diff --git a/.gitignore b/.gitignore index ccfc525..35138ce 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 493f497..ce1ddd8 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz +11e3bf44f3c54d25e2018fc7df16c231daf041c5 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u352-b08-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index a45c520..08b5588 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,163 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u352 (2022-10-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u352 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt + +* Security fixes + - JDK-8282252: Improve BigInteger/Decimal validation + - JDK-8285662: Better permission resolution + - JDK-8286511: Improve macro allocation + - JDK-8286519: Better memory handling + - JDK-8286526, CVE-2022-21619: Improve NTLM support + - JDK-8286533, CVE-2022-21626: Key X509 usages + - JDK-8286910, CVE-2022-21624: Improve JNDI lookups + - JDK-8286918, CVE-2022-21628: Better HttpServer service + - JDK-8288508: Enhance ECDSA usage +* Other changes + - JDK-7131823: bug in GIFImageReader + - JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate + - JDK-8028265: Add legacy tz tests to OpenJDK + - JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000] + - JDK-8049228: Improve multithreaded scalability of InetAddress cache + - JDK-8071507: (ref) Clear phantom reference as soft and weak references do + - JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation + - JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9 + - JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script + - JDK-8139668: Generate README-build.html from markdown + - JDK-8143847: Remove REF_CLEANER reference category + - JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl + - JDK-8150669: C1 intrinsic for Class.isPrimitive + - JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows + - JDK-8173339: AArch64: Fix minimum stack size computations + - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load + - JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing + - JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored + - JDK-8183107: PKCS11 regression regarding checkKeySize + - JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property + - JDK-8194873: right ALT key hotkeys no longer work in Swing components + - JDK-8201793: (ref) Reference object should not support cloning + - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount() + - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures. + - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit + - JDK-8235218: Minimal VM is broken after JDK-8173361 + - JDK-8235385: Crash on aarch64 JDK due to long offset + - JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles + - JDK-8254178: Remove .hgignore + - JDK-8254318: Remove .hgtags + - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version + - JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*) + - JDK-8280963: Incorrect PrintFlags formatting on Windows + - JDK-8282538: PKCS11 tests fail on CentOS Stream 9 + - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee + - JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3 + - JDK-8285497: Add system property for Java SE specification maintenance version + - JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE + - JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11 + - JDK-8287521: Bump update version of OpenJDK: 8u352 + - JDK-8288763: Pack200 extraction failure with invalid size + - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses + - JDK-8290000: Bump macOS GitHub actions to macOS 11 + - JDK-8292579: (tz) Update Timezone Data to 2022c + - JDK-8292688: Support Security properties in security.testlibrary.Proc + +Notes on individual issues: +=========================== + +core-libs/java.lang: + +JDK-8201793: (ref) Reference object should not support cloning +============================================================== +`java.lang.ref.Reference::clone` method always throws +`CloneNotSupportedException`. `Reference` objects cannot be +meaningfully cloned. To create a new Reference object, call the +constructor to create a `Reference` object with the same referent and +reference queue instead. + +JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing +=============================================================================================== +`java.lang.ref.Reference.enqueue` method clears the reference object +before it is added to the registered queue. When the `enqueue` method +is called, the reference object is cleared and `get()` method will +return null in OpenJDK 8u352. + +Typically when a reference object is enqueued, it is expected that the +reference object is cleared explicitly via the `clear` method to avoid +memory leak because its referent is no longer referenced. In other +words the `get` method is expected not to be called in common cases +once the `enqueue`method is called. In the case when the `get` method +from an enqueued reference object and existing code attempts to access +members of the referent, `NullPointerException` may be thrown. Such +code will need to be updated. + +JDK-8071507: (ref) Clear phantom reference as soft and weak references do +========================================================================= +This enhancement changes phantom references to be automatically +cleared by the garbage collector as soft and weak references. + +An object becomes phantom reachable after it has been finalized. This +change may cause the phantom reachable objects to be GC'ed earlier - +previously the referent is kept alive until PhantomReference objects +are GC'ed or cleared by the application. This potential behavioral +change might only impact existing code that would depend on +PhantomReference being enqueued rather than when the referent be freed +from the heap. + +security-libs/javax.net.ssl: + +JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles +================================================================ +The TLSv1.3 implementation is now enabled by default for client roles +in 8u352. It has been enabled by default for server roles since 8u272. + +Note that TLS 1.3 is not directly compatible with previous +versions. Enabling it on the client may introduce compatibility issues +on either the server or the client side. Here are some more details on +potential compatibility issues that you should be aware of: + +* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions + use a duplex-close policy. For applications that depend on the + duplex-close policy, there may be compatibility issues when + upgrading to TLS 1.3. + +* The signature_algorithms_cert extension requires that pre-defined + signature algorithms are used for certificate authentication. In + practice, however, an application may use non-supported signature + algorithms. + +* The DSA signature algorithm is not supported in TLS 1.3. If a server + is configured to only use DSA certificates, it cannot upgrade to TLS + 1.3. + +* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 + and prior versions. If an application hard-codes cipher suites which + are no longer supported, it may not be able to use TLS 1.3 without + modifying the application code. + +* The TLS 1.3 session resumption and key update behaviors are + different from TLS 1.2 and prior versions. The compatibility should + be minimal, but it could be a risk if an application depends on the + handshake details of the TLS protocols. + +The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols +system property: + +java -Djdk.tls.client.protocols="TLSv1.2" ... + +Alternatively, an application can explicitly set the enabled protocols +with the javax.net.ssl APIs e.g. + +sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); + +or: + +SSLParameters params = sslSocket.getSSLParameters(); +params.setProtocols(new String[] {"TLSv1.2"}); +slsSocket.setSSLParameters(params); + New in release OpenJDK 8u345 (2022-08-01): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java index 552bd0f..2967a32 100644 --- a/SOURCES/TestSecurityProperties.java +++ b/SOURCES/TestSecurityProperties.java @@ -1,3 +1,20 @@ +/* TestSecurityProperties -- Ensure system security properties can be used to + enable the crypto policies. + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ import java.io.File; import java.io.FileInputStream; import java.security.Security; diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java new file mode 100644 index 0000000..7b2f09b --- /dev/null +++ b/SOURCES/TestTranslations.java @@ -0,0 +1,140 @@ +/* TestTranslations -- Ensure translations are available for new timezones + Copyright (C) 2022 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.text.DateFormatSymbols; + +import java.time.ZoneId; +import java.time.format.TextStyle; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Locale; +import java.util.Objects; +import java.util.TimeZone; + +public class TestTranslations { + + private static Map KYIV; + + static { + Map map = new HashMap(); + map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET", + "Eastern European Summer Time", "GMT+03:00", "EEST", + "Eastern European Time", "GMT+02:00", "EET"}); + map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET", + "Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST", + "Heure d'Europe de l'Est", "UTC+02:00", "EET"}); + map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ", + "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ", + "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"}); + KYIV = Collections.unmodifiableMap(map); + } + + + public static void main(String[] args) { + if (args.length < 1) { + System.err.println("Test must be started with the name of the locale provider."); + System.exit(1); + } + + String localeProvider = args[0]; + System.out.println("Checking sanity of full zone string set..."); + boolean invalid = Arrays.stream(Locale.getAvailableLocales()) + .peek(l -> System.out.println("Locale: " + l)) + .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings()) + .flatMap(zs -> Arrays.stream(zs)) + .flatMap(names -> Arrays.stream(names)) + .filter(name -> Objects.isNull(name) || name.isEmpty()) + .findAny() + .isPresent(); + if (invalid) { + System.err.println("Zone string for a locale returned null or empty string"); + System.exit(2); + } + + for (Locale l : KYIV.keySet()) { + String[] expected = KYIV.get(l); + for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) { + String expectedShortStd = null; + String expectedShortDST = null; + String expectedShortGen = null; + + System.out.printf("Checking locale %s for %s...\n", l, id); + + if ("JRE".equals(localeProvider)) { + expectedShortStd = expected[2]; + expectedShortDST = expected[5]; + expectedShortGen = expected[8]; + } else if ("CLDR".equals(localeProvider)) { + expectedShortStd = expected[1]; + expectedShortDST = expected[4]; + expectedShortGen = expected[7]; + } else { + System.err.printf("Invalid locale provider %s\n", localeProvider); + System.exit(3); + } + System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n", + localeProvider, expectedShortStd, expectedShortDST, expectedShortGen); + + String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l); + String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l); + String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l); + String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l); + String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l); + String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l); + + if (!expected[0].equals(longStd)) { + System.err.printf("Long standard display name for %s in %s was %s, expected %s\n", + id, l, longStd, expected[0]); + System.exit(4); + } + + if (!expectedShortStd.equals(shortStd)) { + System.err.printf("Short standard display name for %s in %s was %s, expected %s\n", + id, l, shortStd, expectedShortStd); + System.exit(5); + } + + if (!expected[3].equals(longDST)) { + System.err.printf("Long DST display name for %s in %s was %s, expected %s\n", + id, l, longDST, expected[3]); + System.exit(6); + } + + if (!expectedShortDST.equals(shortDST)) { + System.err.printf("Short DST display name for %s in %s was %s, expected %s\n", + id, l, shortDST, expectedShortDST); + System.exit(7); + } + + if (!expected[6].equals(longGen)) { + System.err.printf("Long generic display name for %s in %s was %s, expected %s\n", + id, l, longGen, expected[6]); + System.exit(8); + } + + if (!expectedShortGen.equals(shortGen)) { + System.err.printf("Short generic display name for %s in %s was %s, expected %s\n", + id, l, shortGen, expectedShortGen); + System.exit(9); + } + } + } + } +} diff --git a/SOURCES/fips-8u-6d1aade0648.patch b/SOURCES/fips-8u-6d1aade0648.patch new file mode 100644 index 0000000..58ab6e5 --- /dev/null +++ b/SOURCES/fips-8u-6d1aade0648.patch @@ -0,0 +1,2007 @@ +diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac +index 151e5a109f8..a8761b500e0 100644 +--- a/common/autoconf/configure.ac ++++ b/common/autoconf/configure.ac +@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE + LIB_SETUP_ALSA + LIB_SETUP_FONTCONFIG + LIB_SETUP_MISC_LIBS ++LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_STATIC_LINK_LIBSTDCPP + LIB_SETUP_ON_WINDOWS + +diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh +index 71fabf4dbb3..17f4f50673d 100644 +--- a/common/autoconf/generated-configure.sh ++++ b/common/autoconf/generated-configure.sh +@@ -651,6 +651,9 @@ LLVM_CONFIG + LIBFFI_LIBS + LIBFFI_CFLAGS + STATIC_CXX_SETTING ++USE_SYSCONF_NSS ++NSS_LIBS ++NSS_CFLAGS + LIBDL + LIBM + LIBZIP_CAN_USE_MMAP +@@ -1111,6 +1114,7 @@ with_fontconfig + with_fontconfig_include + with_giflib + with_zlib ++enable_sysconf_nss + with_stdc__lib + with_msvcr_dll + with_msvcp_dll +@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS + FREETYPE_LIBS + ALSA_CFLAGS + ALSA_LIBS ++NSS_CFLAGS ++NSS_LIBS + LIBFFI_CFLAGS + LIBFFI_LIBS + CCACHE' +@@ -1871,6 +1877,8 @@ Optional Features: + disable bundling of the freetype library with the + build result [enabled on Windows or when using + --with-freetype, disabled otherwise] ++ --enable-sysconf-nss build the System Configurator (libsysconf) using the ++ system NSS library if available [disabled] + --enable-sjavac use sjavac to do fast incremental compiles + [disabled] + --disable-precompiled-headers +@@ -2115,6 +2123,8 @@ Some influential environment variables: + linker flags for FREETYPE, overriding pkg-config + ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config + ALSA_LIBS linker flags for ALSA, overriding pkg-config ++ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config ++ NSS_LIBS linker flags for NSS, overriding pkg-config + LIBFFI_CFLAGS + C compiler flags for LIBFFI, overriding pkg-config + LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config +@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + + } # ac_fn_c_check_header_compile ++ ++# ac_fn_c_try_link LINENO ++# ----------------------- ++# Try to link conftest.$ac_ext, and return whether this succeeded. ++ac_fn_c_try_link () ++{ ++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack ++ rm -f conftest.$ac_objext conftest$ac_exeext ++ if { { ac_try="$ac_link" ++case "(($ac_try" in ++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; ++ *) ac_try_echo=$ac_try;; ++esac ++eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" ++$as_echo "$ac_try_echo"; } >&5 ++ (eval "$ac_link") 2>conftest.err ++ ac_status=$? ++ if test -s conftest.err; then ++ grep -v '^ *+' conftest.err >conftest.er1 ++ cat conftest.er1 >&5 ++ mv -f conftest.er1 conftest.err ++ fi ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; } && { ++ test -z "$ac_c_werror_flag" || ++ test ! -s conftest.err ++ } && test -s conftest$ac_exeext && { ++ test "$cross_compiling" = yes || ++ test -x conftest$ac_exeext ++ }; then : ++ ac_retval=0 ++else ++ $as_echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ ac_retval=1 ++fi ++ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information ++ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would ++ # interfere with the next link command; also delete a directory that is ++ # left behind by Apple's compiler. We do this before executing the actions. ++ rm -rf conftest.dSYM conftest_ipa8_conftest.oo ++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno ++ as_fn_set_status $ac_retval ++ ++} # ac_fn_c_try_link + cat >config.log <<_ACEOF + This file contains any messages produced by compilers while + running configure, to aid debugging if configure makes a mistake. +@@ -4049,6 +4105,11 @@ fi + + + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++ ++ + # + # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. + # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +@@ -49304,6 +49365,157 @@ fi + LIBS="$save_LIBS" + + ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5 ++$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; } ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ # Check whether --enable-sysconf-nss was given. ++if test "${enable_sysconf_nss+set}" = set; then : ++ enableval=$enable_sysconf_nss; ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ++else ++ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ++fi ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5 ++$as_echo "$sysconf_nss" >&6; } ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ ++pkg_failed=no ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 ++$as_echo_n "checking for NSS... " >&6; } ++ ++if test -n "$NSS_CFLAGS"; then ++ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null` ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++if test -n "$NSS_LIBS"; then ++ pkg_cv_NSS_LIBS="$NSS_LIBS" ++ elif test -n "$PKG_CONFIG"; then ++ if test -n "$PKG_CONFIG" && \ ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 ++ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; then ++ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null` ++else ++ pkg_failed=yes ++fi ++ else ++ pkg_failed=untried ++fi ++ ++ ++ ++if test $pkg_failed = yes; then ++ ++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then ++ _pkg_short_errors_supported=yes ++else ++ _pkg_short_errors_supported=no ++fi ++ if test $_pkg_short_errors_supported = yes; then ++ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1` ++ else ++ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1` ++ fi ++ # Put the nasty error message in config.log where it belongs ++ echo "$NSS_PKG_ERRORS" >&5 ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ NSS_FOUND=no ++elif test $pkg_failed = untried; then ++ NSS_FOUND=no ++else ++ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS ++ NSS_LIBS=$pkg_cv_NSS_LIBS ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ NSS_FOUND=yes ++fi ++ if test "x${NSS_FOUND}" = "xyes"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5 ++$as_echo_n "checking for system FIPS support in NSS... " >&6; } ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ ac_ext=c ++ac_cpp='$CPP $CPPFLAGS' ++ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ++ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ++ac_compiler_gnu=$ac_cv_c_compiler_gnu ++ ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++#include ++int ++main () ++{ ++SECMOD_GetSystemFIPSEnabled() ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO"; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5 ++fi ++rm -f core conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++ ac_ext=cpp ++ac_cpp='$CXXCPP $CPPFLAGS' ++ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ++ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ++ac_compiler_gnu=$ac_cv_cxx_compiler_gnu ++ ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5 ++ fi ++ fi ++ ++ ++ + ############################################################################### + # + # statically link libstdc++ before C++ ABI is stablized on Linux unless +diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 +index 6efae578ea9..0080846255b 100644 +--- a/common/autoconf/libraries.m4 ++++ b/common/autoconf/libraries.m4 +@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS], + BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) + fi + ]) ++ ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in +index 506cf617087..7241593b1a4 100644 +--- a/common/autoconf/spec.gmk.in ++++ b/common/autoconf/spec.gmk.in +@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@ + ALSA_LIBS:=@ALSA_LIBS@ + ALSA_CFLAGS:=@ALSA_CFLAGS@ + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + PACKAGE_PATH=@PACKAGE_PATH@ + + # Source file for cacerts +diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl +index 3b79a526f56..d2a0e39b206 100644 +--- a/common/bin/compare_exceptions.sh.incl ++++ b/common/bin/compare_exceptions.sh.incl +@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/i386/libsplashscreen.so + ./jre/lib/i386/libsunec.so + ./jre/lib/i386/libsunwjdga.so ++./jre/lib/i386/libsystemconf.so + ./jre/lib/i386/libt2k.so + ./jre/lib/i386/libunpack.so + ./jre/lib/i386/libverify.so +@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/amd64/libsplashscreen.so + ./jre/lib/amd64/libsunec.so + ./jre/lib/amd64/libsunwjdga.so ++//jre/lib/amd64/libsystemconf.so + ./jre/lib/amd64/libt2k.so + ./jre/lib/amd64/libunpack.so + ./jre/lib/amd64/libverify.so +@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/sparc/libsplashscreen.so + ./jre/lib/sparc/libsunec.so + ./jre/lib/sparc/libsunwjdga.so ++./jre/lib/sparc/libsystemconf.so + ./jre/lib/sparc/libt2k.so + ./jre/lib/sparc/libunpack.so + ./jre/lib/sparc/libverify.so +@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" + ./jre/lib/sparcv9/libsplashscreen.so + ./jre/lib/sparcv9/libsunec.so + ./jre/lib/sparcv9/libsunwjdga.so ++./jre/lib/sparcv9/libsystemconf.so + ./jre/lib/sparcv9/libt2k.so + ./jre/lib/sparcv9/libunpack.so + ./jre/lib/sparcv9/libverify.so +diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml +index d2beed0b93a..3b6aef98d9a 100644 +--- a/common/nb_native/nbproject/configurations.xml ++++ b/common/nb_native/nbproject/configurations.xml +@@ -53,6 +53,9 @@ + jvmtiEnterTrace.cpp + + ++ ++ systemconf.c ++ + + + +@@ -12772,6 +12775,11 @@ + tool="0" + flavor2="0"> + ++ ++ + Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -62,6 +72,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -78,6 +101,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -93,6 +117,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -187,6 +212,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 00000000000..a24a0445db2 +--- /dev/null ++++ b/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,248 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ boolean systemSecPropsLoaded = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ systemSecPropsLoaded = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ return systemSecPropsLoaded; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws IOException { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 00000000000..5c30a8b29c7 +--- /dev/null ++++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java +index f065a2c685d..0dafe6f59cf 100644 +--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java ++++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java +@@ -31,6 +31,7 @@ import java.io.Console; + import java.io.FileDescriptor; + import java.io.ObjectInputStream; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + import java.security.AccessController; +@@ -63,6 +64,7 @@ public class SharedSecrets { + private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; + private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -248,4 +250,15 @@ public class SharedSecrets { + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 00000000000..14d19450390 +--- /dev/null ++++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = P11ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +index fedcd7743ef..f9d70863bd1 100644 +--- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback; + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import sun.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + +@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 2e42d1d9fb0..1b7eed1c656 100644 +--- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -145,18 +146,41 @@ public class PKCS11 { + this.pkcs11ModulePath = pkcs11ModulePath; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } +diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603b..98119479823 100644 +--- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import sun.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +index 820e10164fc..6fe2c29389f 100644 +--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import sun.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +index 2845dc37938..52337a7b6cf 100644 +--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java ++++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java +@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER; + + import java.security.