.net.ssl APIs e.g.
+
+sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
+
+or:
+
+SSLParameters params = sslSocket.getSSLParameters();
+params.setProtocols(new String[] {"TLSv1.2"});
+slsSocket.setSSLParameters(params);
+
New in release OpenJDK 8u345 (2022-08-01):
===========================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 552bd0f..2967a32 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -1,3 +1,20 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+ enable the crypto policies.
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java
new file mode 100644
index 0000000..7b2f09b
--- /dev/null
+++ b/SOURCES/TestTranslations.java
@@ -0,0 +1,140 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.text.DateFormatSymbols;
+
+import java.time.ZoneId;
+import java.time.format.TextStyle;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.TimeZone;
+
+public class TestTranslations {
+
+ private static Map<Locale,String[]> KYIV;
+
+ static {
+ Map<Locale,String[]> map = new HashMap<Locale,String[]>();
+ map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
+ "Eastern European Summer Time", "GMT+03:00", "EEST",
+ "Eastern European Time", "GMT+02:00", "EET"});
+ map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
+ "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
+ "Heure d'Europe de l'Est", "UTC+02:00", "EET"});
+ map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
+ "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
+ "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
+ KYIV = Collections.unmodifiableMap(map);
+ }
+
+
+ public static void main(String[] args) {
+ if (args.length < 1) {
+ System.err.println("Test must be started with the name of the locale provider.");
+ System.exit(1);
+ }
+
+ String localeProvider = args[0];
+ System.out.println("Checking sanity of full zone string set...");
+ boolean invalid = Arrays.stream(Locale.getAvailableLocales())
+ .peek(l -> System.out.println("Locale: " + l))
+ .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
+ .flatMap(zs -> Arrays.stream(zs))
+ .flatMap(names -> Arrays.stream(names))
+ .filter(name -> Objects.isNull(name) || name.isEmpty())
+ .findAny()
+ .isPresent();
+ if (invalid) {
+ System.err.println("Zone string for a locale returned null or empty string");
+ System.exit(2);
+ }
+
+ for (Locale l : KYIV.keySet()) {
+ String[] expected = KYIV.get(l);
+ for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) {
+ String expectedShortStd = null;
+ String expectedShortDST = null;
+ String expectedShortGen = null;
+
+ System.out.printf("Checking locale %s for %s...\n", l, id);
+
+ if ("JRE".equals(localeProvider)) {
+ expectedShortStd = expected[2];
+ expectedShortDST = expected[5];
+ expectedShortGen = expected[8];
+ } else if ("CLDR".equals(localeProvider)) {
+ expectedShortStd = expected[1];
+ expectedShortDST = expected[4];
+ expectedShortGen = expected[7];
+ } else {
+ System.err.printf("Invalid locale provider %s\n", localeProvider);
+ System.exit(3);
+ }
+ System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
+ localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
+
+ String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
+ String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
+ String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
+ String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
+ String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
+ String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
+
+ if (!expected[0].equals(longStd)) {
+ System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+ id, l, longStd, expected[0]);
+ System.exit(4);
+ }
+
+ if (!expectedShortStd.equals(shortStd)) {
+ System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
+ id, l, shortStd, expectedShortStd);
+ System.exit(5);
+ }
+
+ if (!expected[3].equals(longDST)) {
+ System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
+ id, l, longDST, expected[3]);
+ System.exit(6);
+ }
+
+ if (!expectedShortDST.equals(shortDST)) {
+ System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
+ id, l, shortDST, expectedShortDST);
+ System.exit(7);
+ }
+
+ if (!expected[6].equals(longGen)) {
+ System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
+ id, l, longGen, expected[6]);
+ System.exit(8);
+ }
+
+ if (!expectedShortGen.equals(shortGen)) {
+ System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
+ id, l, shortGen, expectedShortGen);
+ System.exit(9);
+ }
+ }
+ }
+ }
+}
diff --git a/SOURCES/fips-8u-6d1aade0648.patch b/SOURCES/fips-8u-6d1aade0648.patch
new file mode 100644
index 0000000..58ab6e5
--- /dev/null
+++ b/SOURCES/fips-8u-6d1aade0648.patch
@@ -0,0 +1,2007 @@
+diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac
+index 151e5a109f8..a8761b500e0 100644
+--- a/common/autoconf/configure.ac
++++ b/common/autoconf/configure.ac
+@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE
+ LIB_SETUP_ALSA
+ LIB_SETUP_FONTCONFIG
+ LIB_SETUP_MISC_LIBS
++LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_STATIC_LINK_LIBSTDCPP
+ LIB_SETUP_ON_WINDOWS
+
+diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
+index 71fabf4dbb3..17f4f50673d 100644
+--- a/common/autoconf/generated-configure.sh
++++ b/common/autoconf/generated-configure.sh
+@@ -651,6 +651,9 @@ LLVM_CONFIG
+ LIBFFI_LIBS
+ LIBFFI_CFLAGS
+ STATIC_CXX_SETTING
++USE_SYSCONF_NSS
++NSS_LIBS
++NSS_CFLAGS
+ LIBDL
+ LIBM
+ LIBZIP_CAN_USE_MMAP
+@@ -1111,6 +1114,7 @@ with_fontconfig
+ with_fontconfig_include
+ with_giflib
+ with_zlib
++enable_sysconf_nss
+ with_stdc__lib
+ with_msvcr_dll
+ with_msvcp_dll
+@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS
+ FREETYPE_LIBS
+ ALSA_CFLAGS
+ ALSA_LIBS
++NSS_CFLAGS
++NSS_LIBS
+ LIBFFI_CFLAGS
+ LIBFFI_LIBS
+ CCACHE'
+@@ -1871,6 +1877,8 @@ Optional Features:
+ disable bundling of the freetype library with the
+ build result [enabled on Windows or when using
+ --with-freetype, disabled otherwise]
++ --enable-sysconf-nss build the System Configurator (libsysconf) using the
++ system NSS library if available [disabled]
+ --enable-sjavac use sjavac to do fast incremental compiles
+ [disabled]
+ --disable-precompiled-headers
+@@ -2115,6 +2123,8 @@ Some influential environment variables:
+ linker flags for FREETYPE, overriding pkg-config
+ ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config
+ ALSA_LIBS linker flags for ALSA, overriding pkg-config
++ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config
++ NSS_LIBS linker flags for NSS, overriding pkg-config
+ LIBFFI_CFLAGS
+ C compiler flags for LIBFFI, overriding pkg-config
+ LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config
+@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+ } # ac_fn_c_check_header_compile
++
++# ac_fn_c_try_link LINENO
++# -----------------------
++# Try to link conftest.$ac_ext, and return whether this succeeded.
++ac_fn_c_try_link ()
++{
++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++ rm -f conftest.$ac_objext conftest$ac_exeext
++ if { { ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
++$as_echo "$ac_try_echo"; } >&5
++ (eval "$ac_link") 2>conftest.err
++ ac_status=$?
++ if test -s conftest.err; then
++ grep -v '^ *+' conftest.err >conftest.er1
++ cat conftest.er1 >&5
++ mv -f conftest.er1 conftest.err
++ fi
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ test -x conftest$ac_exeext
++ }; then :
++ ac_retval=0
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ ac_retval=1
++fi
++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
++ # interfere with the next link command; also delete a directory that is
++ # left behind by Apple's compiler. We do this before executing the actions.
++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
++ as_fn_set_status $ac_retval
++
++} # ac_fn_c_try_link
+ cat >config.log <<_ACEOF
+ This file contains any messages produced by compilers while
+ running configure, to aid debugging if configure makes a mistake.
