From 05dac3bd35d6dde3f2810a2dc810ddb24cbc9069 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 19 2023 15:18:30 +0000 Subject: import java-11-openjdk-11.0.19.0.7-1.el9_1 --- diff --git a/.gitignore b/.gitignore index 7d99f3a..95e9ef2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-jdk11u-jdk-11.0.18+10-4curve.tar.xz +SOURCES/openjdk-jdk11u-jdk-11.0.19+7-4curve.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index eeef643..6afe03c 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -65abc412a085af5ba08c019cf6d0e7e44cfe94eb SOURCES/openjdk-jdk11u-jdk-11.0.18+10-4curve.tar.xz +aa30c8827f7ced0a1fa9a9c226884f7c79101e86 SOURCES/openjdk-jdk11u-jdk-11.0.19+7-4curve.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 4958413..0b617ad 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,287 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.19 (2023-04-18): +============================================= +Live versions of these release notes can be found at: + * https://bit.ly/openjdk11019 + +* CVEs + - CVE-2023-21930 + - CVE-2023-21937 + - CVE-2023-21938 + - CVE-2023-21939 + - CVE-2023-21954 + - CVE-2023-21967 + - CVE-2023-21968 +* Security fixes + - JDK-8287404: Improve ping times + - JDK-8288436: Improve Xalan supports + - JDK-8294474: Better AES support + - JDK-8295304: Runtime support improvements + - JDK-8296676, JDK-8296622: Improve String platform support + - JDK-8296684: Improve String platform support + - JDK-8296692: Improve String platform support + - JDK-8296832: Improve Swing platform support + - JDK-8297371: Improve UTF8 representation redux + - JDK-8298191: Enhance object reclamation process + - JDK-8298310: Enhance TLS session negotiation + - JDK-8298667: Improved path handling + - JDK-8299129: Enhance NameService lookups +* Other changes + - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion + - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails + - JDK-8035787: SourcePositions are wrong for Strings concatenated with '+' operator + - JDK-8065097: [macosx] javax/swing/Popup/TaskbarPositionTest.java fails because Popup is one pixel off + - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled + - JDK-8129315: java/net/Socket/LingerTest.java and java/net/Socket/ShutdownBoth.java timeout intermittently + - JDK-8144030: [macosx] test java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again) + - JDK-8170705: sun/net/www/protocol/http/StackTraceTest.java fails intermittently with Invalid Http response + - JDK-8171405: java/net/URLConnection/ResendPostBody.java failed with "Error while cleaning up threads after test" + - JDK-8179317: [TESTBUG] rewrite runtime shell tests in java + - JDK-8190492: Remove SSLv2Hello and SSLv3 from default enabled TLS protocols + - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails + - JDK-8195057: java/util/concurrent/CountDownLatch/Basic.java failed w/ Xcomp + - JDK-8195716: BootstrapLoggerTest : Executor still alive + - JDK-8202621: bad test with broken links needs to be updated + - JDK-8207248: Reduce incidence of compiler.warn.source.no.bootclasspath in javac tests + - JDK-8208077: File.listRoots performance degradation + - JDK-8209023: fix 2 compiler tests to avoid JDK-8208690 + - JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update + - JDK-8209774: Refactor shell test javax/xml/jaxp/common/8035437/run.sh to java + - JDK-8209935: Test to cover CodeSource.getCodeSigners() + - JDK-8210373: Deadlock in libj2gss.so when loading "j2gss" and "net" libraries in parallel. + - JDK-8212165: JGSS: Fix cut/paste error in NativeUtil.c + - JDK-8212216: JGSS: Fix leak in exception cases in getJavaOID() + - JDK-8213130: Update ProblemList after verification of jtreg tests in Win 7 + - JDK-8213265: fix missing newlines at end of files + - JDK-8213932: [TESTBUG] assertEquals is invoked with the arguments in the wrong order + - JDK-8214445: [test] java/net/URL/HandlerLoop has illegal reflective access + - JDK-8215372: test/jdk/java/nio/file/DirectoryStream/Basic.java not correct when using a glob + - JDK-8215759: [test] java/math/BigInteger/ModPow.java can throw an ArithmeticException + - JDK-8217353: java/util/logging/LogManager/Configuration/updateConfiguration/HandlersOnComplexResetUpdate.java fails with Unexpected reference: java.lang.ref.WeakReference + - JDK-8217730: Split up MakeBase.gmk + - JDK-8218133: sun/net/www/protocol/http/ProtocolRedirect.java failed with "java.net.ConnectException" + - JDK-8218431: Improved platform checking in makefiles + - JDK-8218460: Test generation scripts do not invoke stream preprocessor correctly + - JDK-8221098: Run java/net/URL/HandlerLoop.java in othervm mode + - JDK-8221168: java/util/concurrent/CountDownLatch/Basic.java fails + - JDK-8221351: Crash in KlassFactory::check_shared_class_file_load_hook + - JDK-8221621: FindTests.gmk cannot handle "=" in TEST.groups comments + - JDK-8222430: Add tests for ElementKind predicates + - JDK-8223463: Replace wildcard address with loopback or local host in tests - part 2 + - JDK-8223716: sun/net/www/http/HttpClient/MultiThreadTest.java should be more resilient to unexpected traffic + - JDK-8223736: jvmti/scenarios/contention/TC04/tc04t001/TestDescription.java fails due to wrong number of MonitorContendedEntered events + - JDK-8224024: java/util/concurrent/BlockingQueue/DrainToFails.java testBounded fails intermittently + - JDK-8225648: [TESTBUG] java/lang/annotation/loaderLeak/Main.java fails with -Xcomp + - JDK-8226595: jvmti/scenarios/contention/TC04/tc04t001/TestDescription.java still fails due to wrong number of MonitorContendedEntered events + - JDK-8226917: jvmti/scenarios/contention/TC04/tc04t001/TestDescription.java fails on jvmti->InterruptThread (JVMTI_ERROR_THREAD_NOT_ALIVE) + - JDK-8227422: sun/net/www/protocol/file/DirPermissionDenied.java failed on Windows 2016 because DirPermissionDenied directory has no read permission + - JDK-8230374: maxOutputSize, instead of javatest.maxOutputSize, should be used in TEST.properties + - JDK-8230731: SA tests fail with "Windbg Error: ReadVirtual failed" + - JDK-8231595: [TEST] develop a test case for SuspendThreadList including current thread + - JDK-8233462: serviceability/tmtools/jstat tests times out with -Xcomp + - JDK-8235448: code cleanup in SSLContextImpl.java + - JDK-8238936: The crash in XRobotPeer when the custom GraphicsDevice is used + - JDK-8241293: CompressedClassSpaceSizeInJmapHeap.java time out after 8 minutes + - JDK-8241806: The sun/awt/shell/FileSystemViewMemoryLeak.java is unstable + - JDK-8244592: Start supporting SOURCE_DATE_EPOCH + - JDK-8245245: WebSocket can lose the URL encoding of URI query parameters + - JDK-8245654: Add Certigna Root CA + - JDK-8247741: Test test/hotspot/jtreg/runtime/7162488/TestUnrecognizedVmOption.java fails when -XX:+IgnoreUnrecognizedVMOptions is set + - JDK-8248306: gc/stress/gclocker/TestExcessGCLockerCollections.java does not compile + - JDK-8249691: jdk/lambda/vm/StrictfpDefault.java file can be removed + - JDK-8252401: Introduce Utils.TEST_NATIVE_PATH + - JDK-8252532: use Utils.TEST_NATIVE_PATH instead of System.getProperty("test.nativepath") + - JDK-8252715: Problem list java/awt/event/KeyEvent/KeyTyped/CtrlASCII.java on Linux + - JDK-8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" + - JDK-8255710: Opensource unit/regression tests for CMM + - JDK-8256110: Create implementation for NSAccessibilityStepper protocol + - JDK-8256111: Create implementation for NSAccessibilityStaticText protocol + - JDK-8256126: Create implementation for NSAccessibilityImage protocol peer + - JDK-8256240: Reproducible builds should turn on the "deterministic" flag for Visual Studio + - JDK-8256934: C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8257928: Test image build failure with clang-10 due to -Wmisleading-indentation + - JDK-8258005: JDK build fails with incorrect fixpath script + - JDK-8259265: Refactor UncaughtExceptions shell test as java test. + - JDK-8259267: Refactor LoaderLeak shell test as java test. + - JDK-8260576: Typo in compiler/runtime/safepoints/TestRegisterRestoring.java + - JDK-8261270: MakeMethodNotCompilableTest fails with -XX:TieredStopAtLevel={1,2,3} + - JDK-8261279: sun/util/resources/cldr/TimeZoneNamesTest.java timed out + - JDK-8261350: Create implementation for NSAccessibilityCheckBox protocol peer + - JDK-8261351: Create implementation for