*; + ++import sun.misc.SharedSecrets; ++ + /** + * The JSSE provider. + * +@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context"); + put("SSLContext.TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context"); +- put("SSLContext.TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ put("SSLContext.TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context"); ++ } + put("SSLContext.TLS", + "sun.security.ssl.SSLContextImpl$TLSContext"); + if (isfips == false) { +diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix +index 7a93d4e6b59..681a24b905d 100644 +--- a/jdk/src/share/lib/security/java.security-aix ++++ b/jdk/src/share/lib/security/java.security-aix +@@ -287,6 +287,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux +index 145a84f94cf..789c19a8cba 100644 +--- a/jdk/src/share/lib/security/java.security-linux ++++ b/jdk/src/share/lib/security/java.security-linux +@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider + security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.9=sun.security.smartcardio.SunPCSC + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg ++fips.provider.2=sun.security.provider.Sun ++fips.provider.3=sun.security.ec.SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ + # + # Sun Provider SecureRandom seed source. + # +@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false + # + keystore.type=jks + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ + # + # Controls compatibility mode for the JKS keystore type. + # +@@ -287,6 +300,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx +index 35fa140d7a5..d4da666af3b 100644 +--- a/jdk/src/share/lib/security/java.security-macosx ++++ b/jdk/src/share/lib/security/java.security-macosx +@@ -290,6 +290,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris +index f79ba37ddb9..300132384a1 100644 +--- a/jdk/src/share/lib/security/java.security-solaris ++++ b/jdk/src/share/lib/security/java.security-solaris +@@ -288,6 +288,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows +index d70503ce95f..64db5a5cd1e 100644 +--- a/jdk/src/share/lib/security/java.security-windows ++++ b/jdk/src/share/lib/security/java.security-windows +@@ -290,6 +290,13 @@ package.definition=sun.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c +new file mode 100644 +index 00000000000..8dcb7d9073f +--- /dev/null ++++ b/jdk/src/solaris/native/java/security/systemconf.c +@@ -0,0 +1,224 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#include ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} diff --git a/SOURCES/fips-8u-8e8bbf0ff74.patch b/SOURCES/fips-8u-8e8bbf0ff74.patch deleted file mode 100644 index 2379d45..0000000 --- a/SOURCES/fips-8u-8e8bbf0ff74.patch +++ /dev/null @@ -1,2007 +0,0 @@ -diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac -index 151e5a109f8..a8761b500e0 100644 ---- a/common/autoconf/configure.ac -+++ b/common/autoconf/configure.ac -@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE - LIB_SETUP_ALSA - LIB_SETUP_FONTCONFIG - LIB_SETUP_MISC_LIBS -+LIB_SETUP_SYSCONF_LIBS - LIB_SETUP_STATIC_LINK_LIBSTDCPP - LIB_SETUP_ON_WINDOWS - -diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh -index e77ce854dc5..ec6e9b27ca5 100644 ---- a/common/autoconf/generated-configure.sh -+++ b/common/autoconf/generated-configure.sh -@@ -651,6 +651,9 @@ LLVM_CONFIG - LIBFFI_LIBS - LIBFFI_CFLAGS - STATIC_CXX_SETTING -+USE_SYSCONF_NSS -+NSS_LIBS -+NSS_CFLAGS - LIBDL - LIBM - LIBZIP_CAN_USE_MMAP -@@ -1111,6 +1114,7 @@ with_fontconfig - with_fontconfig_include - with_giflib - with_zlib -+enable_sysconf_nss - with_stdc__lib - with_msvcr_dll - with_msvcp_dll -@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS - FREETYPE_LIBS - ALSA_CFLAGS - ALSA_LIBS -+NSS_CFLAGS -+NSS_LIBS - LIBFFI_CFLAGS - LIBFFI_LIBS - CCACHE' -@@ -1871,6 +1877,8 @@ Optional Features: - disable bundling of the freetype library with the - build result [enabled on Windows or when using - --with-freetype, disabled otherwise] -+ --enable-sysconf-nss build the System Configurator (libsysconf) using the -+ system NSS library if available [disabled] - --enable-sjavac use sjavac to do fast incremental compiles - [disabled] - --disable-precompiled-headers -@@ -2115,6 +2123,8 @@ Some influential environment variables: - linker flags for FREETYPE, overriding pkg-config - ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config - ALSA_LIBS linker flags for ALSA, overriding pkg-config -+ NSS_CFLAGS C compiler flags for NSS, overriding pkg-config -+ NSS_LIBS linker flags for NSS, overriding pkg-config - LIBFFI_CFLAGS - C compiler flags for LIBFFI, overriding pkg-config - LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config -@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - - } # ac_fn_c_check_header_compile -+ -+# ac_fn_c_try_link LINENO -+# ----------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. -+ac_fn_c_try_link () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext conftest$ac_exeext -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest$ac_exeext && { -+ test "$cross_compiling" = yes || -+ test -x conftest$ac_exeext -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information -+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would -+ # interfere with the next link command; also delete a directory that is -+ # left behind by Apple's compiler. We do this before executing the actions. -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_link - cat >config.log <<_ACEOF - This file contains any messages produced by compilers while - running configure, to aid debugging if configure makes a mistake. -@@ -4049,6 +4105,11 @@ fi - - - -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+ -+ - # - # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -@@ -49290,6 +49351,157 @@ fi - LIBS="$save_LIBS" - - -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use the system NSS library with the System Configurator (libsysconf)" >&5 -+$as_echo_n "checking whether to use the system NSS library with the System Configurator (libsysconf)... " >&6; } -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ # Check whether --enable-sysconf-nss was given. -+if test "${enable_sysconf_nss+set}" = set; then : -+ enableval=$enable_sysconf_nss; -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ -+else -+ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ -+fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysconf_nss" >&5 -+$as_echo "$sysconf_nss" >&6; } -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ -+pkg_failed=no -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 -+$as_echo_n "checking for NSS... " >&6; } -+ -+if test -n "$NSS_CFLAGS"; then -+ pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+if test -n "$NSS_LIBS"; then -+ pkg_cv_NSS_LIBS="$NSS_LIBS" -+ elif test -n "$PKG_CONFIG"; then -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss >= 3.53\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors "nss >= 3.53") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; then -+ pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss >= 3.53" 2>/dev/null` -+else -+ pkg_failed=yes -+fi -+ else -+ pkg_failed=untried -+fi -+ -+ -+ -+if test $pkg_failed = yes; then -+ -+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then -+ _pkg_short_errors_supported=yes -+else -+ _pkg_short_errors_supported=no -+fi -+ if test $_pkg_short_errors_supported = yes; then -+ NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "nss >= 3.53" 2>&1` -+ else -+ NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors "nss >= 3.53" 2>&1` -+ fi -+ # Put the nasty error message in config.log where it belongs -+ echo "$NSS_PKG_ERRORS" >&5 -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ NSS_FOUND=no -+elif test $pkg_failed = untried; then -+ NSS_FOUND=no -+else -+ NSS_CFLAGS=$pkg_cv_NSS_CFLAGS -+ NSS_LIBS=$pkg_cv_NSS_LIBS -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+ NSS_FOUND=yes -+fi -+ if test "x${NSS_FOUND}" = "xyes"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system FIPS support in NSS" >&5 -+$as_echo_n "checking for system FIPS support in NSS... " >&6; } -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ ac_ext=c -+ac_cpp='$CPP $CPPFLAGS' -+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_c_compiler_gnu -+ -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+#include -+int -+main () -+{ -+SECMOD_GetSystemFIPSEnabled() -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ as_fn_error $? "System NSS FIPS detection unavailable" "$LINENO" 5 -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+ ac_ext=cpp -+ac_cpp='$CXXCPP $CPPFLAGS' -+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -+ -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ as_fn_error $? "--enable-sysconf-nss specified, but NSS 3.53 or above not found." "$LINENO" 5 -+ fi -+ fi -+ -+ -+ - ############################################################################### - # - # statically link libstdc++ before C++ ABI is stablized on Linux unless -diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4 -index 6efae578ea9..0080846255b 100644 ---- a/common/autoconf/libraries.m4 -+++ b/common/autoconf/libraries.m4 -@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS], - BASIC_DEPRECATED_ARG_WITH([dxsdk-include]) - fi - ]) -+ -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+]) -diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in -index 506cf617087..7241593b1a4 100644 ---- a/common/autoconf/spec.gmk.in -+++ b/common/autoconf/spec.gmk.in -@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@ - ALSA_LIBS:=@ALSA_LIBS@ - ALSA_CFLAGS:=@ALSA_CFLAGS@ - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - PACKAGE_PATH=@PACKAGE_PATH@ - - # Source file for cacerts -diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl -index 3b79a526f56..d2a0e39b206 100644 ---- a/common/bin/compare_exceptions.sh.incl -+++ b/common/bin/compare_exceptions.sh.incl -@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/i386/libsplashscreen.so - ./jre/lib/i386/libsunec.so - ./jre/lib/i386/libsunwjdga.so -+./jre/lib/i386/libsystemconf.so - ./jre/lib/i386/libt2k.so - ./jre/lib/i386/libunpack.so - ./jre/lib/i386/libverify.so -@@ -433,6 +434,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/amd64/libsplashscreen.so - ./jre/lib/amd64/libsunec.so - ./jre/lib/amd64/libsunwjdga.so -+//jre/lib/amd64/libsystemconf.so - ./jre/lib/amd64/libt2k.so - ./jre/lib/amd64/libunpack.so - ./jre/lib/amd64/libverify.so -@@ -587,6 +589,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/sparc/libsplashscreen.so - ./jre/lib/sparc/libsunec.so - ./jre/lib/sparc/libsunwjdga.so -+./jre/lib/sparc/libsystemconf.so - ./jre/lib/sparc/libt2k.so - ./jre/lib/sparc/libunpack.so - ./jre/lib/sparc/libverify.so -@@ -741,6 +744,7 @@ ACCEPTED_SMALL_SIZE_DIFF=" - ./jre/lib/sparcv9/libsplashscreen.so - ./jre/lib/sparcv9/libsunec.so - ./jre/lib/sparcv9/libsunwjdga.so -+./jre/lib/sparcv9/libsystemconf.so - ./jre/lib/sparcv9/libt2k.so - ./jre/lib/sparcv9/libunpack.so - ./jre/lib/sparcv9/libverify.so -diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml -index d2beed0b93a..3b6aef98d9a 100644 ---- a/common/nb_native/nbproject/configurations.xml -+++ b/common/nb_native/nbproject/configurations.xml -@@ -53,6 +53,9 @@ - jvmtiEnterTrace.cpp -