+@@ -4049,6 +4105,11 @@ fi
+
+
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++
++
+ #
+ # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+@@ -49304,6 +49365,157 @@ fi
+ LIBS="$save_LIBS"
+
+
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5
++$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; }
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ # Check whether --enable-sysconf-nss was given.
++if test "${enable_sysconf_nss+set}" = set; then :
++ enableval=$enable_sysconf_nss;
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++
++else
++
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++
++fi
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5
++$as_echo "$sysconf_nss" >&6; }
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++
++pkg_failed=no
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5
++$as_echo_n "checking for NSS... " >&6; }
++
++if test -n "$NSS_CFLAGS"; then
++ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++if test -n "$NSS_LIBS"; then
++ pkg_cv_NSS_LIBS="$NSS_LIBS"
++ elif test -n "$PKG_CONFIG"; then
++ if test -n "$PKG_CONFIG" && \
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
++ ac_status=$?
++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++ test $ac_status = 0; }; then
++ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null`
++else
++ pkg_failed=yes
++fi
++ else
++ pkg_failed=untried
++fi
++
++
++
++if test $pkg_failed = yes; then
++
++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
++ _pkg_short_errors_supported=yes
++else
++ _pkg_short_errors_supported=no
++fi
++ if test $_pkg_short_errors_supported = yes; then
++ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1`
++ else
++ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1`
++ fi
++ # Put the nasty error message in config.log where it belongs
++ echo "$NSS_PKG_ERRORS" >&5
++
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ NSS_FOUND=no
++elif test $pkg_failed = untried; then
++ NSS_FOUND=no
++else
++ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS
++ NSS_LIBS=$pkg_cv_NSS_LIBS
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++ NSS_FOUND=yes
++fi
++ if test "x${NSS_FOUND}" = "xyes"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5
++$as_echo_n "checking for system FIPS support in NSS... " >&6; }
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ ac_ext=c
++ac_cpp='$CPP $CPPFLAGS'
++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_c_compiler_gnu
++
++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++#include <nss3/pk11pub.h>
++int
++main ()
++{
++SECMOD_GetSystemFIPSEnabled()
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++else
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5
++fi
++rm -f core conftest.err conftest.$ac_objext \
++ conftest$ac_exeext conftest.$ac_ext
++ ac_ext=cpp
++ac_cpp='$CXXCPP $CPPFLAGS'
++ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
++ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
++ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
++
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5
++ fi
++ fi
++
++
++
+ ###############################################################################
+ #
+ # statically link libstdc++ before C++ ABI is stablized on Linux unless
+diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
+index 6efae578ea9..0080846255b 100644
+--- a/common/autoconf/libraries.m4
++++ b/common/autoconf/libraries.m4
+@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
+ BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
+ fi
+ ])
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
+index 506cf617087..7241593b1a4 100644
+--- a/common/autoconf/spec.gmk.in
++++ b/common/autoconf/spec.gmk.in
+@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@
+ ALSA_LIBS:=@ALSA_LIBS@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ PACKAGE_PATH=@PACKAGE_PATH@
+
+ # Source file for cacerts
+diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl
+index 3b79a526f56..d2a0e39b206 100644
+--- a/common/bin/compare_exceptions.sh.incl
++++ b/common/bin/compare_exceptions.sh.incl
+@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/i386/libsplashscreen.so
+ ./jre/lib/i386/libsunec.so
+ ./jre/lib/i386/libsunwjdga.so
++./jre/lib/i386/libsystemconf.so
+ ./jre/lib/i386/libt2k.so
+ ./jre/lib/i386/libunpack.so
+ ./jre/lib/i386/libverify.so
+@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/amd64/libsplashscreen.so
+ ./jre/lib/amd64/libsunec.so
+ ./jre/lib/amd64/libsunwjdga.so
++//jre/lib/amd64/libsystemconf.so
+ ./jre/lib/amd64/libt2k.so
+ ./jre/lib/amd64/libunpack.so
+ ./jre/lib/amd64/libverify.so
+@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparc/libsplashscreen.so
+ ./jre/lib/sparc/libsunec.so
+ ./jre/lib/sparc/libsunwjdga.so
++./jre/lib/sparc/libsystemconf.so
+ ./jre/lib/sparc/libt2k.so
+ ./jre/lib/sparc/libunpack.so
+ ./jre/lib/sparc/libverify.so
+@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
+ ./jre/lib/sparcv9/libsplashscreen.so
+ ./jre/lib/sparcv9/libsunec.so
+ ./jre/lib/sparcv9/libsunwjdga.so
++./jre/lib/sparcv9/libsystemconf.so
+ ./jre/lib/sparcv9/libt2k.so
+ ./jre/lib/sparcv9/libunpack.so
+ ./jre/lib/sparcv9/libverify.so
+diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml
+index d2beed0b93a..3b6aef98d9a 100644
+--- a/common/nb_native/nbproject/configurations.xml
++++ b/common/nb_native/nbproject/configurations.xml
+@@ -53,6 +53,9 @@
+ <in>jvmtiEnterTrace.cpp</in>
+ </df>
+ </df>
++ <df name="libsystemconf">
++ <in>systemconf.c</in>
++ </df>
+ </df>
+ </df>
+ <df name="jdk">
+@@ -12772,6 +12775,11 @@
+ tool="0"
+ flavor2="0">
+ </item>
++ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
++ ex="false"
++ tool="0"
++ flavor2="0">
++ </item>
+ <item path="../../jdk/src/share/native/java/util/TimeZone.c"
+ ex="false"
+ tool="0"
+diff --git a/jdk/make/lib/SecurityLibraries.gmk b/jdk/make/lib/SecurityLibraries.gmk
+index b0b85d80448..47a41d7518d 100644
+--- a/jdk/make/lib/SecurityLibraries.gmk
++++ b/jdk/make/lib/SecurityLibraries.gmk
+@@ -289,3 +289,34 @@ ifeq ($(OPENJDK_TARGET_OS), solaris)
+
+ endif
+ endif
++
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
++ LIBRARY := systemconf, \
++ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
++ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
++ LANG := C, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
++ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
++ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
++
++ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
++endif
++
+diff --git a/jdk/make/mapfiles/libsystemconf/mapfile-vers b/jdk/make/mapfiles/libsystemconf/mapfile-vers
+new file mode 100644
+index 00000000000..a65ceb3b78c
+--- /dev/null
++++ b/jdk/make/mapfiles/libsystemconf/mapfile-vers
+@@ -0,0 +1,35 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++# Define public interface.
++
++SUNWprivate_1.1 {
++ global:
++ DEF_JNI_OnLoad;
++ DEF_JNI_OnUnLoad;
++ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
++ local:
++ *;
++};
+diff --git a/jdk/src/share/classes/java/security/Security.java b/jdk/src/share/classes/java/security/Security.java
+index 0db09da7061..813b907db3e 100644
+--- a/jdk/src/share/classes/java/security/Security.java
++++ b/jdk/src/share/classes/java/security/Security.java
+@@ -30,6 +30,8 @@ import java.util.*;
+ import java.util.concurrent.ConcurrentHashMap;
+ import java.io.*;
+ import java.net.URL;
++import sun.misc.SharedSecrets;
++import sun.misc.JavaSecuritySystemConfiguratorAccess;
+ import sun.security.util.Debug;
+ import sun.security.util.PropertyExpander;
+
+@@ -43,11 +45,19 @@ import sun.security.jca.*;
+ * implementation-specific location, which is typically the properties file
+ * {@code lib/security/java.security} in the Java installation directory.