NSAccessibilityRadioButton protocol + - JDK-8261352: Create implementation for component peer for all the components who should be ignored in a11y interactions + - JDK-8262060: compiler/whitebox/BlockingCompilation.java timed out + - JDK-8264200: java/nio/channels/DatagramChannel/SRTest.java fails intermittently + - JDK-8264299: Create implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles + - JDK-8264512: jdk/test/jdk/java/util/prefs/ExportNode.java relies on default platform encoding + - JDK-8266974: duplicate property key in java.sql.rowset resource bundle + - JDK-8267038: Update IANA Language Subtag Registry to Version 2022-03-02 + - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction + - JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java fails with -XX:TieredStopAtLevel=1 + - JDK-8271506: Add ResourceHashtable support for deleting selected entries + - JDK-8272985: Reference discovery is confused about atomicity and degree of parallelism + - JDK-8273497: building.md should link to both md and html + - JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should test for CPU feature explicitly + - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 + - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS + - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64 + - JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64 + - JDK-8279614: The left line of the TitledBorder is not painted on 150 scale factor + - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC + - JDK-8279941: sun/security/pkcs11/Signature/TestDSAKeyLength.java fails when NSS version detection fails + - JDK-8280048: Missing comma in copyright header + - JDK-8280391: NMT: Correct NMT tag on CollectedHeap + - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized + - JDK-8280896: java/nio/file/Files/probeContentType/Basic.java fails on Windows 11 + - JDK-8281262: Windows builds in different directories are not fully reproducible + - JDK-8282036: Change java/util/zip/ZipFile/DeleteTempJar.java to stop HttpServer cleanly in case of exceptions + - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX + - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired + - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template + - JDK-8282958: Rendering Issues with Borders on Windows High-DPI systems + - JDK-8283606: Tests may fail with zh locale on MacOS + - JDK-8283717: vmTestbase/nsk/jdi/ThreadStartEvent/thread/thread001 failed due to SocketTimeoutException + - JDK-8283719: java/util/logging/CheckZombieLockTest.java failing intermittently + - JDK-8283870: jdeprscan --help causes an exception when the locale is ja, zh_CN or de + - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo + - JDK-8284165: Add pid to process reaper thread name + - JDK-8285093: Introduce UTIL_ARG_WITH + - JDK-8285399: JNI exception pending in awt_GraphicsEnv.c:1432 + - JDK-8285690: CloneableReference subtest should not throw CloneNotSupportedException + - JDK-8285755: JDK-8285093 changed the default for --with-output-sync + - JDK-8285835: SIGSEGV in PhaseIdealLoop::build_loop_late_post_work + - JDK-8285919: Remove debug printout from JDK-8285093 + - JDK-8286030: Avoid JVM crash when containers share the same /tmp dir + - JDK-8286800: Assert in PhaseIdealLoop::dump_real_LCA is too strong + - JDK-8286962: java/net/httpclient/ServerCloseTest.java failed once with ConnectException + - JDK-8287011: Improve container information + - JDK-8287180: Update IANA Language Subtag Registry to Version 2022-08-08 + - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests + - JDK-8288332: Tier1 validate-source fails after 8279614 + - JDK-8288499: Restore cancel-in-progress in GHA + - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https + - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun + - JDK-8290197: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails on some systems for the ".rar" extension + - JDK-8290899: java/lang/String/StringRepeat.java test requests too much heap on windows x86 + - JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is false + - JDK-8290964: C2 compilation fails with assert "non-reduction loop contains reduction nodes" + - JDK-8292863: assert(_print_inlining_stream->size() > 0) failed: missing inlining msg + - JDK-8292877: java/util/concurrent/atomic/Serial.java uses {Double,Long}Accumulator incorrectly + - JDK-8293550: Optionally add get-task-allow entitlement to macos binaries + - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings + - JDK-8293996: C2: fix and simplify IdealLoopTree::do_remove_empty_loop + - JDK-8294378: URLPermission constructor exception when using tr locale + - JDK-8294580: frame::interpreter_frame_print_on() crashes if free BasicObjectLock exists in frame + - JDK-8294705: Disable an assertion in test/jdk/java/util/DoubleStreamSums/CompensatedSums.java + - JDK-8294947: Use 64bit atomics in patch_verified_entry on x86_64 + - JDK-8295116: C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead + - JDK-8295211: Fix autoconf 2.71 warning "AC_CHECK_HEADERS: you should use literals" + - JDK-8295405: Add cause in a couple of IllegalArgumentException and InvalidParameterException shown by sun/security/pkcs11 tests + - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp + - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13 + - JDK-8295685: Update Libpng to 1.6.38 + - JDK-8295774: Write a test to verify List sends ItemEvent/ActionEvent + - JDK-8295777: java/net/httpclient/ConnectExceptionTest.java should not rely on system resolver + - JDK-8295788: C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296611: Problemlist several sun/security tests until JDK-8295343 is resolved + - JDK-8296619: Upgrade jQuery to 3.6.1 + - JDK-8296675: Exclude linux-aarch64 in NSS tests + - JDK-8296878: Document Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters + - JDK-8296904: Improve handling of macos xcode toolchain + - JDK-8296912: C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 + - JDK-8296924: C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address + - JDK-8297088: Update LCMS to 2.14 + - JDK-8297257: Bump update version for OpenJDK: jdk-11.0.19 + - JDK-8297264: C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top + - JDK-8297480: GetPrimitiveArrayCritical in imageioJPEG misses result - NULL check + - JDK-8297489: Modify TextAreaTextEventTest.java as to verify the content change of TextComponent sends TextEvent + - JDK-8297569: URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 + - JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication + - JDK-8297963: Partially fix string expansion issues in UTIL_DEFUN_NAMED and related macros + - JDK-8298027: Remove SCCS id's from awt jtreg tests + - JDK-8298073: gc/metaspace/CompressedClassSpaceSizeInJmapHeap.java causes test task timeout on macosx + - JDK-8298093: improve cleanup and error handling of awt_parseColorModel in awt_parseImage.c + - JDK-8298108: Add a regression test for JDK-8297684 + - JDK-8298129: Let checkpoint event sizes grow beyond u4 limit + - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows + - JDK-8298459: Fix msys2 linking and handling out of tree build directory for source zip creation + - JDK-8298527: Cygwin's uname -m returns different string than before + - JDK-8298588: WebSockets: HandshakeUrlEncodingTest unnecessarily depends on a response body + - JDK-8299194: CustomTzIDCheckDST.java may fail at future date + - JDK-8299296: Write a test to verify the components selection sends ItemEvent + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299445: EndingDotHostname.java fails because of compilation errors + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8299520: TestPrintXML.java output error messages in case compare fails + - JDK-8299596: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.19 + - JDK-8299616: [11u] Bootcycle build fails after JDK-8257679 backport + - JDK-8299789: Compilation of gtest causes build to fail if runtime libraries are in different dirs + - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems + - JDK-8300424: [11u] Chunk lost in backport of 8297569 + - JDK-8300642: [17u,11u] Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev + - JDK-8300742: jstat's CGCT is 5 percent higher than the pause time in -Xlog:gc. + - JDK-8300773: Address the inconsistency between the constant array