- -+ -+ systemconf.c -+ - - - -@@ -12772,6 +12775,11 @@ - tool="0" - flavor2="0"> - -+ -+ - Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - */ - - public final class Security { - -+ private static final String SYS_PROP_SWITCH = -+ "java.security.disableSystemPropertiesFile"; -+ private static final String SEC_PROP_SWITCH = -+ "security.useSystemPropertiesFile"; -+ - /* Are we debugging? -- for developers */ - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -62,6 +72,19 @@ public final class Security { - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -78,6 +101,7 @@ public final class Security { - props = new Properties(); - boolean loadedProps = false; - boolean overrideAll = false; -+ boolean systemSecPropsEnabled = false; - - // first load the system properties file - // to determine the value of security.overridePropertiesFile -@@ -93,6 +117,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -187,6 +212,61 @@ public final class Security { - } - } - -+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); -+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); -+ if (sdebug != null) { -+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); -+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); -+ } -+ if (!sysUseProps && secUseProps) { -+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); -+ if (!systemSecPropsEnabled) { -+ if (sdebug != null) { -+ sdebug.println("WARNING: System security properties could not be loaded."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("System security property support disabled by user."); -+ } -+ } -+ -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { -+ boolean shouldEnable; -+ String sysProp = System.getProperty("com.redhat.fips"); -+ if (sysProp == null) { -+ shouldEnable = true; -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips unset, using default value of true"); -+ } -+ } else { -+ shouldEnable = Boolean.valueOf(sysProp); -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); -+ } -+ } -+ if (shouldEnable) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS mode support configured and enabled."); -+ } else { -+ sdebug.println("FIPS mode support disabled."); -+ } -+ } -+ } else { -+ if (sdebug != null ) { -+ sdebug.println("FIPS mode support disabled by user."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("WARNING: FIPS mode support can not be enabled without " + -+ "system security properties being enabled."); -+ } -+ } - } - - /* -diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java -new file mode 100644 -index 00000000000..a24a0445db2 ---- /dev/null -+++ b/jdk/src/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,248 @@ -+/* -+ * Copyright (c) 2019, 2021, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+final class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; -+ -+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; -+ -+ private static native boolean getSystemFIPSEnabled() -+ throws IOException; -+ -+ static { -+ AccessController.doPrivileged(new PrivilegedAction() { -+ public Void run() { -+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); -+ return null; -+ } -+ }); -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; -+ } -+ -+ /* -+ * Invoked at the end of java.security.Security initialisation -+ * if java.security properties have been loaded -+ */ -+ static boolean configureFIPS(Properties props) { -+ boolean loadedProps = false; -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } -+ loadedProps = true; -+ systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } -+ } else { -+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ -+ /** -+ * Determines whether FIPS mode should be enabled. -+ * -+ * OpenJDK FIPS mode will be enabled only if the system is in -+ * FIPS mode. -+ * -+ * Calls to this method only occur if the system property -+ * com.redhat.fips is not set to false. -+ * -+ * There are 2 possible ways in which OpenJDK detects that the system -+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is -+ * available at OpenJDK's built-time, it is called; 2) otherwise, the -+ * /proc/sys/crypto/fips_enabled file is read. -+ * -+ * @return true if the system is in FIPS mode -+ */ -+ private static boolean enableFips() throws IOException { -+ if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); -+ } -+ try { -+ boolean fipsEnabled = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + fipsEnabled); -+ } -+ return fipsEnabled; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; -+ } -+ } -+} -diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -new file mode 100644 -index 00000000000..5c30a8b29c7 ---- /dev/null -+++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java -@@ -0,0 +1,31 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.misc; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java -index f065a2c685d..0dafe6f59cf 100644 ---- a/jdk/src/share/classes/sun/misc/SharedSecrets.java -+++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java -@@ -31,6 +31,7 @@ import java.io.Console; - import java.io.FileDescriptor; - import java.io.ObjectInputStream; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - import java.security.AccessController; -@@ -63,6 +64,7 @@ public class SharedSecrets { - private static JavaObjectInputStreamReadString javaObjectInputStreamReadString; - private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; - private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static JavaUtilJarAccess javaUtilJarAccess() { - if (javaUtilJarAccess == null) { -@@ -248,4 +250,15 @@ public class SharedSecrets { - } - return javaxCryptoSealedObjectAccess; - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ unsafe.ensureClassInitialized(Security.class); -+ } -+ return javaSecuritySystemConfiguratorAccess; -+ } - } -diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 00000000000..14d19450390 ---- /dev/null -+++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,290 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.spec.DHPrivateKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static P11Key importerKey = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ private static CK_MECHANISM importerKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ -+ private static Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ private static KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = P11ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ } -+ } -+} -diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -index fedcd7743ef..f9d70863bd1 100644 ---- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -42,6 +45,8 @@ import javax.security.auth.callback.ConfirmationCallback; - import javax.security.auth.callback.PasswordCallback; - import javax.security.auth.callback.TextOutputCallback; - -+import sun.misc.SharedSecrets; -+ - import sun.security.util.Debug; - import sun.security.util.ResourcesMgr; - -@@ -58,6 +63,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - */ - public final class SunPKCS11 extends AuthProvider { - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -309,10 +337,15 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ } - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, -- config.getOmitInitialize()); -+ config.getOmitInitialize(), fipsKeyImporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -328,7 +361,7 @@ public final class SunPKCS11 extends AuthProvider { - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); - } - p11 = tmpPKCS11; - -@@ -368,6 +401,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); - } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; -+ try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); -+ } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); -+ } -+ } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException -diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 2e42d1d9fb0..1b7eed1c656 100644 ---- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; - import java.util.*; - - import java.security.AccessController; -@@ -145,18 +146,41 @@ public class PKCS11 { - this.pkcs11ModulePath = pkcs11ModulePath; - } - -+ /* -+ * Compatibility wrapper to allow this method to work as before -+ * when FIPS mode support is not active. -+ */ -+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, -+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -+ boolean omitInitialize) throws IOException, PKCS11Exception { -+ return getInstance(pkcs11ModulePath, functionList, -+ pInitArgs, omitInitialize, null); -+ } -+ - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1905,4 +1929,69 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. -+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+} - } -diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -index ffee2c1603b..98119479823 100644 ---- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -+++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -@@ -33,8 +33,13 @@ import java.security.KeyStore.*; - - import javax.net.ssl.*; - -+import sun.misc.SharedSecrets; -+ - abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - X509ExtendedKeyManager keyManager; - boolean isInitialized; - -@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - KeyStoreException, NoSuchAlgorithmException, - UnrecoverableKeyException { - if ((ks != null) && SunJSSE.isFIPS()) { -- if (ks.getProvider() != SunJSSE.cryptoProvider) { -+ if (ks.getProvider() != SunJSSE.cryptoProvider && -+ !plainKeySupportEnabled) { - throw new KeyStoreException("FIPS mode: KeyStore must be " - + "from provider " + SunJSSE.cryptoProvider.getName()); - } -@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - keyManager = new X509KeyManagerImpl( - Collections.emptyList()); - } else { -- if (SunJSSE.isFIPS() && -- (ks.getProvider() != SunJSSE.cryptoProvider)) { -+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) -+ && !plainKeySupportEnabled) { - throw new KeyStoreException( - "FIPS mode: KeyStore must be " + - "from provider " + SunJSSE.cryptoProvider.getName()); -diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -index cd0e9e98df9..fba760187c0 100644 ---- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java -@@ -31,6 +31,7 @@ import java.security.*; - import java.security.cert.*; - import java.util.*; - import javax.net.ssl.*; -+import sun.misc.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -539,20 +540,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static { - if (SunJSSE.isFIPS()) { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- ); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); - -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, -@@ -612,6 +631,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getSupportedProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -@@ -939,6 +968,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[]{ - ProtocolVersion.TLS12, - ProtocolVersion.TLS11, -diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -index 2845dc37938..52337a7b6cf 100644 ---- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -+++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java -@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER; - - import java.security.*; - -+import sun.misc.SharedSecrets; -+ - /** - * The JSSE provider. - * -@@ -215,8 +217,13 @@ public abstract class SunJSSE extends java.security.Provider { - "sun.security.ssl.SSLContextImpl$TLS11Context"); - put("SSLContext.TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context"); -- put("SSLContext.TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context"); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ put("SSLContext.TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context"); -+ } - put("SSLContext.TLS", - "sun.security.ssl.SSLContextImpl$TLSContext"); - if (isfips == false) { -diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix -index d3d64b3facd..bfe0c593adb 100644 ---- a/jdk/src/share/lib/security/java.security-aix -+++ b/jdk/src/share/lib/security/java.security-aix -@@ -287,6 +287,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux -index db610d4bfbb..9d1c8fe8a8e 100644 ---- a/jdk/src/share/lib/security/java.security-linux -+++ b/jdk/src/share/lib/security/java.security-linux -@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider - security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI - security.provider.9=sun.security.smartcardio.SunPCSC - -+# -+# Security providers used when FIPS mode support is active -+# -+fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg -+fips.provider.2=sun.security.provider.Sun -+fips.provider.3=sun.security.ec.SunEC -+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS -+ - # - # Sun Provider SecureRandom seed source. - # -@@ -170,6 +178,11 @@ policy.ignoreIdentityScope=false - # - keystore.type=jks - -+# -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ - # - # Controls compatibility mode for the JKS keystore type. - # -@@ -287,6 +300,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx -index a919ba3d5cd..19047c61097 100644 ---- a/jdk/src/share/lib/security/java.security-macosx -+++ b/jdk/src/share/lib/security/java.security-macosx -@@ -290,6 +290,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris -index 86265ba5fb6..7eda556ae13 100644 ---- a/jdk/src/share/lib/security/java.security-solaris -+++ b/jdk/src/share/lib/security/java.security-solaris -@@ -288,6 +288,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows -index 9b4bda23cbe..dfa1a669aa9 100644 ---- a/jdk/src/share/lib/security/java.security-windows -+++ b/jdk/src/share/lib/security/java.security-windows -@@ -290,6 +290,13 @@ package.definition=sun.