+ *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+ * @author Benjamin Renaud
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -62,6 +72,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -78,6 +101,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -93,6 +117,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -187,6 +212,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..a24a0445db2
+--- /dev/null
++++ b/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry<Object, Object> e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
++ */
++ private static boolean enableFips() throws IOException {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
++ }
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..5c30a8b29c7
+--- /dev/null
++++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index f065a2c685d..0dafe6f59cf 100644
+--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java
++++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ import java.security.AccessController;
+@@ -63,6 +64,7 @@ public class SharedSecrets {
+ private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
+ private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -248,4 +250,15 @@ public class SharedSecrets {
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..14d19450390
+--- /dev/null
++++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = P11ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+index fedcd7743ef..f9d70863bd1 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback;
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+
+@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
+diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 2e42d1d9fb0..1b7eed1c656 100644
+--- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -145,18 +146,41 @@ public class PKCS11 {
+ this.pkcs11ModulePath = pkcs11ModulePath;
+ }
+
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null);
++ }
++
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
+diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+index ffee2c1603b..98119479823 100644
+--- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
+
+ import javax.net.ssl.*;
+
++import sun.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ keyManager = new X509KeyManagerImpl(
+ Collections.<Builder>emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+index 820e10164fc..6fe2c29389f 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
++++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import sun.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+index 2845dc37938..52337a7b6cf 100644
+--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
++++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+
+ import java.security.*;
+
++import sun.misc.SharedSecrets;
++
+ /**
+ * The JSSE provider.
+ *
+@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context");
+ put("SSLContext.TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context");
+- put("SSLContext.TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context");
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ put("SSLContext.TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context");
++ }
+ put("SSLContext.TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext");
+ if (isfips == false) {
+diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
+index 7a93d4e6b59..681a24b905d 100644
+--- a/jdk/src/share/lib/security/java.security-aix
++++ b/jdk/src/share/lib/security/java.security-aix
+@@ -287,6 +287,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
+index 145a84f94cf..789c19a8cba 100644
+--- a/jdk/src/share/lib/security/java.security-linux
++++ b/jdk/src/share/lib/security/java.security-linux
+@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
+ security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.9=sun.security.smartcardio.SunPCSC
+
++#
++# Security providers used when FIPS mode support is active
++#
++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
++fips.provider.2=sun.security.provider.Sun
++fips.provider.3=sun.security.ec.SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
+ #
+ # Sun Provider SecureRandom seed source.
+ #
+@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=jks
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
+ #
+ # Controls compatibility mode for the JKS keystore type.
+ #
+@@ -287,6 +300,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
+index 35fa140d7a5..d4da666af3b 100644
+--- a/jdk/src/share/lib/security/java.security-macosx
++++ b/jdk/src/share/lib/security/java.security-macosx
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
+index f79ba37ddb9..300132384a1 100644
+--- a/jdk/src/share/lib/security/java.security-solaris
++++ b/jdk/src/share/lib/security/java.security-solaris
+@@ -288,6 +288,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
+index d70503ce95f..64db5a5cd1e 100644
+--- a/jdk/src/share/lib/security/java.security-windows
++++ b/jdk/src/share/lib/security/java.security-windows
+@@ -290,6 +290,13 @@ package.definition=sun.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=false
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c
+new file mode 100644
+index 00000000000..8dcb7d9073f
+--- /dev/null
++++ b/jdk/src/solaris/native/java/security/systemconf.c
+@@ -0,0 +1,224 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <jni.h>
++#include <jni_util.h>
++#include "jvm_md.h"
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-8e8bbf0ff74.patch
deleted file mode 100644
index 2379d45..0000000
--- a/SOURCES/fips-8u-8e8bbf0ff74.patch
+++ /dev/null
@@ -1,2007 +0,0 @@
-diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac
-index 151e5a109f8..a8761b500e0 100644
---- a/common/autoconf/configure.ac
-+++ b/common/autoconf/configure.ac
-@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE
- LIB_SETUP_ALSA
- LIB_SETUP_FONTCONFIG
- LIB_SETUP_MISC_LIBS
-+LIB_SETUP_SYSCONF_LIBS
- LIB_SETUP_STATIC_LINK_LIBSTDCPP
- LIB_SETUP_ON_WINDOWS
-
-diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
-index e77ce854dc5..ec6e9b27ca5 100644
---- a/common/autoconf/generated-configure.sh
-+++ b/common/autoconf/generated-configure.sh
-@@ -651,6 +651,9 @@ LLVM_CONFIG
- LIBFFI_LIBS
- LIBFFI_CFLAGS
- STATIC_CXX_SETTING
-+USE_SYSCONF_NSS
-+NSS_LIBS
-+NSS_CFLAGS
- LIBDL
- LIBM
- LIBZIP_CAN_USE_MMAP
-@@ -1111,6 +1114,7 @@ with_fontconfig
- with_fontconfig_include
- with_giflib
- with_zlib
-+enable_sysconf_nss
- with_stdc__lib
- with_msvcr_dll
- with_msvcp_dll
-@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS
- FREETYPE_LIBS
- ALSA_CFLAGS
- ALSA_LIBS
-+NSS_CFLAGS
-+NSS_LIBS
- LIBFFI_CFLAGS
- LIBFFI_LIBS
- CCACHE'
-@@ -1871,6 +1877,8 @@ Optional Features:
- disable bundling of the freetype library with the
- build result [enabled on Windows or when using
- --with-freetype, disabled otherwise]
-+ --enable-sysconf-nss build the System Configurator (libsysconf) using the
-+ system NSS library if available [disabled]
- --enable-sjavac use sjavac to do fast incremental compiles
- [disabled]
- --disable-precompiled-headers
-@@ -2115,6 +2123,8 @@ Some influential environment variables:
- linker flags for FREETYPE, overriding pkg-config
- ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config
- ALSA_LIBS linker flags for ALSA, overriding pkg-config
-+ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config
-+ NSS_LIBS linker flags for NSS, overriding pkg-config
- LIBFFI_CFLAGS
- C compiler flags for LIBFFI, overriding pkg-config
- LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config
-@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }
- eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-
- } # ac_fn_c_check_header_compile
-+
-+# ac_fn_c_try_link LINENO
-+# -----------------------
-+# Try to link conftest.$ac_ext, and return whether this succeeded.
-+ac_fn_c_try_link ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ rm -f conftest.$ac_objext conftest$ac_exeext
-+ if { { ac_try="$ac_link"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-+$as_echo "$ac_try_echo"; } >&5
-+ (eval "$ac_link") 2>conftest.err
-+ ac_status=$?
-+ if test -s conftest.err; then
-+ grep -v '^ *+' conftest.err >conftest.er1
-+ cat conftest.er1 >&5
-+ mv -f conftest.er1 conftest.err
-+ fi
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest$ac_exeext && {
-+ test "$cross_compiling" = yes ||
-+ test -x conftest$ac_exeext
-+ }; then :
-+ ac_retval=0
-+else
-+ $as_echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+ ac_retval=1
-+fi
-+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
-+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
-+ # interfere with the next link command; also delete a directory that is
-+ # left behind by Apple's compiler. We do this before executing the actions.
-+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
-+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-+ as_fn_set_status $ac_retval
-+
-+} # ac_fn_c_try_link
- cat >config.log <<_ACEOF
- This file contains any messages produced by compilers while
- running configure, to aid debugging if configure makes a mistake.
-@@ -4049,6 +4105,11 @@ fi
-
-
-
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+
-+
- #
- # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
- # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-@@ -49290,6 +49351,157 @@ fi
- LIBS="$save_LIBS"
-
-
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5
-+$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; }
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ # Check whether --enable-sysconf-nss was given.