and pool size + - JDK-8301397: [11u, 17u] Bump jtreg to fix issue with build JDK 11.0.18 + - JDK-8301760: Fix possible leak in SpNegoContext dispose + - JDK-8301842: JFR: increase checkpoint event size for stacktrace and string pool + - JDK-8302000: [11u] A subtle race condition during jdk11u build + - JDK-8302657: [11u] Add missing '(' in makefile after backport of 8218431 + - JDK-8302694: [11u] Update GHA Boot JDK to 11.0.18 + - JDK-8302903: [11u] Add modified test snippet after backport of JDK-8221871 + - JDK-8303075: [11u] Add CompileClassWithDebugTest to ProblemList for 8303074 + - JDK-8304389: [11u] Crash on Windows in C2 compiled code after 8248238 and 8218431 + +Notes on individual issues: +=========================== + +security-libs/javax.net.ssl: + +JDK-8190492: Removed SSLv2Hello and SSLv3 From Default Enabled TLS Protocols +============================================================================ +SSLv2Hello and SSLv3 are versions of the SSL protocol that have not +been considered secure for some time and are already disabled by +default. They have been superseded by the more secure and modern TLS +protocol, and users are recommended to switch to TLS 1.2 or 1.3. + +With this release, SSLv2Hello and SSLv3 are now also removed from the +list of default enabled protocols. This means that, even if SSLv3 is +removed from the `jdk.tls.disabledAlgorithms` security property, it +will still not be returned by the following methods: + +* SSLServerSocket.getEnabledProtocols() +* SSLEngine.getEnabledProtocols() +* SSLParameters.getProtocols() + +To enable SSLv3, it is now necessary to use the +`jdk.tls.client.protocols` or `jdk.tls.server.protocols` system +properties on the command line, or call one of the following methods +to enable them programatically: + +* SSLSocket.setEnabledProtocols() +* SSLServerSocket.setEnabledProtocols() +* SSLEngine.setEnabledProtocols() + +security-libs/java.security: + +JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate +========================================================== +The following root certificate has been added to the cacerts truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR + +core-libs/java.io: + +JDK-8208077: File::listRoots Changed To Return All Available Drives On Windows +============================================================================== +The `java.io.File.listRoots()` method on Windows systems filtered out disk +drives that could not be accessed or did not have media loaded. The +use of this filtering led to observable performance issues. This release +now returns all available disk drives, unfiltered. + New in release OpenJDK 11.0.18 (2023-01-17): ============================================= Live versions of these release notes can be found at: @@ -224,7 +505,7 @@ Live versions of these release notes can be found at: - JDK-8296239: ISO 4217 Amendment 174 Update - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException - - JDK-8296496: Overzealous check in sizecalc.h prevents large memory allocation + - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent - JDK-8296652: Restore windows aarch64 fixpath patch that was removed in 8239708 - JDK-8296715: CLDR v42 update for tzdata 2022f @@ -244,6 +525,16 @@ Live versions of these release notes can be found at: Notes on individual issues: =========================== +client-libs/javax.imageio: + +JDK-8295687: Better BMP bounds +============================== +Loading a linked ICC profile within a BMP image is now disabled by +default. To re-enable it, set the new system property +`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property +replaces the old property, +`sun.imageio.plugins.bmp.disableLinkedProfiles`. + client-libs/javax.sound: JDK-8293742: Better Banking of Sounds diff --git a/SOURCES/fips-11u-9087e80d0ab.patch b/SOURCES/fips-11u-9087e80d0ab.patch deleted file mode 100644 index a396fb8..0000000 --- a/SOURCES/fips-11u-9087e80d0ab.patch +++ /dev/null @@ -1,1610 +0,0 @@ -diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index a73c0f38181..80710886ed8 100644 ---- a/make/autoconf/libraries.m4 -+++ b/make/autoconf/libraries.m4 -@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], - LIB_SETUP_LIBFFI - LIB_SETUP_BUNDLED_LIBS - LIB_SETUP_MISC_LIBS -+ LIB_SETUP_SYSCONF_LIBS - LIB_SETUP_SOLARIS_STLPORT - LIB_TESTS_SETUP_GRAALUNIT - -@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT], - fi - ]) - -+################################################################################ -+# Setup system configuration libraries -+################################################################################ -+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], -+[ -+ ############################################################################### -+ # -+ # Check for the NSS library -+ # -+ -+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) -+ -+ # default is not available -+ DEFAULT_SYSCONF_NSS=no -+ -+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], -+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], -+ [ -+ case "${enableval}" in -+ yes) -+ sysconf_nss=yes -+ ;; -+ *) -+ sysconf_nss=no -+ ;; -+ esac -+ ], -+ [ -+ sysconf_nss=${DEFAULT_SYSCONF_NSS} -+ ]) -+ AC_MSG_RESULT([$sysconf_nss]) -+ -+ USE_SYSCONF_NSS=false -+ if test "x${sysconf_nss}" = "xyes"; then -+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) -+ if test "x${NSS_FOUND}" = "xyes"; then -+ AC_MSG_CHECKING([for system FIPS support in NSS]) -+ saved_libs="${LIBS}" -+ saved_cflags="${CFLAGS}" -+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" -+ LIBS="${LIBS} ${NSS_LIBS}" -+ AC_LANG_PUSH([C]) -+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], -+ [[SECMOD_GetSystemFIPSEnabled()]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]) -+ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) -+ AC_LANG_POP([C]) -+ CFLAGS="${saved_cflags}" -+ LIBS="${saved_libs}" -+ USE_SYSCONF_NSS=true -+ else -+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API -+ dnl in nss3/pk11pub.h. -+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) -+ fi -+ fi -+ AC_SUBST(USE_SYSCONF_NSS) -+]) -diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index 0ae23b93167..a242acc1234 100644 ---- a/make/autoconf/spec.gmk.in -+++ b/make/autoconf/spec.gmk.in -@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ - # Libraries - # - -+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ -+NSS_LIBS:=@NSS_LIBS@ -+NSS_CFLAGS:=@NSS_CFLAGS@ -+ - USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ - LCMS_CFLAGS:=@LCMS_CFLAGS@ - LCMS_LIBS:=@LCMS_LIBS@ -diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk -index a529768f39e..daf9c947172 100644 ---- a/make/lib/Lib-java.base.gmk -+++ b/make/lib/Lib-java.base.gmk -@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix) - endif - endif - -+################################################################################ -+# Create the systemconf library -+ -+LIBSYSTEMCONF_CFLAGS := -+LIBSYSTEMCONF_CXXFLAGS := -+ -+ifeq ($(USE_SYSCONF_NSS), true) -+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS -+endif -+ -+ifeq ($(OPENJDK_BUILD_OS), linux) -+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ -+ NAME := systemconf, \ -+ OPTIMIZATION := LOW, \ -+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ -+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ -+ LDFLAGS := $(LDFLAGS_JDKLIB) \ -+ $(call SET_SHARED_LIBRARY_ORIGIN), \ -+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ -+ )) -+ -+ TARGETS += $(BUILD_LIBSYSTEMCONF) -+endif -+ - ################################################################################ - # Create the symbols file for static builds. - -diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml -index fb07d54c1f0..c5813e2b7aa 100644 ---- a/make/nb_native/nbproject/configurations.xml -+++ b/make/nb_native/nbproject/configurations.xml -@@ -2950,6 +2950,9 @@ - LinuxWatchService.c - - -+ -+ systemconf.c -+ - - - -@@ -29301,6 +29304,11 @@ - tool="0" - flavor2="0"> - -+ -+ - -+#include -+#include "jvm_md.h" -+#include -+ -+#ifdef SYSCONF_NSS -+#include -+#else -+#include -+#endif //SYSCONF_NSS -+ -+#include "java_security_SystemConfigurator.h" -+ -+#define MSG_MAX_SIZE 256 -+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" -+ -+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); -+ -+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; -+static