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c -new file mode 100644 -index 00000000000..8dcb7d9073f ---- /dev/null -+++ b/jdk/src/solaris/native/java/security/systemconf.c -@@ -0,0 +1,224 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#include -+#include -+#include "jvm_md.h" -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#else -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); -+ -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} -+ -+// Only used when NSS is not linked at build time -+#ifndef SYSCONF_NSS -+ -+static void *nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if (debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ } -+} diff --git a/SOURCES/jdk8294357-tzdata2022d.patch b/SOURCES/jdk8294357-tzdata2022d.patch new file mode 100644 index 0000000..7356928 --- /dev/null +++ b/SOURCES/jdk8294357-tzdata2022d.patch @@ -0,0 +1,506 @@ +commit 8589b1229cffb9a0ab00baf62ce2d4376d31b055 +Author: Andrew John Hughes +Date: Fri Oct 14 22:55:39 2022 +0100 + + Backport f67b4de8a07b8158be1dfb5b09cdb4cc5b7ac93b + +diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION +index decb8716b22..889d0e6dad7 100644 +--- a/jdk/make/data/tzdata/VERSION ++++ b/jdk/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022c ++tzdata2022d +diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia +index 6cb6d2c57cf..1dc7d34f88e 100644 +--- a/jdk/make/data/tzdata/asia ++++ b/jdk/make/data/tzdata/asia +@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # The winter time in 2015 started on October 23 at 01:00. + # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY + # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 +-# +-# From Paul Eggert (2019-04-10): +-# For now, guess spring-ahead transitions are at 00:00 on the Saturday +-# preceding March's last Sunday (i.e., Sat>=24). + + # From P Chan (2021-10-18): + # http://wafa.ps/Pages/Details/34701 +@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # From Heba Hamad (2022-03-10): + # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. + ++# From Heba Hamad (2022-08-30): ++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by ++# 60 minutes backwards. Also the state of Palestine adopted the summer ++# and winter time for the years: 2023,2024,2025,2026 ... ++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf ++# (2022-08-31): ... the Saturday before the last Sunday in March and October ++# at 2:00 AM ,for the years from 2023 to 2026. ++# (2022-09-05): https://mtit.pna.ps/Site/New/1453 ++# ++# From Paul Eggert (2022-08-31): ++# For now, assume that this rule will also be used after 2026. ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S + Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - +@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - + Rule Palestine 2014 only - Oct 24 0:00 0 - + Rule Palestine 2015 only - Mar 28 0:00 1:00 S + Rule Palestine 2015 only - Oct 23 1:00 0 - +-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S +-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - ++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S ++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - + Rule Palestine 2019 only - Mar 29 0:00 1:00 S +-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - +-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S ++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - ++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S + Rule Palestine 2020 only - Oct 24 1:00 0 - +-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - +-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S ++Rule Palestine 2021 only - Oct 29 1:00 0 - ++Rule Palestine 2022 only - Mar 27 0:00 1:00 S ++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +diff --git a/jdk/make/data/tzdata/backward b/jdk/make/data/tzdata/backward +index d4a29e8cf29..7765d99aedf 100644 +--- a/jdk/make/data/tzdata/backward ++++ b/jdk/make/data/tzdata/backward +@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT + Link Europe/London Europe/Belfast + Link Europe/Kyiv Europe/Kiev + Link Europe/Chisinau Europe/Tiraspol ++Link Europe/Kyiv Europe/Uzhgorod ++Link Europe/Kyiv Europe/Zaporozhye + Link Europe/London GB + Link Europe/London GB-Eire + Link Etc/GMT GMT+0 +diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe +index f7eb7a387aa..9e0a538f86d 100644 +--- a/jdk/make/data/tzdata/europe ++++ b/jdk/make/data/tzdata/europe +@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 + # From Alexander Krivenyshev (2014-03-17): + # time change at 2:00 (2am) on March 30, 2014 + # https://vz.ru/news/2014/3/17/677464.html +-# From Paul Eggert (2014-03-30): +-# Simferopol and Sevastopol reportedly changed their central town clocks +-# late the previous day, but this appears to have been ceremonial +-# and the discrepancies are small enough to not worry about. ++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): ++# The clocks at the railway station in Simferopol were put forward from 22:00 ++# to 24:00 the previous day in a "symbolic ceremony"; however, per ++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings ++# time switch at 2am" on Sunday. ++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html ++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 ++# https://www.bbc.com/news/av/world-europe-26806583 + 2:00 EU EE%sT 2014 Mar 30 2:00 + 4:00 - MSK 2014 Oct 26 2:00s + 3:00 - MSK +@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # US colleague David Cochrane) are still trying to get more + # information upon these local deviations from Kiev rules. + # +-# From Paul Eggert (2022-02-08): +-# For now, assume that Ukraine's other three zones followed the same rules, ++# From Paul Eggert (2022-08-27): ++# For now, assume that Ukraine's zones all followed the same rules, + # except that Crimea switched to Moscow time in 1994 as described elsewhere. + + # From Igor Karpov, who works for the Ukrainian Ministry of Justice, +@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # * Ukrainian Government's Resolution of 20.03.1992, No. 139. + # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm + +-# From Paul Eggert (2022-04-12): +-# As is usual in tzdb, Ukrainian zones use the most common English spellings. +-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in +-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, +-# "Kyiv" is now more common due to widespread reporting of the current conflict. +-# Conversely, tzdb continues to use the names Europe/Uzhgorod and +-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is +-# certainly wrong as a transliteration of the Czech "Praha". +-# English-language spelling of Ukrainian names is in flux, and +-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more +-# common in English; in the meantime, do not change these +-# English spellings as that means less disruption for our users. +- + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-# This represents most of Ukraine. See above for the spelling of "Kyiv". + Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time + 2:00 - EET 1930 Jun 21 +@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:00 1:00 EEST 1991 Sep 29 3:00 + 2:00 C-Eur EE%sT 1996 May 13 + 2:00 EU EE%sT +-# Transcarpathia used CET 1990/1991. +-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but +-# "Uzhgorod" is more common in English. +-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct +- 1:00 - CET 1940 +- 1:00 C-Eur CE%sT 1944 Oct +- 1:00 1:00 CEST 1944 Oct 26 +- 1:00 - CET 1945 Jun 29 +- 3:00 Russia MSK/MSD 1990 +- 3:00 - MSK 1990 Jul 1 2:00 +- 1:00 - CET 1991 Mar 31 3:00 +- 2:00 - EET 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT +-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. +-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but +-# "Zaporozh'ye" is more common in English. Use the common English +-# spelling, except omit the apostrophe as it is not allowed in +-# portable Posix file names. +-Zone Europe/Zaporozhye 2:20:40 - LMT 1880 +- 2:20 - +0220 1924 May 2 +- 2:00 - EET 1930 Jun 21 +- 3:00 - MSK 1941 Aug 25 +- 1:00 C-Eur CE%sT 1943 Oct 25 +- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 +- 2:00 E-Eur EE%sT 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT + + # Vatican City + # See Europe/Rome. +diff --git a/jdk/make/data/tzdata/southamerica b/jdk/make/data/tzdata/southamerica +index 13ec081c7e0..3c0e0e2061c 100644 +--- a/jdk/make/data/tzdata/southamerica ++++ b/jdk/make/data/tzdata/southamerica +@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 + # for America/Santiago will start on midnight of September 11th; + # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) + # will keep UTC -3 "indefinitely"... This is because on September 4th +-# we will have a voting whether to approve a new Constitution.... +-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ ++# we will have a voting whether to approve a new Constitution. ++# ++# From Eduardo Romero Urra (2022-08-17): ++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf ++# ++# From Paul Eggert (2022-08-17): ++# Although the presidential decree stops at fall 2026, assume that ++# similar DST rules will continue thereafter. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Chile 1927 1931 - Sep 1 0:00 1:00 - +diff --git a/jdk/make/data/tzdata/zone.tab b/jdk/make/data/tzdata/zone.tab +index 51b65fa273c..ee025196e50 100644 +--- a/jdk/make/data/tzdata/zone.tab ++++ b/jdk/make/data/tzdata/zone.tab +@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam + UA +5026+03031 Europe/Kyiv Ukraine (most areas) +-UA +4837+02218 Europe/Uzhgorod Transcarpathia +-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island +diff --git a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java +index 43bddd5859a..4b84cda3067 100644 +--- a/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/jdk/src/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -573,12 +573,8 @@ public final class ZoneInfoFile { + // we can then pass in the dom = -1, dow > 0 into ZoneInfo + // + // hacking, assume the >=24 is the result of ZRB optimization for +- // "last", it works for now. From tzdata2020d this hacking +- // will not work for Asia/Gaza and Asia/Hebron which follow +- // Palestine DST rules. +- if (dom < 0 || dom >= 24 && +- !(zoneId.equals("Asia/Gaza") || +- zoneId.equals("Asia/Hebron"))) { ++ // "last", it works for now. ++ if (dom < 0 || dom >= 24) { + params[1] = -1; + params[2] = toCalendarDOW[dow]; + } else { +@@ -600,7 +596,6 @@ public final class ZoneInfoFile { + params[7] = 0; + } else { + // hacking: see comment above +- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e + if (dom < 0 || dom >= 24) { + params[6] = -1; + params[7] = toCalendarDOW[dow]; +diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION +index c32bee39fba..71470168456 100644 +--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION ++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022c ++tzdata2022d +diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt +index a5e6428a3f5..e3ce742f887 100644 +--- a/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt ++++ b/jdk/test/java/util/TimeZone/TimeZoneData/aliases.txt +@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT + Link Europe/London Europe/Belfast + Link Europe/Kyiv Europe/Kiev + Link Europe/Chisinau Europe/Tiraspol ++Link Europe/Kyiv Europe/Uzhgorod ++Link Europe/Kyiv Europe/Zaporozhye + Link Europe/London GB + Link Europe/London GB-Eire + Link Etc/GMT GMT+0 +diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt +index fc148537f1f..b3823958ae4 100644 +--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -163,11 +163,9 @@ Europe/Simferopol MSK + Europe/Sofia EET EEST + Europe/Tallinn EET EEST + Europe/Tirane CET CEST +-Europe/Uzhgorod EET EEST + Europe/Vienna CET CEST + Europe/Vilnius EET EEST + Europe/Warsaw CET CEST +-Europe/Zaporozhye EET EEST + Europe/Zurich CET CEST + HST HST + MET MET MEST +diff --git a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java +index 3aad69f8118..c682531d4bd 100644 +--- a/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java ++++ b/jdk/test/sun/util/calendar/zi/TestZoneInfo310.java +@@ -173,10 +173,19 @@ public class TestZoneInfo310 { + * Temporary ignoring the failing TimeZones which are having zone + * rules defined till year 2037 and/or above and have negative DST + * save time in IANA tzdata. This bug is tracked via JDK-8223388. ++ * ++ * Tehran/Iran rule has rules beyond 2037, in which javazic assumes ++ * to be the last year. Thus javazic's rule is based on year 2037 ++ * (Mar 20th/Sep 20th are the cutover dates), while the real rule ++ * has year 2087 where Mar 21st/Sep 21st are the cutover dates. + */ +- if (zid.equals("Africa/Casablanca") || zid.equals("Africa/El_Aaiun") +- || zid.equals("Asia/Tehran") || zid.equals("Iran")) { +- continue; ++ if (zid.equals("Africa/Casablanca") || // uses "Morocco" rule ++ zid.equals("Africa/El_Aaiun") || // uses "Morocco" rule ++ zid.equals("Asia/Tehran") || // last rule mismatch ++ zid.equals("Asia/Gaza") || // uses "Palestine" rule ++ zid.equals("Asia/Hebron") || // uses "Palestine" rule ++ zid.equals("Iran")) { // last rule mismatch ++ continue; + } + if (! zi.equalsTo(ziOLD)) { + System.out.println(zi.diffsTo(ziOLD)); +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION +index decb8716b22..889d0e6dad7 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION ++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022c ++tzdata2022d +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia +index 6cb6d2c57cf..1dc7d34f88e 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/asia ++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia +@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # The winter time in 2015 started on October 23 at 01:00. + # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY + # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583 +-# +-# From Paul Eggert (2019-04-10): +-# For now, guess spring-ahead transitions are at 00:00 on the Saturday +-# preceding March's last Sunday (i.e., Sat>=24). + + # From P Chan (2021-10-18): + # http://wafa.ps/Pages/Details/34701 +@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # From Heba Hamad (2022-03-10): + # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM. + ++# From Heba Hamad (2022-08-30): ++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by ++# 60 minutes backwards. Also the state of Palestine adopted the summer ++# and winter time for the years: 2023,2024,2025,2026 ... ++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.pdf ++# (2022-08-31): ... the Saturday before the last Sunday in March and October ++# at 2:00 AM ,for the years from 2023 to 2026. ++# (2022-09-05): https://mtit.pna.ps/Site/New/1453 ++# ++# From Paul Eggert (2022-08-31): ++# For now, assume that this rule will also be used after 2026. ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S + Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - +@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 - + Rule Palestine 2014 only - Oct 24 0:00 0 - + Rule Palestine 2015 only - Mar 28 0:00 1:00 S + Rule Palestine 2015 only - Oct 23 1:00 0 - +-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S +-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 - ++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S ++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 - + Rule Palestine 2019 only - Mar 29 0:00 1:00 S +-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 - +-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S ++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 - ++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S + Rule Palestine 2020 only - Oct 24 1:00 0 - +-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 - +-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S ++Rule Palestine 2021 only - Oct 29 1:00 0 - ++Rule Palestine 2022 only - Mar 27 0:00 1:00 S ++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/backward b/jdk/test/sun/util/calendar/zi/tzdata/backward +index d4a29e8cf29..7765d99aedf 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/backward ++++ b/jdk/test/sun/util/calendar/zi/tzdata/backward +@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT + Link Europe/London Europe/Belfast + Link Europe/Kyiv Europe/Kiev + Link Europe/Chisinau Europe/Tiraspol ++Link Europe/Kyiv Europe/Uzhgorod ++Link Europe/Kyiv Europe/Zaporozhye + Link Europe/London GB + Link Europe/London GB-Eire + Link Etc/GMT GMT+0 +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe +index f7eb7a387aa..9e0a538f86d 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/europe ++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe +@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880 + # From Alexander Krivenyshev (2014-03-17): + # time change at 2:00 (2am) on March 30, 2014 + # https://vz.ru/news/2014/3/17/677464.html +-# From Paul Eggert (2014-03-30): +-# Simferopol and Sevastopol reportedly changed their central town clocks +-# late the previous day, but this appears to have been ceremonial +-# and the discrepancies are small enough to not worry about. ++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30): ++# The clocks at the railway station in Simferopol were put forward from 22:00 ++# to 24:00 the previous day in a "symbolic ceremony"; however, per ++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings ++# time switch at 2am" on Sunday. ++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-to-russia-time-114033000014_1.html ++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switches-to-moscow-time-amid-incorporation-frenzy-idUKBREA2S0LT20140329 ++# https://www.bbc.com/news/av/world-europe-26806583 + 2:00 EU EE%sT 2014 Mar 30 2:00 + 4:00 - MSK 2014 Oct 26 2:00s + 3:00 - MSK +@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # US colleague David Cochrane) are still trying to get more + # information upon these local deviations from Kiev rules. + # +-# From Paul Eggert (2022-02-08): +-# For now, assume that Ukraine's other three zones followed the same rules, ++# From Paul Eggert (2022-08-27): ++# For now, assume that Ukraine's zones all followed the same rules, + # except that Crimea switched to Moscow time in 1994 as described elsewhere. + + # From Igor Karpov, who works for the Ukrainian Ministry of Justice, +@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. + # * Ukrainian Government's Resolution of 20.03.1992, No. 139. + # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm + +-# From Paul Eggert (2022-04-12): +-# As is usual in tzdb, Ukrainian zones use the most common English spellings. +-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in +-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev, +-# "Kyiv" is now more common due to widespread reporting of the current conflict. +-# Conversely, tzdb continues to use the names Europe/Uzhgorod and +-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is +-# certainly wrong as a transliteration of the Czech "Praha". +-# English-language spelling of Ukrainian names is in flux, and +-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more +-# common in English; in the meantime, do not change these +-# English spellings as that means less disruption for our users. +- + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-# This represents most of Ukraine. See above for the spelling of "Kyiv". + Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time + 2:00 - EET 1930 Jun 21 +@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880 + 2:00 1:00 EEST 1991 Sep 29 3:00 + 2:00 C-Eur EE%sT 1996 May 13 + 2:00 EU EE%sT +-# Transcarpathia used CET 1990/1991. +-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but +-# "Uzhgorod" is more common in English. +-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct +- 1:00 - CET 1940 +- 1:00 C-Eur CE%sT 1944 Oct +- 1:00 1:00 CEST 1944 Oct 26 +- 1:00 - CET 1945 Jun 29 +- 3:00 Russia MSK/MSD 1990 +- 3:00 - MSK 1990 Jul 1 2:00 +- 1:00 - CET 1991 Mar 31 3:00 +- 2:00 - EET 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT +-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991. +-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but +-# "Zaporozh'ye" is more common in English. Use the common English +-# spelling, except omit the apostrophe as it is not allowed in +-# portable Posix file names. +-Zone Europe/Zaporozhye 2:20:40 - LMT 1880 +- 2:20 - +0220 1924 May 2 +- 2:00 - EET 1930 Jun 21 +- 3:00 - MSK 1941 Aug 25 +- 1:00 C-Eur CE%sT 1943 Oct 25 +- 3:00 Russia MSK/MSD 1991 Mar 31 2:00 +- 2:00 E-Eur EE%sT 1992 Mar 20 +- 2:00 C-Eur EE%sT 1996 May 13 +- 2:00 EU EE%sT + + # Vatican City + # See Europe/Rome. +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/southamerica b/jdk/test/sun/util/calendar/zi/tzdata/southamerica +index 13ec081c7e0..3c0e0e2061c 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/southamerica ++++ b/jdk/test/sun/util/calendar/zi/tzdata/southamerica +@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914 + # for America/Santiago will start on midnight of September 11th; + # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas) + # will keep UTC -3 "indefinitely"... This is because on September 4th +-# we will have a voting whether to approve a new Constitution.... +-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabado-10-de-septiembre-los-relojes-se-deben-adelantar-una-hora/ ++# we will have a voting whether to approve a new Constitution. ++# ++# From Eduardo Romero Urra (2022-08-17): ++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01/2172567.pdf ++# ++# From Paul Eggert (2022-08-17): ++# Although the presidential decree stops at fall 2026, assume that ++# similar DST rules will continue thereafter. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Chile 1927 1931 - Sep 1 0:00 1:00 - +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab +index 51b65fa273c..ee025196e50 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab ++++ b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab +@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam + UA +5026+03031 Europe/Kyiv Ukraine (most areas) +-UA +4837+02218 Europe/Uzhgorod Transcarpathia +-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island diff --git a/SOURCES/jdk8295173-tzdata2022e.patch b/SOURCES/jdk8295173-tzdata2022e.patch new file mode 100644 index 0000000..a7d23ef --- /dev/null +++ b/SOURCES/jdk8295173-tzdata2022e.patch @@ -0,0 +1,813 @@ +commit 44ea8322b2f62e3d8139a78923e3bf017e535989 +Author: Andrew John Hughes +Date: Sun Oct 16 03:02:37 2022 +0100 + + Backport 21407dec0156301871a83328615e4d975c4287c4 + +diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION +index 889d0e6dad7..b8cb36e69f4 100644 +--- a/jdk/make/data/tzdata/VERSION ++++ b/jdk/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022d ++tzdata2022e +diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia +index 1dc7d34f88e..f1771e42a71 100644 +--- a/jdk/make/data/tzdata/asia ++++ b/jdk/make/data/tzdata/asia +@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u + # From the Arabic version, it seems to say it would be at midnight + # (assume 24:00) on the last Thursday in February, starting from 2022. + ++# From Issam Al-Zuwairi (2022-10-05): ++# The Council of Ministers in Jordan decided Wednesday 5th October 2022, ++# that daylight saving time (DST) will be throughout the year.... ++# ++# From Brian Inglis (2022-10-06): ++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news ++# ++# From Paul Eggert (2022-10-05): ++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Jordan 1973 only - Jun 6 0:00 1:00 S + Rule Jordan 1973 1975 - Oct 1 0:00 0 - +@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - + Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - + Rule Jordan 2013 only - Dec 20 0:00 0 - + Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S +-Rule Jordan 2014 max - Oct lastFri 0:00s 0 - +-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S ++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - ++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Amman 2:23:44 - LMT 1931 +- 2:00 Jordan EE%sT ++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s ++ 3:00 - +03 + + + # Kazakhstan +@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - + # Our brief summary: + # https://www.timeanddate.com/news/time/syria-dst-2012.html + +-# From Arthur David Olson (2012-03-27): +-# Assume last Friday in March going forward XXX. ++# From Steffen Thorsen (2022-10-05): ++# Syria is adopting year-round DST, starting this autumn.... ++# From https://www.enabbaladi.net/archives/607812 ++# "This [the decision] came after the weekly government meeting today, ++# Tuesday 4 October ..." ++# ++# From Paul Eggert (2022-10-05): ++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. + + Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S + Rule Syria 2008 only - Nov 1 0:00 0 - + Rule Syria 2009 only - Mar lastFri 0:00 1:00 S + Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S +-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S +-Rule Syria 2009 max - Oct lastFri 0:00 0 - ++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S ++Rule Syria 2009 2022 - Oct lastFri 0:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq +- 2:00 Syria EE%sT ++ 2:00 Syria EE%sT 2022 Oct 28 0:00 ++ 3:00 - +03 + + # Tajikistan + # From Shanks & Pottenger. +diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe +index 9e0a538f86d..930cede4cf4 100644 +--- a/jdk/make/data/tzdata/europe ++++ b/jdk/make/data/tzdata/europe +@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u + 0:00 Spain WE%sT 1940 Mar 16 23:00 + 1:00 Spain CE%sT 1979 + 1:00 EU CE%sT +-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 ++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u + 0:00 - WET 1918 May 6 23:00 + 0:00 1:00 WEST 1918 