-+if test "${enable_sysconf_nss+set}" = set; then :
-+ enableval=$enable_sysconf_nss;
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+
-+else
-+
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+
-+fi
-+
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5
-+$as_echo "$sysconf_nss" >&6; }
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+
-+pkg_failed=no
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5
-+$as_echo_n "checking for NSS... " >&6; }
-+
-+if test -n "$NSS_CFLAGS"; then
-+ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS"
-+ elif test -n "$PKG_CONFIG"; then
-+ if test -n "$PKG_CONFIG" && \
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
-+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then
-+ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null`
-+else
-+ pkg_failed=yes
-+fi
-+ else
-+ pkg_failed=untried
-+fi
-+if test -n "$NSS_LIBS"; then
-+ pkg_cv_NSS_LIBS="$NSS_LIBS"
-+ elif test -n "$PKG_CONFIG"; then
-+ if test -n "$PKG_CONFIG" && \
-+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5
-+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5
-+ ac_status=$?
-+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+ test $ac_status = 0; }; then
-+ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null`
-+else
-+ pkg_failed=yes
-+fi
-+ else
-+ pkg_failed=untried
-+fi
-+
-+
-+
-+if test $pkg_failed = yes; then
-+
-+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-+ _pkg_short_errors_supported=yes
-+else
-+ _pkg_short_errors_supported=no
-+fi
-+ if test $_pkg_short_errors_supported = yes; then
-+ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1`
-+ else
-+ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1`
-+ fi
-+ # Put the nasty error message in config.log where it belongs
-+ echo "$NSS_PKG_ERRORS" >&5
-+
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+ NSS_FOUND=no
-+elif test $pkg_failed = untried; then
-+ NSS_FOUND=no
-+else
-+ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS
-+ NSS_LIBS=$pkg_cv_NSS_LIBS
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+ NSS_FOUND=yes
-+fi
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5
-+$as_echo_n "checking for system FIPS support in NSS... " >&6; }
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <nss3/pk11pub.h>
-+int
-+main ()
-+{
-+SECMOD_GetSystemFIPSEnabled()
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_link "$LINENO"; then :
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+else
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5
-+fi
-+rm -f core conftest.err conftest.$ac_objext \
-+ conftest$ac_exeext conftest.$ac_ext
-+ ac_ext=cpp
-+ac_cpp='$CXXCPP $CPPFLAGS'
-+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-+
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5
-+ fi
-+ fi
-+
-+
-+
- ###############################################################################
- #
- # statically link libstdc++ before C++ ABI is stablized on Linux unless
-diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
-index 6efae578ea9..0080846255b 100644
---- a/common/autoconf/libraries.m4
-+++ b/common/autoconf/libraries.m4
-@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
- BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
- fi
- ])
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
-index 506cf617087..7241593b1a4 100644
---- a/common/autoconf/spec.gmk.in
-+++ b/common/autoconf/spec.gmk.in
-@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@
- ALSA_LIBS:=@ALSA_LIBS@
- ALSA_CFLAGS:=@ALSA_CFLAGS@
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- PACKAGE_PATH=@PACKAGE_PATH@
-
- # Source file for cacerts
-diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl
-index 3b79a526f56..d2a0e39b206 100644
---- a/common/bin/compare_exceptions.sh.incl
-+++ b/common/bin/compare_exceptions.sh.incl
-@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/i386/libsplashscreen.so
- ./jre/lib/i386/libsunec.so
- ./jre/lib/i386/libsunwjdga.so
-+./jre/lib/i386/libsystemconf.so
- ./jre/lib/i386/libt2k.so
- ./jre/lib/i386/libunpack.so
- ./jre/lib/i386/libverify.so
-@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/amd64/libsplashscreen.so
- ./jre/lib/amd64/libsunec.so
- ./jre/lib/amd64/libsunwjdga.so
-+//jre/lib/amd64/libsystemconf.so
- ./jre/lib/amd64/libt2k.so
- ./jre/lib/amd64/libunpack.so
- ./jre/lib/amd64/libverify.so
-@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/sparc/libsplashscreen.so
- ./jre/lib/sparc/libsunec.so
- ./jre/lib/sparc/libsunwjdga.so
-+./jre/lib/sparc/libsystemconf.so
- ./jre/lib/sparc/libt2k.so
- ./jre/lib/sparc/libunpack.so
- ./jre/lib/sparc/libverify.so
-@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
- ./jre/lib/sparcv9/libsplashscreen.so
- ./jre/lib/sparcv9/libsunec.so
- ./jre/lib/sparcv9/libsunwjdga.so
-+./jre/lib/sparcv9/libsystemconf.so
- ./jre/lib/sparcv9/libt2k.so
- ./jre/lib/sparcv9/libunpack.so
- ./jre/lib/sparcv9/libverify.so
-diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml
-index d2beed0b93a..3b6aef98d9a 100644
---- a/common/nb_native/nbproject/configurations.xml
-+++ b/common/nb_native/nbproject/configurations.xml
-@@ -53,6 +53,9 @@
- <in>jvmtiEnterTrace.cpp</in>
- </df>
- </df>
-+ <df name="libsystemconf">
-+ <in>systemconf.c</in>
-+ </df>
- </df>
- </df>
- <df name="jdk">
-@@ -12772,6 +12775,11 @@
- tool="0"
- flavor2="0">
- </item>
-+ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
-+ ex="false"
-+ tool="0"
-+ flavor2="0">
-+ </item>
- <item path="../../jdk/src/share/native/java/util/TimeZone.c"
- ex="false"
- tool="0"
-diff --git a/jdk/make/lib/SecurityLibraries.gmk b/jdk/make/lib/SecurityLibraries.gmk
-index b0b85d80448..47a41d7518d 100644
---- a/jdk/make/lib/SecurityLibraries.gmk
-+++ b/jdk/make/lib/SecurityLibraries.gmk
-@@ -289,3 +289,34 @@ ifeq ($(OPENJDK_TARGET_OS), solaris)
-
- endif
- endif
-+
-+################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
-+ LIBRARY := systemconf, \
-+ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
-+ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
-+ LANG := C, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
-+ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
-+ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
-+
-+ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
-diff --git a/jdk/make/mapfiles/libsystemconf/mapfile-vers b/jdk/make/mapfiles/libsystemconf/mapfile-vers
-new file mode 100644
-index 00000000000..a65ceb3b78c
---- /dev/null
-+++ b/jdk/make/mapfiles/libsystemconf/mapfile-vers
-@@ -0,0 +1,35 @@
-+#
-+# Copyright (c) 2021, Red Hat, Inc.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation. Oracle designates this
-+# particular file as subject to the "Classpath" exception as provided
-+# by Oracle in the LICENSE file that accompanied this code.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+# Define public interface.
-+
-+SUNWprivate_1.1 {
-+ global:
-+ DEF_JNI_OnLoad;
-+ DEF_JNI_OnUnLoad;
-+ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
-+ local:
-+ *;
-+};
-diff --git a/jdk/src/share/classes/java/security/Security.java b/jdk/src/share/classes/java/security/Security.java
-index 0db09da7061..813b907db3e 100644
---- a/jdk/src/share/classes/java/security/Security.java
-+++ b/jdk/src/share/classes/java/security/Security.java
-@@ -30,6 +30,8 @@ import java.util.*;
- import java.util.concurrent.ConcurrentHashMap;
- import java.io.*;
- import java.net.URL;
-+import sun.misc.SharedSecrets;
-+import sun.misc.JavaSecuritySystemConfiguratorAccess;
- import sun.security.util.Debug;
- import sun.security.util.PropertyExpander;
-
-@@ -43,11 +45,19 @@ import sun.security.jca.*;
- * implementation-specific location, which is typically the properties file
- * {@code lib/security/java.security} in the Java installation directory.