jmethodID debugPrintlnMethodID = NULL; -+static jobject debugObj = NULL; -+ -+static void dbgPrint(JNIEnv *env, const char* msg) -+{ -+ jstring jMsg; -+ if (debugObj != NULL) { -+ jMsg = (*env)->NewStringUTF(env, msg); -+ CHECK_NULL(jMsg); -+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); -+ } -+} -+ -+static void throwIOException(JNIEnv *env, const char *msg) -+{ -+ jclass cls = (*env)->FindClass(env, "java/io/IOException"); -+ if (cls != 0) -+ (*env)->ThrowNew(env, cls, msg); -+} -+ -+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) -+{ -+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { -+ dbgPrint(env, msg); -+ } else { -+ dbgPrint(env, "systemconf: cannot render message"); -+ } -+} -+ -+// Only used when NSS is not linked at build time -+#ifndef SYSCONF_NSS -+ -+static void *nss_handle; -+ -+static jboolean loadNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); -+ if (nss_handle == NULL) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ dlerror(); /* Clear errors */ -+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); -+ if ((errmsg = dlerror()) != NULL) { -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ return JNI_FALSE; -+ } -+ return JNI_TRUE; -+} -+ -+static void closeNSS(JNIEnv *env) -+{ -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ const char* errmsg; -+ -+ if (dlclose(nss_handle) != 0) { -+ errmsg = dlerror(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", -+ errmsg); -+ handle_msg(env, msg, msg_bytes); -+ } -+} -+ -+#endif -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnLoad -+ */ -+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ jclass sysConfCls, debugCls; -+ jfieldID sdebugFld; -+ -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return JNI_EVERSION; /* JNI version not supported */ -+ } -+ -+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); -+ if (sysConfCls == NULL) { -+ printf("libsystemconf: SystemConfigurator class not found\n"); -+ return JNI_ERR; -+ } -+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, -+ "sdebug", "Lsun/security/util/Debug;"); -+ if (sdebugFld == NULL) { -+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); -+ if (debugObj != NULL) { -+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); -+ if (debugCls == NULL) { -+ printf("libsystemconf: Debug class not found\n"); -+ return JNI_ERR; -+ } -+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, -+ "println", "(Ljava/lang/String;)V"); -+ if (debugPrintlnMethodID == NULL) { -+ printf("libsystemconf: Debug::println(String) method not found\n"); -+ return JNI_ERR; -+ } -+ debugObj = (*env)->NewGlobalRef(env, debugObj); -+ } -+ -+#ifdef SYSCONF_NSS -+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; -+#else -+ if (loadNSS(env) == JNI_FALSE) { -+ dbgPrint(env, "libsystemconf: Failed to load NSS library."); -+ } -+#endif -+ -+ return (*env)->GetVersion(env); -+} -+ -+/* -+ * Class: java_security_SystemConfigurator -+ * Method: JNI_OnUnload -+ */ -+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) -+{ -+ JNIEnv *env; -+ -+ if (debugObj != NULL) { -+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { -+ return; /* Should not happen */ -+ } -+#ifndef SYSCONF_NSS -+ closeNSS(env); -+#endif -+ (*env)->DeleteGlobalRef(env, debugObj); -+ } -+} -+ -+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled -+ (JNIEnv *env, jclass cls) -+{ -+ int fips_enabled; -+ char msg[MSG_MAX_SIZE]; -+ int msg_bytes; -+ -+ if (getSystemFIPSEnabled != NULL) { -+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); -+ fips_enabled = (*getSystemFIPSEnabled)(); -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); -+ } else { -+ FILE *fe; -+ -+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); -+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { -+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ fips_enabled = fgetc(fe); -+ fclose(fe); -+ if (fips_enabled == EOF) { -+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); -+ return JNI_FALSE; -+ } -+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ -+ " read character is '%c'", fips_enabled); -+ handle_msg(env, msg, msg_bytes); -+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); -+ } -+} -diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index b36510a376b..ad5182e1e7c 100644 ---- a/src/java.base/share/classes/java/security/Security.java -+++ b/src/java.base/share/classes/java/security/Security.java -@@ -32,6 +32,7 @@ import java.net.URL; - - import jdk.internal.event.EventHelper; - import jdk.internal.event.SecurityPropertyModificationEvent; -+import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; - import jdk.internal.misc.SharedSecrets; - import jdk.internal.util.StaticProperty; - import sun.security.util.Debug; -@@ -47,12 +48,20 @@ import sun.security.jca.*; - * implementation-specific location, which is typically the properties file - * {@code conf/security/java.security} in the Java installation directory. - * -+ *

Additional default values of security properties are read from a -+ * system-specific location, if available.

-+ * - * @author Benjamin Renaud - * @since 1.1 - */ - - public final class Security { - -+ private static final String SYS_PROP_SWITCH = -+ "java.security.disableSystemPropertiesFile"; -+ private static final String SEC_PROP_SWITCH = -+ "security.useSystemPropertiesFile"; -+ - /* Are we debugging? -- for developers */ - private static final Debug sdebug = - Debug.getInstance("properties"); -@@ -67,6 +76,19 @@ public final class Security { - } - - static { -+ // Initialise here as used by code with system properties disabled -+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( -+ new JavaSecuritySystemConfiguratorAccess() { -+ @Override -+ public boolean isSystemFipsEnabled() { -+ return SystemConfigurator.isSystemFipsEnabled(); -+ } -+ @Override -+ public boolean isPlainKeySupportEnabled() { -+ return SystemConfigurator.isPlainKeySupportEnabled(); -+ } -+ }); -+ - // doPrivileged here because there are multiple - // things in initialize that might require privs. - // (the FileInputStream call and the File.exists call, -@@ -83,6 +105,7 @@ public final class Security { - props = new Properties(); - boolean loadedProps = false; - boolean overrideAll = false; -+ boolean systemSecPropsEnabled = false; - - // first load the system properties file - // to determine the value of security.overridePropertiesFile -@@ -98,6 +121,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -192,6 +216,61 @@ public final class Security { - } - } - -+ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); -+ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); -+ if (sdebug != null) { -+ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); -+ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); -+ } -+ if (!sysUseProps && secUseProps) { -+ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); -+ if (!systemSecPropsEnabled) { -+ if (sdebug != null) { -+ sdebug.println("WARNING: System security properties could not be loaded."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("System security property support disabled by user."); -+ } -+ } -+ -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { -+ boolean shouldEnable; -+ String sysProp = System.getProperty("com.redhat.fips"); -+ if (sysProp == null) { -+ shouldEnable = true; -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips unset, using default value of true"); -+ } -+ } else { -+ shouldEnable = Boolean.valueOf(sysProp); -+ if (sdebug != null) { -+ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); -+ } -+ } -+ if (shouldEnable) { -+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); -+ if (sdebug != null) { -+ if (fipsEnabled) { -+ sdebug.println("FIPS mode support configured and enabled."); -+ } else { -+ sdebug.println("FIPS mode support disabled."); -+ } -+ } -+ } else { -+ if (sdebug != null ) { -+ sdebug.println("FIPS mode support disabled by user."); -+ } -+ } -+ } else { -+ if (sdebug != null) { -+ sdebug.println("WARNING: FIPS mode support can not be enabled without " + -+ "system security properties being enabled."); -+ } -+ } - } - - /* -diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java -new file mode 100644 -index 00000000000..90f6dd2ebc0 ---- /dev/null -+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,248 @@ -+/* -+ * Copyright (c) 2019, 