Oct 7 23:00 + 0:00 - WET 1924 +diff --git a/jdk/make/data/tzdata/northamerica b/jdk/make/data/tzdata/northamerica +index 114cef14cce..ce4ee74582c 100644 +--- a/jdk/make/data/tzdata/northamerica ++++ b/jdk/make/data/tzdata/northamerica +@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D + Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S + Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 ++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Chicago C%sT 1936 Mar 1 2:00 + -5:00 - EST 1936 Nov 15 2:00 +@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 + -6:00 Chicago C%sT 1967 + -6:00 US C%sT + # Oliver County, ND switched from mountain to central time on 1992-10-25. +-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 ++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1992 Oct 25 2:00 + -6:00 US C%sT + # Morton County, ND, switched from mountain to central time on +@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 + # Jones, Mellette, and Todd Counties in South Dakota; + # but in practice these other counties were already observing central time. + # See . +-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 ++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2003 Oct 26 2:00 + -6:00 US C%sT + +@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 + # largest city in Mercer County). Google Maps places Beulah's city hall + # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". + +-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 ++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2010 Nov 7 2:00 + -6:00 US C%sT + +@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S + Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D + Rule Denver 1965 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 ++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1920 + -7:00 Denver M%sT 1942 + -7:00 US M%sT 1946 +@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D + Rule CA 1950 1961 - Sep lastSun 2:00 0 S + Rule CA 1962 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 ++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1946 + -8:00 CA P%sT 1967 + -8:00 US P%sT +@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 + # Go with the Arizona State Library instead. + + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 ++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1944 Jan 1 0:01 + -7:00 - MST 1944 Apr 1 0:01 + -7:00 US M%sT 1944 Oct 1 0:01 +@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston + # switched four weeks late in 1974. + # + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 ++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1923 May 13 2:00 + -7:00 US M%sT 1974 + -7:00 - MST 1974 Feb 3 2:00 +@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D + Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S + Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 ++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Indianapolis C%sT 1942 + -6:00 US C%sT 1946 +@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S + Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D + Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 ++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1951 + -6:00 Marengo C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S + Rule Vincennes 1961 only - Sep lastSun 2:00 0 S + Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 ++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Vincennes C%sT 1964 Apr 26 2:00 + -5:00 - EST 1969 +@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S + Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D + Rule Perry 1961 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 ++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Perry C%sT 1964 Apr 26 2:00 + -5:00 - EST 1967 Oct 29 2:00 +@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S + Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D + Rule Pike 1961 1964 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 ++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1955 + -6:00 Pike C%sT 1965 Apr 25 2:00 + -5:00 - EST 1966 Oct 30 2:00 +@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S + Rule Starke 1957 1958 - Sep lastSun 2:00 0 S + Rule Starke 1959 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 ++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1947 + -6:00 Starke C%sT 1962 Apr 29 2:00 + -5:00 - EST 1963 Oct 27 2:00 +@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S + Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S + Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 ++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Pulaski C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 + # + # Switzerland County, Indiana, did not observe DST from 1973 through 2005. + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 ++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1954 Apr 25 2:00 + -5:00 - EST 1969 + -5:00 US E%sT 1973 +@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D + Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S + Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 ++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1921 + -6:00 Louisville C%sT 1942 + -6:00 US C%sT 1946 +@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 + # Federal Register 65, 160 (2000-08-17), pp 50154-50158. + # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm + # +-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 ++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 - CST 1968 + -6:00 US C%sT 2000 Oct 29 2:00 +@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + # longitude they are located at. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++Rule Mexico 1931 only - May 1 23:00 1:00 D ++Rule Mexico 1931 only - Oct 1 0:00 0 S + Rule Mexico 1939 only - Feb 5 0:00 1:00 D + Rule Mexico 1939 only - Jun 25 0:00 0 S + Rule Mexico 1940 only - Dec 9 0:00 1:00 D +@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D + Rule Mexico 2002 max - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + # Quintana Roo; represented by Cancún +-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 ++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 Mexico E%sT 1998 Aug 2 2:00 + -6:00 Mexico C%sT 2015 Feb 1 2:00 + -5:00 - EST + # Campeche, Yucatán; represented by Mérida +-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 ++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 - EST 1982 Dec 2 + -6:00 Mexico C%sT +@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 + # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, + # 2016-03-12 + # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza +-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 ++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT 2010 + -6:00 US C%sT + # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) +-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 ++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT + # Central Mexico +-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 ++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 Mexico C%sT 2001 Sep 30 2:00 + -6:00 - CST 2002 Feb 20 + -6:00 Mexico C%sT +@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 + # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, + # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. + # (See the 2016-03-12 El Universal source mentioned above.) +-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 ++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT 2010 + -7:00 US M%sT + # Chihuahua (away from US border) +-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 ++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT + # Sonora +-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 ++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 + # Use "Bahia_Banderas" to keep the name to fourteen characters. + + # Mazatlán +-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 ++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 + -7:00 Mexico M%sT + + # Bahía de Banderas +-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 ++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 + -6:00 Mexico C%sT + + # Baja California +-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 ++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1924 + -8:00 - PST 1927 Jun 10 23:00 + -7:00 - MST 1930 Nov 15 +diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION +index 71470168456..0cad939008f 100644 +--- a/jdk/test/java/util/TimeZone/TimeZoneData/VERSION ++++ b/jdk/test/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022d ++tzdata2022e +diff --git a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt +index b3823958ae4..2f2786f1c69 100644 +--- a/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/jdk/test/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -97,9 +97,7 @@ America/Winnipeg CST CDT + America/Yakutat AKST AKDT + America/Yellowknife MST MDT + Antarctica/Macquarie AEST AEDT +-Asia/Amman EET EEST + Asia/Beirut EET EEST +-Asia/Damascus EET EEST + Asia/Famagusta EET EEST + Asia/Gaza EET EEST + Asia/Hebron EET EEST +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION +index 889d0e6dad7..b8cb36e69f4 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION ++++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022d ++tzdata2022e +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia +index 1dc7d34f88e..f1771e42a71 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/asia ++++ b/jdk/test/sun/util/calendar/zi/tzdata/asia +@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u + # From the Arabic version, it seems to say it would be at midnight + # (assume 24:00) on the last Thursday in February, starting from 2022. + ++# From Issam Al-Zuwairi (2022-10-05): ++# The Council of Ministers in Jordan decided Wednesday 5th October 2022, ++# that daylight saving time (DST) will be throughout the year.... ++# ++# From Brian Inglis (2022-10-06): ++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news ++# ++# From Paul Eggert (2022-10-05): ++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. ++ + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Jordan 1973 only - Jun 6 0:00 1:00 S + Rule Jordan 1973 1975 - Oct 1 0:00 0 - +@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 - + Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 - + Rule Jordan 2013 only - Dec 20 0:00 0 - + Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S +-Rule Jordan 2014 max - Oct lastFri 0:00s 0 - +-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S ++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 - ++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Amman 2:23:44 - LMT 1931 +- 2:00 Jordan EE%sT ++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s ++ 3:00 - +03 + + + # Kazakhstan +@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 - + # Our brief summary: + # https://www.timeanddate.com/news/time/syria-dst-2012.html + +-# From Arthur David Olson (2012-03-27): +-# Assume last Friday in March going forward XXX. ++# From Steffen Thorsen (2022-10-05): ++# Syria is adopting year-round DST, starting this autumn.... ++# From https://www.enabbaladi.net/archives/607812 ++# "This [the decision] came after the weekly government meeting today, ++# Tuesday 4 October ..." ++# ++# From Paul Eggert (2022-10-05): ++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03 ++# (non-DST) at the point where DST would otherwise have ended. + + Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S + Rule Syria 2008 only - Nov 1 0:00 0 - + Rule Syria 2009 only - Mar lastFri 0:00 1:00 S + Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S +-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S +-Rule Syria 2009 max - Oct lastFri 0:00 0 - ++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S ++Rule Syria 2009 2022 - Oct lastFri 0:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq +- 2:00 Syria EE%sT ++ 2:00 Syria EE%sT 2022 Oct 28 0:00 ++ 3:00 - +03 + + # Tajikistan + # From Shanks & Pottenger. +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe +index 9e0a538f86d..930cede4cf4 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/europe ++++ b/jdk/test/sun/util/calendar/zi/tzdata/europe +@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u + 0:00 Spain WE%sT 1940 Mar 16 23:00 + 1:00 Spain CE%sT 1979 + 1:00 EU CE%sT +-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44 ++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u + 0:00 - WET 1918 May 6 23:00 + 0:00 1:00 WEST 1918 Oct 7 23:00 + 0:00 - WET 1924 +diff --git a/jdk/test/sun/util/calendar/zi/tzdata/northamerica