- *
-+ * <p>Additional default values of security properties are read from a
-+ * system-specific location, if available.</p>
-+ *
- * @author Benjamin Renaud
- */
-
- public final class Security {
-
-+ private static final String SYS_PROP_SWITCH =
-+ "java.security.disableSystemPropertiesFile";
-+ private static final String SEC_PROP_SWITCH =
-+ "security.useSystemPropertiesFile";
-+
- /* Are we debugging? -- for developers */
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -62,6 +72,19 @@ public final class Security {
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -78,6 +101,7 @@ public final class Security {
- props = new Properties();
- boolean loadedProps = false;
- boolean overrideAll = false;
-+ boolean systemSecPropsEnabled = false;
-
- // first load the system properties file
- // to determine the value of security.overridePropertiesFile
-@@ -93,6 +117,7 @@ public final class Security {
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -187,6 +212,61 @@ public final class Security {
- }
- }
-
-+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
-+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
-+ if (sdebug != null) {
-+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
-+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
-+ }
-+ if (!sysUseProps && secUseProps) {
-+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
-+ if (!systemSecPropsEnabled) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System security properties could not be loaded.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("System security property support disabled by user.");
-+ }
-+ }
-+
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps && systemSecPropsEnabled) {
-+ boolean shouldEnable;
-+ String sysProp = System.getProperty("com.redhat.fips");
-+ if (sysProp == null) {
-+ shouldEnable = true;
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips unset, using default value of true");
-+ }
-+ } else {
-+ shouldEnable = Boolean.valueOf(sysProp);
-+ if (sdebug != null) {
-+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
-+ }
-+ }
-+ if (shouldEnable) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS mode support configured and enabled.");
-+ } else {
-+ sdebug.println("FIPS mode support disabled.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null ) {
-+ sdebug.println("FIPS mode support disabled by user.");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
-+ "system security properties being enabled.");
-+ }
-+ }
- }
-
- /*
-diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
-index 00000000000..a24a0445db2
---- /dev/null
-+++ b/jdk/src/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,248 @@
-+/*
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+final class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configureSysProps(Properties props) {
-+ boolean systemSecPropsLoaded = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ systemSecPropsLoaded = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+ return systemSecPropsLoaded;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ // Remove all security providers
-+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry<Object, Object> e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
-+ loadedProps = true;
-+ systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
-+ } else {
-+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
-+ /**
-+ * Determines whether FIPS mode should be enabled.
-+ *
-+ * OpenJDK FIPS mode will be enabled only if the system is in
-+ * FIPS mode.
-+ *
-+ * Calls to this method only occur if the system property
-+ * com.redhat.fips is not set to false.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
-+ *
-+ * @return true if the system is in FIPS mode
-+ */
-+ private static boolean enableFips() throws IOException {
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ boolean fipsEnabled = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + fipsEnabled);
-+ }
-+ return fipsEnabled;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
-+ }
-+}
-diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..5c30a8b29c7
---- /dev/null
-+++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,31 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.misc;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
-+}
-diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java
-index f065a2c685d..0dafe6f59cf 100644
---- a/jdk/src/share/classes/sun/misc/SharedSecrets.java
-+++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java
-@@ -31,6 +31,7 @@ import java.io.Console;
- import java.io.FileDescriptor;
- import java.io.ObjectInputStream;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- import java.security.AccessController;
-@@ -63,6 +64,7 @@ public class SharedSecrets {
- private static JavaObjectInputStreamReadString javaObjectInputStreamReadString;
- private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
- private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static JavaUtilJarAccess javaUtilJarAccess() {
- if (javaUtilJarAccess == null) {
-@@ -248,4 +250,15 @@ public class SharedSecrets {
- }
- return javaxCryptoSealedObjectAccess;
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 00000000000..14d19450390
---- /dev/null
-+++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = P11ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-index fedcd7743ef..f9d70863bd1 100644
---- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback;
- import javax.security.auth.callback.PasswordCallback;
- import javax.security.auth.callback.TextOutputCallback;
-
-+import sun.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
-
-@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
-diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 2e42d1d9fb0..1b7eed1c656 100644
---- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -145,18 +146,41 @@ public class PKCS11 {
- this.pkcs11ModulePath = pkcs11ModulePath;
- }
-
-+ /*
-+ * Compatibility wrapper to allow this method to work as before
-+ * when FIPS mode support is not active.
-+ */
-+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-+ boolean omitInitialize) throws IOException, PKCS11Exception {
-+ return getInstance(pkcs11ModulePath, functionList,
-+ pInitArgs, omitInitialize, null);
-+ }
-+
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
-diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603b..98119479823 100644
---- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
-
- import javax.net.ssl.*;
-
-+import sun.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- keyManager = new X509KeyManagerImpl(
- Collections.<Builder>emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
-diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-index cd0e9e98df9..fba760187c0 100644
---- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -31,6 +31,7 @@ import java.security.*;
- import java.security.cert.*;
- import java.util.*;
- import javax.net.ssl.*;
-+import sun.misc.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-
- static {
- if (SunJSSE.isFIPS()) {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- );
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
- } else {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
-@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-
- static ProtocolVersion[] getSupportedProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
-@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi {
-
- static ProtocolVersion[] getProtocols() {
- if (SunJSSE.isFIPS()) {
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ return new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- return new ProtocolVersion[]{
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
-diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-index 2845dc37938..52337a7b6cf 100644
---- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-+++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
-
- import java.security.*;
-
-+import sun.misc.SharedSecrets;
-+
- /**
- * The JSSE provider.
- *
-@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider {
- "sun.security.ssl.SSLContextImpl$TLS11Context");
- put("SSLContext.TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context");
-- put("SSLContext.TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ put("SSLContext.TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context");
-+ }
- put("SSLContext.TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext");
- if (isfips == false) {
-diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
-index d3d64b3facd..bfe0c593adb 100644
---- a/jdk/src/share/lib/security/java.security-aix
-+++ b/jdk/src/share/lib/security/java.security-aix
-@@ -287,6 +287,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
-index db610d4bfbb..9d1c8fe8a8e 100644
---- a/jdk/src/share/lib/security/java.security-linux
-+++ b/jdk/src/share/lib/security/java.security-linux
-@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
- security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
- security.provider.9=sun.security.smartcardio.SunPCSC
-
-+#
-+# Security providers used when FIPS mode support is active
-+#
-+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
-+fips.provider.2=sun.security.provider.Sun
-+fips.provider.3=sun.security.ec.SunEC
-+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
-+
- #
- # Sun Provider SecureRandom seed source.
- #
-@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false
- #
- keystore.type=jks
-
-+#
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
- #
- # Controls compatibility mode for the JKS keystore type.