2021, Red Hat, Inc. -+ * -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package java.security; -+ -+import java.io.BufferedInputStream; -+import java.io.FileInputStream; -+import java.io.IOException; -+ -+import java.util.Iterator; -+import java.util.Map.Entry; -+import java.util.Properties; -+ -+import sun.security.util.Debug; -+ -+/** -+ * Internal class to align OpenJDK with global crypto-policies. -+ * Called from java.security.Security class initialization, -+ * during startup. -+ * -+ */ -+ -+final class SystemConfigurator { -+ -+ private static final Debug sdebug = -+ Debug.getInstance("properties"); -+ -+ private static final String CRYPTO_POLICIES_BASE_DIR = -+ "/etc/crypto-policies"; -+ -+ private static final String CRYPTO_POLICIES_JAVA_CONFIG = -+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; -+ -+ private static boolean systemFipsEnabled = false; -+ private static boolean plainKeySupportEnabled = false; -+ -+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; -+ -+ private static native boolean getSystemFIPSEnabled() -+ throws IOException; -+ -+ static { -+ AccessController.doPrivileged(new PrivilegedAction() { -+ public Void run() { -+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); -+ return null; -+ } -+ }); -+ } -+ -+ /* -+ * Invoked when java.security.Security class is initialized, if -+ * java.security.disableSystemPropertiesFile property is not set and -+ * security.useSystemPropertiesFile is true. -+ */ -+ static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; -+ } -+ -+ /* -+ * Invoked at the end of java.security.Security initialisation -+ * if java.security properties have been loaded -+ */ -+ static boolean configureFIPS(Properties props) { -+ boolean loadedProps = false; -+ -+ try { -+ if (enableFips()) { -+ if (sdebug != null) { sdebug.println("FIPS mode detected"); } -+ // Remove all security providers -+ Iterator> i = props.entrySet().iterator(); -+ while (i.hasNext()) { -+ Entry e = i.next(); -+ if (((String) e.getKey()).startsWith("security.provider")) { -+ if (sdebug != null) { sdebug.println("Removing provider: " + e); } -+ i.remove(); -+ } -+ } -+ // Add FIPS security providers -+ String fipsProviderValue = null; -+ for (int n = 1; -+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { -+ String fipsProviderKey = "security.provider." + n; -+ if (sdebug != null) { -+ sdebug.println("Adding provider " + n + ": " + -+ fipsProviderKey + "=" + fipsProviderValue); -+ } -+ props.put(fipsProviderKey, fipsProviderValue); -+ } -+ // Add other security properties -+ String keystoreTypeValue = (String) props.get("fips.keystore.type"); -+ if (keystoreTypeValue != null) { -+ String nonFipsKeystoreType = props.getProperty("keystore.type"); -+ props.put("keystore.type", keystoreTypeValue); -+ if (keystoreTypeValue.equals("PKCS11")) { -+ // If keystore.type is PKCS11, javax.net.ssl.keyStore -+ // must be "NONE". See JDK-8238264. -+ System.setProperty("javax.net.ssl.keyStore", "NONE"); -+ } -+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { -+ // If no trustStoreType has been set, use the -+ // previous keystore.type under FIPS mode. In -+ // a default configuration, the Trust Store will -+ // be 'cacerts' (JKS type). -+ System.setProperty("javax.net.ssl.trustStoreType", -+ nonFipsKeystoreType); -+ } -+ if (sdebug != null) { -+ sdebug.println("FIPS mode default keystore.type = " + -+ keystoreTypeValue); -+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + -+ System.getProperty("javax.net.ssl.keyStore", "")); -+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + -+ System.getProperty("javax.net.ssl.trustStoreType", "")); -+ } -+ } -+ loadedProps = true; -+ systemFipsEnabled = true; -+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", -+ "true"); -+ plainKeySupportEnabled = !"false".equals(plainKeySupport); -+ if (sdebug != null) { -+ if (plainKeySupportEnabled) { -+ sdebug.println("FIPS support enabled with plain key support"); -+ } else { -+ sdebug.println("FIPS support enabled without plain key support"); -+ } -+ } -+ } else { -+ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } -+ } -+ } catch (Exception e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load FIPS configuration"); -+ e.printStackTrace(); -+ } -+ } -+ return loadedProps; -+ } -+ -+ /** -+ * Returns whether or not global system FIPS alignment is enabled. -+ * -+ * Value is always 'false' before java.security.Security class is -+ * initialized. -+ * -+ * Call from out of this package through SharedSecrets: -+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ * .isSystemFipsEnabled(); -+ * -+ * @return a boolean value indicating whether or not global -+ * system FIPS alignment is enabled. -+ */ -+ static boolean isSystemFipsEnabled() { -+ return systemFipsEnabled; -+ } -+ -+ /** -+ * Returns {@code true} if system FIPS alignment is enabled -+ * and plain key support is allowed. Plain key support is -+ * enabled by default but can be disabled with -+ * {@code -Dcom.redhat.fips.plainKeySupport=false}. -+ * -+ * @return a boolean indicating whether plain key support -+ * should be enabled. -+ */ -+ static boolean isPlainKeySupportEnabled() { -+ return plainKeySupportEnabled; -+ } -+ -+ /** -+ * Determines whether FIPS mode should be enabled. -+ * -+ * OpenJDK FIPS mode will be enabled only if the system is in -+ * FIPS mode. -+ * -+ * Calls to this method only occur if the system property -+ * com.redhat.fips is not set to false. -+ * -+ * There are 2 possible ways in which OpenJDK detects that the system -+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is -+ * available at OpenJDK's built-time, it is called; 2) otherwise, the -+ * /proc/sys/crypto/fips_enabled file is read. -+ * -+ * @return true if the system is in FIPS mode -+ */ -+ private static boolean enableFips() throws Exception { -+ if (sdebug != null) { -+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); -+ } -+ try { -+ boolean fipsEnabled = getSystemFIPSEnabled(); -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " -+ + fipsEnabled); -+ } -+ return fipsEnabled; -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); -+ sdebug.println(e.getMessage()); -+ } -+ throw e; -+ } -+ } -+} -diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java -new file mode 100644 -index 00000000000..21bc6d0b591 ---- /dev/null -+++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java -@@ -0,0 +1,31 @@ -+/* -+ * Copyright (c) 2020, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package jdk.internal.misc; -+ -+public interface JavaSecuritySystemConfiguratorAccess { -+ boolean isSystemFipsEnabled(); -+ boolean isPlainKeySupportEnabled(); -+} -diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java -index 688ec9f0915..8489b940c43 100644 ---- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java -+++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java -@@ -36,6 +36,7 @@ import java.io.FilePermission; - import java.io.ObjectInputStream; - import java.io.RandomAccessFile; - import java.security.ProtectionDomain; -+import java.security.Security; - import java.security.Signature; - - /** A repository of "shared secrets", which are a mechanism for -@@ -76,6 +77,7 @@ public class SharedSecrets { - private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; - private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; - private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; -+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; - - public static JavaUtilJarAccess javaUtilJarAccess() { - if (javaUtilJarAccess == null) { -@@ -361,4 +363,15 @@ public class SharedSecrets { - } - return javaxCryptoSealedObjectAccess; - } -+ -+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { -+ javaSecuritySystemConfiguratorAccess = jssca; -+ } -+ -+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { -+ if (javaSecuritySystemConfiguratorAccess == null) { -+ unsafe.ensureClassInitialized(Security.class); -+ } -+ return javaSecuritySystemConfiguratorAccess; -+ } - } -diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java -index 5460efcf8c5..f08dc2fafc5 100644 ---- a/src/java.base/share/classes/module-info.java -+++ b/src/java.base/share/classes/module-info.java -@@ -182,6 +182,7 @@ module java.base { - java.security.jgss, - java.sql, - java.xml, -+ jdk.crypto.cryptoki, - jdk.jartool, - jdk.attach, - jdk.charsets, -diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -index ffee2c1603b..ff3d5e0e4ab 100644 ---- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -+++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java -@@ -33,8 +33,13 @@ import java.security.KeyStore.