b/jdk/test/sun/util/calendar/zi/tzdata/northamerica +index 114cef14cce..ce4ee74582c 100644 +--- a/jdk/test/sun/util/calendar/zi/tzdata/northamerica ++++ b/jdk/test/sun/util/calendar/zi/tzdata/northamerica +@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D + Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S + Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 ++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Chicago C%sT 1936 Mar 1 2:00 + -5:00 - EST 1936 Nov 15 2:00 +@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24 + -6:00 Chicago C%sT 1967 + -6:00 US C%sT + # Oliver County, ND switched from mountain to central time on 1992-10-25. +-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 ++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1992 Oct 25 2:00 + -6:00 US C%sT + # Morton County, ND, switched from mountain to central time on +@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48 + # Jones, Mellette, and Todd Counties in South Dakota; + # but in practice these other counties were already observing central time. + # See . +-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 ++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2003 Oct 26 2:00 + -6:00 US C%sT + +@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21 + # largest city in Mercer County). Google Maps places Beulah's city hall + # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07". + +-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53 ++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 2010 Nov 7 2:00 + -6:00 US C%sT + +@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S + Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D + Rule Denver 1965 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04 ++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1920 + -7:00 Denver M%sT 1942 + -7:00 US M%sT 1946 +@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D + Rule CA 1950 1961 - Sep lastSun 2:00 0 S + Rule CA 1962 1966 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02 ++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1946 + -8:00 CA P%sT 1967 + -8:00 US P%sT +@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00 + # Go with the Arizona State Library instead. + + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42 ++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u + -7:00 US M%sT 1944 Jan 1 0:01 + -7:00 - MST 1944 Apr 1 0:01 + -7:00 US M%sT 1944 Oct 1 0:01 +@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston + # switched four weeks late in 1974. + # + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11 ++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u + -8:00 US P%sT 1923 May 13 2:00 + -7:00 US M%sT 1974 + -7:00 - MST 1974 Feb 3 2:00 +@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D + Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S + Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22 ++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1920 + -6:00 Indianapolis C%sT 1942 + -6:00 US C%sT 1946 +@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S + Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D + Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37 ++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1951 + -6:00 Marengo C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S + Rule Vincennes 1961 only - Sep lastSun 2:00 0 S + Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53 ++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Vincennes C%sT 1964 Apr 26 2:00 + -5:00 - EST 1969 +@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S + Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D + Rule Perry 1961 1963 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57 ++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Perry C%sT 1964 Apr 26 2:00 + -5:00 - EST 1967 Oct 29 2:00 +@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S + Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D + Rule Pike 1961 1964 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53 ++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1955 + -6:00 Pike C%sT 1965 Apr 25 2:00 + -5:00 - EST 1966 Oct 30 2:00 +@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S + Rule Starke 1957 1958 - Sep lastSun 2:00 0 S + Rule Starke 1959 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30 ++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1947 + -6:00 Starke C%sT 1962 Apr 29 2:00 + -5:00 - EST 1963 Oct 27 2:00 +@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S + Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S + Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 ++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 Pulaski C%sT 1961 Apr 30 2:00 + -5:00 - EST 1969 +@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35 + # + # Switzerland County, Indiana, did not observe DST from 1973 through 2005. + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44 ++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1954 Apr 25 2:00 + -5:00 - EST 1969 + -5:00 US E%sT 1973 +@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D + Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S + Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 ++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1921 + -6:00 Louisville C%sT 1942 + -6:00 US C%sT 1946 +@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58 + # Federal Register 65, 160 (2000-08-17), pp 50154-50158. + # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm + # +-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36 ++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u + -6:00 US C%sT 1946 + -6:00 - CST 1968 + -6:00 US C%sT 2000 Oct 29 2:00 +@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + # longitude they are located at. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++Rule Mexico 1931 only - May 1 23:00 1:00 D ++Rule Mexico 1931 only - Oct 1 0:00 0 S + Rule Mexico 1939 only - Feb 5 0:00 1:00 D + Rule Mexico 1939 only - Jun 25 0:00 0 S + Rule Mexico 1940 only - Dec 9 0:00 1:00 D +@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D + Rule Mexico 2002 max - Oct lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] + # Quintana Roo; represented by Cancún +-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56 ++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 Mexico E%sT 1998 Aug 2 2:00 + -6:00 Mexico C%sT 2015 Feb 1 2:00 + -5:00 - EST + # Campeche, Yucatán; represented by Mérida +-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 ++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1981 Dec 23 + -5:00 - EST 1982 Dec 2 + -6:00 Mexico C%sT +@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32 + # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal, + # 2016-03-12 + # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-horario-de-verano-en-zona-fronteriza +-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00 ++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT 2010 + -6:00 US C%sT + # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border) +-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44 ++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u + -6:00 - CST 1988 + -6:00 US C%sT 1989 + -6:00 Mexico C%sT + # Central Mexico +-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 ++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 Mexico C%sT 2001 Sep 30 2:00 + -6:00 - CST 2002 Feb 20 + -6:00 Mexico C%sT +@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24 + # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, + # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides. + # (See the 2016-03-12 El Universal source mentioned above.) +-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20 ++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT 2010 + -7:00 US M%sT + # Chihuahua (away from US border) +-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40 ++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1996 + -6:00 Mexico C%sT 1998 + -6:00 - CST 1998 Apr Sun>=1 3:00 + -7:00 Mexico M%sT + # Sonora +-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 ++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08 + # Use "Bahia_Banderas" to keep the name to fourteen characters. + + # Mazatlán +-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20 ++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 + -7:00 Mexico M%sT + + # Bahía de Banderas +-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 ++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 + -6:00 - CST 1930 Nov 15 +- -7:00 - MST 1931 May 1 23:00 +- -6:00 - CST 1931 Oct +- -7:00 - MST 1932 Apr 1 ++ -7:00 Mexico M%sT 1932 Apr 1 + -6:00 - CST 1942 Apr 24 + -7:00 - MST 1949 Jan 14 + -8:00 - PST 1970 +@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00 + -6:00 Mexico C%sT + + # Baja California +-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56 ++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1924 + -8:00 - PST 1927 Jun 10 23:00 + -7:00 - MST 1930 Nov 15 diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index febb3c4..ce5c5be 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -294,11 +294,6 @@ # New Version-String scheme-style defines %global majorver 8 -# Define IcedTea version used for SystemTap tapsets and desktop file -%global icedteaver 3.15.0 -# Define current Git revision for the FIPS support patches -%global fipsver 8e8bbf0ff74 - # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK @@ -331,13 +326,16 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u345-b01 +%global openjdk_revision jdk8u352-b08 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} %global revision %{shenandoah_revision} - +# Define IcedTea version used for SystemTap tapsets and desktop files +%global icedteaver 3.15.0 +# Define current Git revision for the FIPS support patches +%global fipsver 6d1aade0648 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 %global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*}) @@ -347,7 +345,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 5 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -1236,9 +1234,9 @@ Provides: jre%{?1} = %{epoch}:%{version}-%{release} Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem -# Require zoneinfo data provided by tzdata-java subpackage. -# 2022a required as of JDK-8283350 in 8u342 -Requires: tzdata-java >= 2022a +# 2022d required as of JDK-8294357 +# Should be bumped to 2022e once available (JDK-8295173) +Requires: tzdata-java >= 2022d # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1417,6 +1415,9 @@ Source16: CheckVendor.java # nss fips configuration file Source17: nss.fips.cfg.in +# Ensure translations are available for new timezones +Source18: TestTranslations.java + Source20: repackReproduciblePolycies.sh # New versions of config files with aarch64 support. This is not upstream yet. @@ -1542,13 +1543,17 @@ Patch581: jdk8257794-remove_broken_assert.patch ############################################# # -# Patches appearing in 8u282 +# Patches appearing in 8u362 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# +# JDK-8294357: (tz) Update Timezone Data to 2022d +Patch2002: jdk8294357-tzdata2022d.patch +# JDK-8295173: (tz) Update Timezone Data to 2022e +Patch2003: jdk8295173-tzdata2022e.patch ############################################# # @@ -1618,8 +1623,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022a required as of JDK-8283350 in 8u342 -BuildRequires: tzdata-java >= 2022a +# 2022d required as of JDK-8294357 +# Should be bumped to 2022e once available (JDK-8295173) +BuildRequires: tzdata-java >= 2022d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1943,6 +1949,9 @@ pushd %{top_level_dir_name} %patch1000 -p1 # cacerts patch; must follow FIPS patch as it also alters java.security %patch539 -p1 +# tzdata updates targetted for 8u362 +%patch2002 -p1 +%patch2003 -p1 popd # RPM-only fixes @@ -2270,6 +2279,9 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif +# Check translations are available for new timezones +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} @@ -2719,6 +2731,14 @@ cjc.mainProgram(args) %endif %changelog +* Sun Oct 16 2022 Andrew Hughes - 1:1.8.0.352.b08-2 +- Update to shenandoah-jdk8u352-b08 (GA) +- Update release notes for shenandoah-8u352-b08. +- Rebase FIPS patch against 8u352-b07 +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Add test to ensure timezones can be translated +- Resolves: rhbz#2133695 + * Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5 - Allow the default keystore to be configured using security.systemCACerts - Use of the property can now be disabled using -Dsecurity.systemCACerts=