- #
-@@ -287,6 +300,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
-index a919ba3d5cd..19047c61097 100644
---- a/jdk/src/share/lib/security/java.security-macosx
-+++ b/jdk/src/share/lib/security/java.security-macosx
-@@ -290,6 +290,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
-index 86265ba5fb6..7eda556ae13 100644
---- a/jdk/src/share/lib/security/java.security-solaris
-+++ b/jdk/src/share/lib/security/java.security-solaris
-@@ -288,6 +288,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
-index 9b4bda23cbe..dfa1a669aa9 100644
---- a/jdk/src/share/lib/security/java.security-windows
-+++ b/jdk/src/share/lib/security/java.security-windows
-@@ -290,6 +290,13 @@ package.definition=sun.,\
- #
- security.overridePropertiesFile=true
-
-+#
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=false
-+
- #
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
-diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c
-new file mode 100644
-index 00000000000..8dcb7d9073f
---- /dev/null
-+++ b/jdk/src/solaris/native/java/security/systemconf.c
-@@ -0,0 +1,224 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include <jni.h>
-+#include <jni_util.h>
-+#include "jvm_md.h"
-+#include <stdio.h>
-+
-+#ifdef SYSCONF_NSS
-+#include <nss3/pk11pub.h>
-+#else
-+#include <dlfcn.h>
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define MSG_MAX_SIZE 256
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+ } else {
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+ }
-+}
diff --git a/SOURCES/jdk8294357-tzdata2022d.patch b/SOURCES/jdk8294357-tzdata2022d.patch
new file mode 100644
index 0000000..7356928
--- /dev/null
+++ b/SOURCES/jdk8294357-tzdata2022d.patch
@@ -0,0 +1,506 @@
+commit 8589b1229cffb9a0ab00baf62ce2d4376d31b055
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date: Fri Oct 14 22:55:39 2022 +0100
+
+ Backport f67b4de8a07b8158be1dfb5b09cdb4cc5b7ac93b
+
+diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/jdk/make/data/tzdata/VERSION
++++ b/jdk/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
+index 6cb6d2c57cf..1dc7d34f88e 100644
+--- a/jdk/make/data/tzdata/asia
++++ b/jdk/make/data/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards. Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
+ Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
+@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
+ Rule Palestine 2014 only - Oct 24 0:00 0 -
+ Rule Palestine 2015 only - Mar 28 0:00 1:00 S
+ Rule Palestine 2015 only - Oct 23 1:00 0 -
+-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
+-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
+ Rule Palestine 2019 only - Mar 29 0:00 1:00 S
+-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
+-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
+ Rule Palestine 2020 only - Oct 24 1:00 0 -
+-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
+-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
++Rule Palestine 2021 only - Oct 29 1:00 0 -
++Rule Palestine 2022 only - Mar 27 0:00 1:00 S
++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
+diff --git a/jdk/make/data/tzdata/backward b/jdk/make/data/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/jdk/make/data/tzdata/backward
++++ b/jdk/make/data/tzdata/backward
+@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
+index f7eb7a387aa..9e0a538f86d 100644
+--- a/jdk/make/data/tzdata/europe
++++ b/jdk/make/data/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 2:00 EU EE%sT 2014 Mar 30 2:00
+ 4:00 - MSK 2014 Oct 26 2:00s
+ 3:00 - MSK
+@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-# This represents most of Ukraine. See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
+ 2:00 - EET 1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:00 1:00 EEST 1991 Sep 29 3:00
+ 2:00 C-Eur EE%sT 1996 May 13
+ 2:00 EU EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
+- 1:00 - CET 1940
+- 1:00 C-Eur CE%sT 1944 Oct
+- 1:00 1:00 CEST 1944 Oct 26
+- 1:00 - CET 1945 Jun 29
+- 3:00 Russia MSK/MSD 1990
+- 3:00 - MSK 1990 Jul 1 2:00
+- 1:00 - CET 1991 Mar 31 3:00
+- 2:00 - EET 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English. Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
+- 2:20 - +0220 1924 May 2
+- 2:00 - EET 1930 Jun 21
+- 3:00 - MSK 1941 Aug 25
+- 1:00 C-Eur CE%sT 1943 Oct 25
+- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
+- 2:00 E-Eur EE%sT 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/jdk/make/data/tzdata/southamerica b/jdk/make/data/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/jdk/make/data/tzdata/southamerica
++++ b/jdk/make/data/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"... This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
+diff --git a/jdk/make/data/tzdata/zone.tab b/jdk/make/data/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/jdk/make/data/tzdata/zone.tab
++++ b/jdk/make/data/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
+ TW +2503+12130 Asia/Taipei
+ TZ -0648+03917 Africa/Dar_es_Salaam
+ UA +5026+03031 Europe/Kyiv Ukraine (most areas)
+-UA +4837+02218 Europe/Uzhgorod Transcarpathia
+-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
+ UG +0019+03225 Africa/Kampala
+ UM +2813-17722 Pacific/Midway Midway Islands
+ UM +1917+16637 Pacific/Wake Wake Island
+diff --git a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+index 43bddd5859a..4b84cda3067 100644
+--- a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
++++ b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java
+@@ -573,12 +573,8 @@ public final class ZoneInfoFile {
+ // we can then pass in the dom = -1, dow > 0 into ZoneInfo
+ //
+ // hacking, assume the >=24 is the result of ZRB optimization for
+- // "last", it works for now. From tzdata2020d this hacking
+- // will not work for Asia/Gaza and Asia/Hebron which follow
+- // Palestine DST rules.
+- if (dom < 0 || dom >= 24 &&
+- !(zoneId.equals("Asia/Gaza") ||
+- zoneId.equals("Asia/Hebron"))) {
++ // "last", it works for now.
++ if (dom < 0 || dom >= 24) {
+ params[1] = -1;
+ params[2] = toCalendarDOW[dow];
+ } else {
+@@ -600,7 +596,6 @@ public final class ZoneInfoFile {
+ params[7] = 0;
+ } else {
+ // hacking: see comment above
+- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
+ if (dom < 0 || dom >= 24) {
+ params[6] = -1;
+ params[7] = toCalendarDOW[dow];
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+index c32bee39fba..71470168456 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
+index a5e6428a3f5..e3ce742f887 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt
+@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+index fc148537f1f..b3823958ae4 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -163,11 +163,9 @@ Europe/Simferopol MSK
+ Europe/Sofia EET EEST
+ Europe/Tallinn EET EEST
+ Europe/Tirane CET CEST
+-Europe/Uzhgorod EET EEST
+ Europe/Vienna CET CEST
+ Europe/Vilnius EET EEST
+ Europe/Warsaw CET CEST
+-Europe/Zaporozhye EET EEST
+ Europe/Zurich CET CEST
+ HST HST
+ MET MET MEST
+diff --git a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
+index 3aad69f8118..c682531d4bd 100644
+--- a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
++++ b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java
+@@ -173,10 +173,19 @@ public class TestZoneInfo310 {
+ * Temporary ignoring the failing TimeZones which are having zone
+ * rules defined till year 2037 and/or above and have negative DST
+ * save time in IANA tzdata. This bug is tracked via JDK-8223388.
++ *
++ * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
++ * to be the last year. Thus javazic's rule is based on year 2037
++ * (Mar 20th/Sep 20th are the cutover dates), while the real rule
++ * has year 2087 where Mar 21st/Sep 21st are the cutover dates.