*; - - import javax.net.ssl.*; - -+import jdk.internal.misc.SharedSecrets; -+ - abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ - X509ExtendedKeyManager keyManager; - boolean isInitialized; - -@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - KeyStoreException, NoSuchAlgorithmException, - UnrecoverableKeyException { - if ((ks != null) && SunJSSE.isFIPS()) { -- if (ks.getProvider() != SunJSSE.cryptoProvider) { -+ if (ks.getProvider() != SunJSSE.cryptoProvider && -+ !plainKeySupportEnabled) { - throw new KeyStoreException("FIPS mode: KeyStore must be " - + "from provider " + SunJSSE.cryptoProvider.getName()); - } -@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { - keyManager = new X509KeyManagerImpl( - Collections.emptyList()); - } else { -- if (SunJSSE.isFIPS() && -- (ks.getProvider() != SunJSSE.cryptoProvider)) { -+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) -+ && !plainKeySupportEnabled) { - throw new KeyStoreException( - "FIPS mode: KeyStore must be " + - "from provider " + SunJSSE.cryptoProvider.getName()); -diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -index de7da5c3379..5c3813dda7b 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java -@@ -31,6 +31,7 @@ import java.security.*; - import java.security.cert.*; - import java.util.*; - import javax.net.ssl.*; -+import jdk.internal.misc.SharedSecrets; - import sun.security.action.GetPropertyAction; - import sun.security.provider.certpath.AlgorithmChecker; - import sun.security.validator.Validator; -@@ -542,20 +543,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static { - if (SunJSSE.isFIPS()) { -- supportedProtocols = Arrays.asList( -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- ); -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); - -- serverDefaultProtocols = getAvailableProtocols( -- new ProtocolVersion[] { -- ProtocolVersion.TLS13, -- ProtocolVersion.TLS12, -- ProtocolVersion.TLS11, -- ProtocolVersion.TLS10 -- }); -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } else { -+ supportedProtocols = Arrays.asList( -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ ); -+ -+ serverDefaultProtocols = getAvailableProtocols( -+ new ProtocolVersion[] { -+ ProtocolVersion.TLS13, -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }); -+ } - } else { - supportedProtocols = Arrays.asList( - ProtocolVersion.TLS13, -@@ -620,6 +639,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getSupportedProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[] { - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -@@ -949,6 +978,16 @@ public abstract class SSLContextImpl extends SSLContextSpi { - - static ProtocolVersion[] getProtocols() { - if (SunJSSE.isFIPS()) { -+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ return new ProtocolVersion[] { -+ ProtocolVersion.TLS12, -+ ProtocolVersion.TLS11, -+ ProtocolVersion.TLS10 -+ }; -+ } - return new ProtocolVersion[]{ - ProtocolVersion.TLS13, - ProtocolVersion.TLS12, -diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -index c50ba93ecfc..de2a91a478c 100644 ---- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -@@ -27,6 +27,8 @@ package sun.security.ssl; - - import java.security.*; - import java.util.*; -+ -+import jdk.internal.misc.SharedSecrets; - import sun.security.rsa.SunRsaSignEntries; - import static sun.security.util.SecurityConstants.PROVIDER_VER; - import static sun.security.provider.SunEntries.createAliases; -@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider { - "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); - ps("SSLContext", "TLSv1.2", - "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); -- ps("SSLContext", "TLSv1.3", -- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() -+ .isSystemFipsEnabled()) { -+ // RH1860986: TLSv1.3 key derivation not supported with -+ // the Security Providers available in system FIPS mode. -+ ps("SSLContext", "TLSv1.3", -+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); -+ } - ps("SSLContext", "TLS", - "sun.security.ssl.SSLContextImpl$TLSContext", - (isfips? null : createAliases("SSL")), null); -diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 097517926d1..474fe6f401f 100644 ---- a/src/java.base/share/conf/security/java.security -+++ b/src/java.base/share/conf/security/java.security -@@ -85,6 +85,14 @@ security.provider.tbd=Apple - security.provider.tbd=SunPKCS11 - #endif - -+# -+# Security providers used when FIPS mode support is active -+# -+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg -+fips.provider.2=SUN -+fips.provider.3=SunEC -+fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS -+ - # - # A list of preferred providers for specific algorithms. These providers will - # be searched for matching algorithms before the list of registered providers. -@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false - # - keystore.type=pkcs12 - -+# -+# Default keystore type used when global crypto-policies are set to FIPS. -+# -+fips.keystore.type=PKCS11 -+ - # - # Controls compatibility mode for JKS and PKCS12 keystore types. - # -@@ -335,6 +348,13 @@ package.definition=sun.misc.,\ - # - security.overridePropertiesFile=true - -+# -+# Determines whether this properties file will be appended to -+# using the system properties file stored at -+# /etc/crypto-policies/back-ends/java.config -+# -+security.useSystemPropertiesFile=false -+ - # - # Determines the default key and trust manager factory algorithms for - # the javax.net.ssl package. -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -new file mode 100644 -index 00000000000..b848a1fd783 ---- /dev/null -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java -@@ -0,0 +1,290 @@ -+/* -+ * Copyright (c) 2021, Red Hat, Inc. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11; -+ -+import java.math.BigInteger; -+import java.security.KeyFactory; -+import java.security.Provider; -+import java.security.Security; -+import java.util.HashMap; -+import java.util.Map; -+import java.util.concurrent.locks.ReentrantLock; -+ -+import javax.crypto.Cipher; -+import javax.crypto.spec.DHPrivateKeySpec; -+import javax.crypto.spec.IvParameterSpec; -+ -+import sun.security.jca.JCAUtil; -+import sun.security.pkcs11.TemplateManager; -+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; -+import sun.security.pkcs11.wrapper.CK_MECHANISM; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; -+import sun.security.pkcs11.wrapper.PKCS11Exception; -+import sun.security.rsa.RSAUtil.KeyType; -+import sun.security.util.Debug; -+import sun.security.util.ECUtil; -+ -+final class FIPSKeyImporter { -+ -+ private static final Debug debug = -+ Debug.getInstance("sunpkcs11"); -+ -+ private static P11Key importerKey = null; -+ private static final ReentrantLock importerKeyLock = new ReentrantLock(); -+ private static CK_MECHANISM importerKeyMechanism = null; -+ private static Cipher importerCipher = null; -+ -+ private static Provider sunECProvider = null; -+ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); -+ -+ private static KeyFactory DHKF = null; -+ private static final ReentrantLock DHKFLock = new ReentrantLock(); -+ -+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) -+ throws PKCS11Exception { -+ long keyID = -1; -+ Token token = sunPKCS11.getToken(); -+ if (debug != null) { -+ debug.println("Private or Secret key will be imported in" + -+ " system FIPS mode."); -+ } -+ if (importerKey == null) { -+ importerKeyLock.lock(); -+ try { -+ if (importerKey == null) { -+ if (importerKeyMechanism == null) { -+ // Importer Key creation has not been tried yet. Try it. -+ createImporterKey(token); -+ } -+ if (importerKey == null || importerCipher == null) { -+ if (debug != null) { -+ debug.println("Importer Key could not be" + -+ " generated."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ if (debug != null) { -+ debug.println("Importer Key successfully" + -+ " generated."); -+ } -+ } -+ } finally { -+ importerKeyLock.unlock(); -+ } -+ } -+ long importerKeyID = importerKey.getKeyID(); -+ try { -+ byte[] keyBytes = null; -+ byte[] encKeyBytes = null; -+ long keyClass = 0L; -+ long keyType = 0L; -+ Map attrsMap = new HashMap<>(); -+ for (CK_ATTRIBUTE attr : attributes) { -+ if (attr.type == CKA_CLASS) { -+ keyClass = attr.getLong(); -+ } else if (attr.type == CKA_KEY_TYPE) { -+ keyType = attr.getLong(); -+ } -+ attrsMap.put(attr.type, attr); -+ } -+ BigInteger v = null; -+ if (keyClass == CKO_PRIVATE_KEY) { -+ if (keyType == CKK_RSA) { -+ if (debug != null) { -+ debug.println("Importing an RSA private key..."); -+ } -+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( -+ KeyType.RSA, -+ null, -+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ } else if (keyType == CKK_DSA) { -+ if (debug != null) { -+ debug.println("Importing a DSA private key..."); -+ } -+ keyBytes = new sun.security.provider.DSAPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO -+ ).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_EC) { -+ if (debug != null) { -+ debug.println("Importing an EC private key..."); -+ } -+ if (sunECProvider == null) { -+ sunECProviderLock.lock(); -+ try { -+ if (sunECProvider == null) { -+ sunECProvider = Security.getProvider("SunEC"); -+ } -+ } finally { -+ sunECProviderLock.unlock(); -+ } -+ } -+ keyBytes = ECUtil.generateECPrivateKey( -+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ECUtil.getECParameterSpec(sunECProvider, -+ attrsMap.get(CKA_EC_PARAMS).getByteArray())) -+ .getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else if (keyType == CKK_DH) { -+ if (debug != null) { -+ debug.println("Importing a Diffie-Hellman private key..."); -+ } -+ if (DHKF == null) { -+ DHKFLock.lock(); -+ try { -+ if (DHKF == null) { -+ DHKF = KeyFactory.getInstance( -+ "DH", P11Util.getSunJceProvider()); -+ } -+ } finally { -+ DHKFLock.unlock(); -+ } -+ } -+ DHPrivateKeySpec spec = new DHPrivateKeySpec -+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) -+ ? v : BigInteger.ZERO, -+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) -+ ? v : BigInteger.ZERO); -+ keyBytes = DHKF.generatePrivate(spec).getEncoded(); -+ if (token.config.getNssNetscapeDbWorkaround() && -+ attrsMap.get(CKA_NETSCAPE_DB) == null) { -+ attrsMap.put(CKA_NETSCAPE_DB, -+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); -+ } -+ } else { -+ if (debug != null) { -+ debug.println("Unrecognized private key type."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } else if (keyClass == CKO_SECRET_KEY) { -+ if (debug != null) { -+ debug.println("Importing a secret key..."); -+ } -+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); -+ } -+ if (keyBytes == null || keyBytes.length == 0) { -+ if (debug != null) { -+ debug.println("Private or secret key plain bytes could" + -+ " not be obtained. Import failed."); -+ } -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, -+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), -+ null); -+ attributes = new CK_ATTRIBUTE[attrsMap.size()]; -+ attrsMap.values().toArray(attributes); -+ encKeyBytes = importerCipher.doFinal(keyBytes); -+ attributes = token.getAttributes(TemplateManager.O_IMPORT, -+ keyClass, keyType, attributes); -+ keyID = token.p11.C_UnwrapKey(hSession, -+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); -+ if (debug != null) { -+ debug.println("Imported key ID: " + keyID); -+ } -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } finally { -+ importerKey.releaseKeyID(); -+ } -+ return Long.valueOf(keyID); -+ } -+ -+ private static void createImporterKey(Token token) { -+ if (debug != null) { -+ debug.println("Generating Importer Key..."); -+ } -+ byte[] iv = new byte[16]; -+ JCAUtil.getSecureRandom().nextBytes(iv); -+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); -+ try { -+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, -+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { -+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), -+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); -+ Session s = null; -+ try { -+ s = token.getObjSession(); -+ long keyID = token.p11.C_GenerateKey( -+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), -+ attributes); -+ if (debug != null) { -+ debug.println("Importer Key ID: " + keyID); -+ } -+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", -+ 256 >> 3, null); -+ } catch (PKCS11Exception e) { -+ // best effort -+ } finally { -+ token.releaseSession(s); -+ } -+ if (importerKey != null) { -+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -+ } -+ } catch (Throwable t) { -+ // best effort -+ importerKey = null; -+ importerCipher = null; -+ // importerKeyMechanism value is kept initialized to indicate that -+ // Importer Key creation has been tried and failed. -+ } -+ } -+} -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 099caac605f..977e5332bd1 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -26,6 +26,9 @@ - package sun.security.pkcs11; - - import java.io.*; -+import java.lang.invoke.MethodHandle; -+import java.lang.invoke.MethodHandles; -+import java.lang.invoke.MethodType; - import java.util.*; - - import java.security.*; -@@ -43,6 +46,8 @@ import javax.security.auth.callback.PasswordCallback; - import com.sun.crypto.provider.ChaCha20Poly1305Parameters; - - import jdk.internal.misc.InnocuousThread; -+import jdk.internal.misc.SharedSecrets; -+ - import sun.security.util.Debug; - import sun.security.util.ResourcesMgr; - import static sun.security.util.SecurityConstants.PROVIDER_VER; -@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - */ - public final class SunPKCS11 extends AuthProvider { - -+ private static final boolean systemFipsEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); -+ -+ private static final boolean plainKeySupportEnabled = SharedSecrets -+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); -+ -+ private static final MethodHandle fipsImportKey; -+ static { -+ MethodHandle fipsImportKeyTmp = null; -+ if (plainKeySupportEnabled) { -+ try { -+ fipsImportKeyTmp = MethodHandles.lookup().findStatic( -+ FIPSKeyImporter.class, "importKey", -+ MethodType.methodType(Long.class, SunPKCS11.class, -+ long.class, CK_ATTRIBUTE[].class)); -+ } catch (Throwable t) { -+ throw new SecurityException("FIPS key importer initialization" + -+ " failed", t); -+ } -+ } -+ fipsImportKey = fipsImportKeyTmp; -+ } -+ - private static final long serialVersionUID = -1354835039035306505L; - - static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider { - // request multithreaded access first - initArgs.flags = CKF_OS_LOCKING_OK; - PKCS11 tmpPKCS11; -+ MethodHandle fipsKeyImporter = null; -+ if (plainKeySupportEnabled) { -+ fipsKeyImporter = MethodHandles.insertArguments( -+ fipsImportKey, 0, this); -+ } - try { - tmpPKCS11 = PKCS11.getInstance( - library, functionList, initArgs, -- config.getOmitInitialize()); -+ config.getOmitInitialize(), fipsKeyImporter); - } catch (PKCS11Exception e) { - if (debug != null) { - debug.println("Multi-threaded initialization failed: " + e); -@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider { - initArgs.flags = 0; - } - tmpPKCS11 = PKCS11.getInstance(library, -- functionList, initArgs, config.getOmitInitialize()); -+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); - } - p11 = tmpPKCS11; - -@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider { - if (nssModule != null) { - nssModule.setProvider(this); - } -+ if (systemFipsEnabled) { -+ // The NSS Software Token in FIPS 140-2 mode requires a user -+ // login for most operations. See sftk_fipsCheck. The NSS DB -+ // (/etc/pki/nssdb) PIN is empty. -+ Session session = null; -+ try { -+ session = token.getOpSession(); -+ p11.C_Login(session.id(), CKU_USER, new char[] {}); -+ } catch (PKCS11Exception p11e) { -+ if (debug != null) { -+ debug.println("Error during token login: " + -+ p11e.getMessage()); -+ } -+ throw p11e; -+ } finally { -+ token.releaseSession(session); -+ } -+ } - } catch (Exception e) { - if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { - throw new UnsupportedOperationException -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -index 04a369f453c..f033fe47593 100644 ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java -@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; - - import java.io.File; - import java.io.IOException; -+import java.lang.invoke.MethodHandle; - import java.util.