+ */
+- if (zid.equals("Africa/Casablanca") || zid.equals("Africa/El_Aaiun")
+- || zid.equals("Asia/Tehran") || zid.equals("Iran")) {
+- continue;
++ if (zid.equals("Africa/Casablanca") || // uses "Morocco" rule
++ zid.equals("Africa/El_Aaiun") || // uses "Morocco" rule
++ zid.equals("Asia/Tehran") || // last rule mismatch
++ zid.equals("Asia/Gaza") || // uses "Palestine" rule
++ zid.equals("Asia/Hebron") || // uses "Palestine" rule
++ zid.equals("Iran")) { // last rule mismatch
++ continue;
+ }
+ if (! zi.equalsTo(ziOLD)) {
+ System.out.println(zi.diffsTo(ziOLD));
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
+index 6cb6d2c57cf..1dc7d34f88e 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/asia
++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards. Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
+ Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
+@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
+ Rule Palestine 2014 only - Oct 24 0:00 0 -
+ Rule Palestine 2015 only - Mar 28 0:00 1:00 S
+ Rule Palestine 2015 only - Oct 23 1:00 0 -
+-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
+-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
+ Rule Palestine 2019 only - Mar 29 0:00 1:00 S
+-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
+-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
+ Rule Palestine 2020 only - Oct 24 1:00 0 -
+-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
+-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
++Rule Palestine 2021 only - Oct 29 1:00 0 -
++Rule Palestine 2022 only - Mar 27 0:00 1:00 S
++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/backward b/jdk/test/sun/util/calendar/zi/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/backward
++++ b/jdk/test/sun/util/calendar/zi/tzdata/backward
+@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
+index f7eb7a387aa..9e0a538f86d 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/europe
++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329
++# https://www.bbc.com/news/av/world-europe-26806583
+ 2:00 EU EE%sT 2014 Mar 30 2:00
+ 4:00 - MSK 2014 Oct 26 2:00s
+ 3:00 - MSK
+@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-# This represents most of Ukraine. See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
+ 2:00 - EET 1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:00 1:00 EEST 1991 Sep 29 3:00
+ 2:00 C-Eur EE%sT 1996 May 13
+ 2:00 EU EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
+- 1:00 - CET 1940
+- 1:00 C-Eur CE%sT 1944 Oct
+- 1:00 1:00 CEST 1944 Oct 26
+- 1:00 - CET 1945 Jun 29
+- 3:00 Russia MSK/MSD 1990
+- 3:00 - MSK 1990 Jul 1 2:00
+- 1:00 - CET 1991 Mar 31 3:00
+- 2:00 - EET 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English. Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
+- 2:20 - +0220 1924 May 2
+- 2:00 - EET 1930 Jun 21
+- 3:00 - MSK 1941 Aug 25
+- 1:00 C-Eur CE%sT 1943 Oct 25
+- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
+- 2:00 E-Eur EE%sT 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/southamerica b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/southamerica
++++ b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"... This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
++++ b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
+ TW +2503+12130 Asia/Taipei
+ TZ -0648+03917 Africa/Dar_es_Salaam
+ UA +5026+03031 Europe/Kyiv Ukraine (most areas)
+-UA +4837+02218 Europe/Uzhgorod Transcarpathia
+-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
+ UG +0019+03225 Africa/Kampala
+ UM +2813-17722 Pacific/Midway Midway Islands
+ UM +1917+16637 Pacific/Wake Wake Island
diff --git a/SOURCES/jdk8295173-tzdata2022e.patch b/SOURCES/jdk8295173-tzdata2022e.patch
new file mode 100644
index 0000000..a7d23ef
--- /dev/null
+++ b/SOURCES/jdk8295173-tzdata2022e.patch
@@ -0,0 +1,813 @@
+commit 44ea8322b2f62e3d8139a78923e3bf017e535989
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date: Sun Oct 16 03:02:37 2022 +0100
+
+ Backport 21407dec0156301871a83328615e4d975c4287c4
+
+diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/jdk/make/data/tzdata/VERSION
++++ b/jdk/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
+index 1dc7d34f88e..f1771e42a71 100644
+--- a/jdk/make/data/tzdata/asia
++++ b/jdk/make/data/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Jordan 1973 only - Jun 6 0:00 1:00 S
+ Rule Jordan 1973 1975 - Oct 1 0:00 0 -
+@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
+ Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
+ Rule Jordan 2013 only - Dec 20 0:00 0 -
+ Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
+-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
+-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Amman 2:23:44 - LMT 1931
+- 2:00 Jordan EE%sT
++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
++ 3:00 - +03
+
+
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+
+ Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
+ Rule Syria 2008 only - Nov 1 0:00 0 -
+ Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
+ Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
+-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
+-Rule Syria 2009 max - Oct lastFri 0:00 0 -
++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
++Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
+- 2:00 Syria EE%sT
++ 2:00 Syria EE%sT 2022 Oct 28 0:00
++ 3:00 - +03
+
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
+index 9e0a538f86d..930cede4cf4 100644
+--- a/jdk/make/data/tzdata/europe
++++ b/jdk/make/data/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
+ 0:00 Spain WE%sT 1940 Mar 16 23:00
+ 1:00 Spain CE%sT 1979
+ 1:00 EU CE%sT
+-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
+ 0:00 - WET 1918 May 6 23:00
+ 0:00 1:00 WEST 1918 Oct 7 23:00
+ 0:00 - WET 1924
+diff --git a/jdk/make/data/tzdata/northamerica b/jdk/make/data/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/jdk/make/data/tzdata/northamerica
++++ b/jdk/make/data/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
+ Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
+ Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Chicago C%sT 1936 Mar 1 2:00
+ -5:00 - EST 1936 Nov 15 2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+ -6:00 Chicago C%sT 1967
+ -6:00 US C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1992 Oct 25 2:00
+ -6:00 US C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2003 Oct 26 2:00
+ -6:00 US C%sT
+
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+ # largest city in Mercer County). Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2010 Nov 7 2:00
+ -6:00 US C%sT
+
+@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
+ Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
+ Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1920
+ -7:00 Denver M%sT 1942
+ -7:00 US M%sT 1946
+@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
+ Rule CA 1950 1961 - Sep lastSun 2:00 0 S
+ Rule CA 1962 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1946
+ -8:00 CA P%sT 1967
+ -8:00 US P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1944 Jan 1 0:01
+ -7:00 - MST 1944 Apr 1 0:01
+ -7:00 US M%sT 1944 Oct 1 0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1923 May 13 2:00
+ -7:00 US M%sT 1974
+ -7:00 - MST 1974 Feb 3 2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
+ Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
+ Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Indianapolis C%sT 1942
+ -6:00 US C%sT 1946
+@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
+ Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
+ Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1951
+ -6:00 Marengo C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
+ Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
+ Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Vincennes C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1969
+@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
+ Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Perry C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1967 Oct 29 2:00
+@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
+ Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1955
+ -6:00 Pike C%sT 1965 Apr 25 2:00
+ -5:00 - EST 1966 Oct 30 2:00
+@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
+ Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1947
+ -6:00 Starke C%sT 1962 Apr 29 2:00
+ -5:00 - EST 1963 Oct 27 2:00
+@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
+ Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Pulaski C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1954 Apr 25 2:00
+ -5:00 - EST 1969
+ -5:00 US E%sT 1973
+@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
+ Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
+ Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1921
+ -6:00 Louisville C%sT 1942
+ -6:00 US C%sT 1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 - CST 1968
+ -6:00 US C%sT 2000 Oct 29 2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
+ # longitude they are located at.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
++Rule Mexico 1931 only - May 1 23:00 1:00 D
++Rule Mexico 1931 only - Oct 1 0:00 0 S
+ Rule Mexico 1939 only - Feb 5 0:00 1:00 D
+ Rule Mexico 1939 only - Jun 25 0:00 0 S
+ Rule Mexico 1940 only - Dec 9 0:00 1:00 D
+@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
+ Rule Mexico 2002 max - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 Mexico E%sT 1998 Aug 2 2:00
+ -6:00 Mexico C%sT 2015 Feb 1 2:00
+ -5:00 - EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 - EST 1982 Dec 2
+ -6:00 Mexico C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT 2010
+ -6:00 US C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 Mexico C%sT 2001 Sep 30 2:00
+ -6:00 - CST 2002 Feb 20
+ -6:00 Mexico C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT 2010
+ -7:00 US M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT
+ # Sonora
+-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+
+ # Mazatlán
+-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+ -7:00 Mexico M%sT
+
+ # Bahía de Banderas
+-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+ -6:00 Mexico C%sT
+
+ # Baja California
+-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1924
+ -8:00 - PST 1927 Jun 10 23:00
+ -7:00 - MST 1930 Nov 15
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+index 71470168456..0cad939008f 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+index b3823958ae4..2f2786f1c69 100644
+--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
+ America/Yakutat AKST AKDT
+ America/Yellowknife MST MDT
+ Antarctica/Macquarie AEST AEDT
+-Asia/Amman EET EEST
+ Asia/Beirut EET EEST
+-Asia/Damascus EET EEST
+ Asia/Famagusta EET EEST
+ Asia/Gaza EET EEST
+ Asia/Hebron EET EEST
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
+index 1dc7d34f88e..f1771e42a71 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/asia
++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Jordan 1973 only - Jun 6 0:00 1:00 S
+ Rule Jordan 1973 1975 - Oct 1 0:00 0 -
+@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
+ Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
+ Rule Jordan 2013 only - Dec 20 0:00 0 -
+ Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
+-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
+-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Amman 2:23:44 - LMT 1931
+- 2:00 Jordan EE%sT
++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
++ 3:00 - +03
+
+
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+
+ Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
+ Rule Syria 2008 only - Nov 1 0:00 0 -
+ Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
+ Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
+-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
+-Rule Syria 2009 max - Oct lastFri 0:00 0 -
++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
++Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
+- 2:00 Syria EE%sT
++ 2:00 Syria EE%sT 2022 Oct 28 0:00
++ 3:00 - +03
+
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
+index 9e0a538f86d..930cede4cf4 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/europe
++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
+ 0:00 Spain WE%sT 1940 Mar 16 23:00
+ 1:00 Spain CE%sT 1979
+ 1:00 EU CE%sT
+-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
+ 0:00 - WET 1918 May 6 23:00
+ 0:00 1:00 WEST 1918 Oct 7 23:00
+ 0:00 - WET 1924
+diff --git a/jdk/test/sun/util/calendar/zi/tzdata/northamerica b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/jdk/test/sun/util/calendar/zi/tzdata/northamerica
++++ b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
+ Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
+ Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Chicago C%sT 1936 Mar 1 2:00
+ -5:00 - EST 1936 Nov 15 2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+ -6:00 Chicago C%sT 1967
+ -6:00 US C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1992 Oct 25 2:00
+ -6:00 US C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2003 Oct 26 2:00
+ -6:00 US C%sT
+
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+ # largest city in Mercer County). Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2010 Nov 7 2:00
+ -6:00 US C%sT
+
+@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
+ Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
+ Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1920
+ -7:00 Denver M%sT 1942
+ -7:00 US M%sT 1946
+@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
+ Rule CA 1950 1961 - Sep lastSun 2:00 0 S
+ Rule CA 1962 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1946
+ -8:00 CA P%sT 1967
+ -8:00 US P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1944 Jan 1 0:01
+ -7:00 - MST 1944 Apr 1 0:01
+ -7:00 US M%sT 1944 Oct 1 0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1923 May 13 2:00
+ -7:00 US M%sT 1974
+ -7:00 - MST 1974 Feb 3 2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
+ Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
+ Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Indianapolis C%sT 1942
+ -6:00 US C%sT 1946
+@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
+ Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
+ Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1951
+ -6:00 Marengo C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
+ Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
+ Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Vincennes C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1969
+@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
+ Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Perry C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1967 Oct 29 2:00
+@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
+ Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1955
+ -6:00 Pike C%sT 1965 Apr 25 2:00
+ -5:00 - EST 1966 Oct 30 2:00
+@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
+ Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1947
+ -6:00 Starke C%sT 1962 Apr 29 2:00
+ -5:00 - EST 1963 Oct 27 2:00
+@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
+ Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Pulaski C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1954 Apr 25 2:00
+ -5:00 - EST 1969
+ -5:00 US E%sT 1973
+@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
+ Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
+ Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1921
+ -6:00 Louisville C%sT 1942
+ -6:00 US C%sT 1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 - CST 1968
+ -6:00 US C%sT 2000 Oct 29 2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
+ # longitude they are located at.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
++Rule Mexico 1931 only - May 1 23:00 1:00 D
++Rule Mexico 1931 only - Oct 1 0:00 0 S
+ Rule Mexico 1939 only - Feb 5 0:00 1:00 D
+ Rule Mexico 1939 only - Jun 25 0:00 0 S
+ Rule Mexico 1940 only - Dec 9 0:00 1:00 D
+@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
+ Rule Mexico 2002 max - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 Mexico E%sT 1998 Aug 2 2:00
+ -6:00 Mexico C%sT 2015 Feb 1 2:00
+ -5:00 - EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 - EST 1982 Dec 2
+ -6:00 Mexico C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza
+-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT 2010
+ -6:00 US C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 Mexico C%sT 2001 Sep 30 2:00
+ -6:00 - CST 2002 Feb 20
+ -6:00 Mexico C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT 2010
+ -7:00 US M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT
+ # Sonora
+-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+
+ # Mazatlán
+-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+ -7:00 Mexico M%sT
+
+ # Bahía de Banderas
+-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+ -6:00 Mexico C%sT
+
+ # Baja California
+-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1924
+ -8:00 - PST 1927 Jun 10 23:00
+ -7:00 - MST 1930 Nov 15
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 8752281..16fbf02 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -281,7 +281,7 @@
# New Version-String scheme-style defines
%global majorver 8
-# Standard JPackage naming and versioning defines.
+# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
@@ -313,7 +313,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project openjdk
%global shenandoah_repo shenandoah-jdk8u
-%global openjdk_revision jdk8u345-b01
+%global openjdk_revision jdk8u352-b08
%global shenandoah_revision shenandoah-%{openjdk_revision}
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
@@ -322,7 +322,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop files
%global icedteaver 3.15.0
# Define current Git revision for the FIPS support patches
-%global fipsver 8e8bbf0ff74
+%global fipsver 6d1aade0648
# e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04
%global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*})
@@ -332,7 +332,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 5
+%global rpmrelease 2
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -1125,9 +1125,9 @@ Provides: java%{?1} = %{epoch}:%{javaver}
Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/
Requires: javapackages-filesystem
-# Require zoneinfo data provided by tzdata-java subpackage.
-# 2022a required as of JDK-8283350 in 8u342
-Requires: tzdata-java >= 2022a
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+Requires: tzdata-java >= 2022d
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1324,6 +1324,9 @@ Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
Source20: repackReproduciblePolycies.sh
# New versions of config files with aarch64 support. This is not upstream yet.
@@ -1450,13 +1453,17 @@ Patch581: jdk8257794-remove_broken_assert.patch
#############################################
#
-# Patches appearing in 8u332
+# Patches appearing in 8u362
#
# This section includes patches which are present
# in the listed OpenJDK 8u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
+# JDK-8294357: (tz) Update Timezone Data to 2022d
+Patch2002: jdk8294357-tzdata2022d.patch
+# JDK-8295173: (tz) Update Timezone Data to 2022e
+Patch2003: jdk8295173-tzdata2022e.patch
#############################################
#
@@ -1525,8 +1532,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2022a required as of JDK-8283350 in 8u342
-BuildRequires: tzdata-java >= 2022a
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+BuildRequires: tzdata-java >= 2022d
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1887,6 +1895,9 @@ pushd %{top_level_dir_name}
%patch1000 -p1
# system cacerts support
%patch539 -p1
+# tzdata updates targetted for 8u362
+%patch2002 -p1
+%patch2003 -p1
popd
# RPM-only fixes
@@ -2221,6 +2232,9 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
@@ -2691,6 +2705,15 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sun Oct 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b08-2
+- Update to shenandoah-jdk8u352-b08 (GA)
+- Update release notes for shenandoah-8u352-b08.
+- Rebase FIPS patch against 8u352-b07
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Add test to ensure timezones can be translated
+- * This tarball is embargoed until 2022-10-18 @ 1pm PT. *
+- Resolves: rhbz#2133695
+
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-5
- Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2048542