*; - - import java.security.AccessController; -@@ -148,18 +149,41 @@ public class PKCS11 { - this.pkcs11ModulePath = pkcs11ModulePath; - } - -+ /* -+ * Compatibility wrapper to allow this method to work as before -+ * when FIPS mode support is not active. -+ */ -+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, -+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -+ boolean omitInitialize) throws IOException, PKCS11Exception { -+ return getInstance(pkcs11ModulePath, functionList, -+ pInitArgs, omitInitialize, null); -+ } -+ - public static synchronized PKCS11 getInstance(String pkcs11ModulePath, - String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -- boolean omitInitialize) throws IOException, PKCS11Exception { -+ boolean omitInitialize, MethodHandle fipsKeyImporter) -+ throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); - if (pkcs11 == null) { -+ boolean nssFipsMode = fipsKeyImporter != null; - if ((pInitArgs != null) - && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { -- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, -+ fipsKeyImporter); -+ } else { -+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); -+ } - } else { -- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ if (nssFipsMode) { -+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, -+ functionList, fipsKeyImporter); -+ } else { -+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); -+ } - } - if (omitInitialize == false) { - try { -@@ -1909,4 +1933,69 @@ static class SynchronizedPKCS11 extends PKCS11 { - super.C_GenerateRandom(hSession, randomData); - } - } -+ -+// PKCS11 subclass that allows using plain private or secret keys in -+// FIPS-configured NSS Software Tokens. Only used when System FIPS -+// is enabled. -+static class FIPSPKCS11 extends PKCS11 { -+ private MethodHandle fipsKeyImporter; -+ FIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // Creating sensitive key objects from plain key material in a -+ // FIPS-configured NSS Software Token is not allowed. We apply -+ // a key-unwrapping scheme to achieve so. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+// FIPSPKCS11 synchronized counterpart. -+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { -+ private MethodHandle fipsKeyImporter; -+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, -+ MethodHandle fipsKeyImporter) throws IOException { -+ super(pkcs11ModulePath, functionListName); -+ this.fipsKeyImporter = fipsKeyImporter; -+ } -+ -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ // See FIPSPKCS11::C_CreateObject. -+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { -+ try { -+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) -+ .longValue(); -+ } catch (Throwable t) { -+ throw new PKCS11Exception(CKR_GENERAL_ERROR); -+ } -+ } -+ return super.C_CreateObject(hSession, pTemplate); -+ } -+} -+ -+private static class FIPSPKCS11Helper { -+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { -+ for (CK_ATTRIBUTE attr : pTemplate) { -+ if (attr.type == CKA_CLASS && -+ (attr.getLong() == CKO_PRIVATE_KEY || -+ attr.getLong() == CKO_SECRET_KEY)) { -+ return true; -+ } -+ } -+ return false; -+ } -+} - } diff --git a/SOURCES/fips-11u-b34fb09a5c.patch b/SOURCES/fips-11u-b34fb09a5c.patch new file mode 100644 index 0000000..02ce6df --- /dev/null +++ b/SOURCES/fips-11u-b34fb09a5c.patch @@ -0,0 +1,1637 @@ +diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 +index 16e906bdc6..1a352e5a32 100644 +--- a/make/autoconf/libraries.m4 ++++ b/make/autoconf/libraries.m4 +@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], + LIB_SETUP_LIBFFI + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS ++ LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_SOLARIS_STLPORT + LIB_TESTS_SETUP_GRAALUNIT + +@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT], + fi + ]) + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in +index 3787b12600..dab108a82b 100644 +--- a/make/autoconf/spec.gmk.in ++++ b/make/autoconf/spec.gmk.in +@@ -848,6 +848,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk +index 4cd656a086..e1fc94b5b4 100644 +--- a/make/lib/Lib-java.base.gmk ++++ b/make/lib/Lib-java.base.gmk +@@ -178,6 +178,31 @@ ifeq ($(call isTargetOsType, unix), true) + endif + endif + ++################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ + ################################################################################ + # Create the symbols file for static builds. + +diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml +index fb07d54c1f..c5813e2b7a 100644 +--- a/make/nb_native/nbproject/configurations.xml ++++ b/make/nb_native/nbproject/configurations.xml +@@ -2950,6 +2950,9 @@ + LinuxWatchService.c + + ++ ++ systemconf.c ++ + + + +@@ -29301,6 +29304,11 @@ + tool="0" + flavor2="0"> + ++ ++ + ++#include ++#include "jvm_md.h" ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#else ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ } else { ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ } ++} +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +index b36510a376..ad5182e1e7 100644 +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ import java.net.URL; + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.misc.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -47,12 +48,20 @@ import sun.security.jca.*; + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ + + public final class Security { + ++ private static final String SYS_PROP_SWITCH = ++ "java.security.disableSystemPropertiesFile"; ++ private static final String SEC_PROP_SWITCH = ++ "security.useSystemPropertiesFile"; ++ + /* Are we debugging? -- for developers */ + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -67,6 +76,19 @@ public final class Security { + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ @Override ++ public boolean isPlainKeySupportEnabled() { ++ return SystemConfigurator.isPlainKeySupportEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -83,6 +105,7 @@ public final class Security { + props = new Properties(); + boolean loadedProps = false; + boolean overrideAll = false; ++ boolean systemSecPropsEnabled = false; + + // first load the system properties file + // to determine the value of security.overridePropertiesFile +@@ -98,6 +121,7 @@ public final class Security { + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -192,6 +216,61 @@ public final class Security { + } + } + ++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); ++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); ++ if (sdebug != null) { ++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps); ++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps); ++ } ++ if (!sysUseProps && secUseProps) { ++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props); ++ if (!systemSecPropsEnabled) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System security properties could not be loaded."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("System security property support disabled by user."); ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps && systemSecPropsEnabled) { ++ boolean shouldEnable; ++ String sysProp = System.getProperty("com.redhat.fips"); ++ if (sysProp == null) { ++ shouldEnable = true; ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips unset, using default value of true"); ++ } ++ } else { ++ shouldEnable = Boolean.valueOf(sysProp); ++ if (sdebug != null) { ++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable); ++ } ++ } ++ if (shouldEnable) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug != null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS mode support configured and enabled."); ++ } else { ++ sdebug.println("FIPS mode support disabled."); ++ } ++ } ++ } else { ++ if (sdebug != null ) { ++ sdebug.println("FIPS mode support disabled by user."); ++ } ++ } ++ } else { ++ if (sdebug != null) { ++ sdebug.println("WARNING: FIPS mode support can not be enabled without " + ++ "system security properties being enabled."); ++ } ++ } + } + + /* +diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +index 0000000000..90f6dd2ebc +--- /dev/null ++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,248 @@ ++/* ++ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++final class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static boolean systemFipsEnabled = false; ++ private static boolean plainKeySupportEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; ++ ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configureSysProps(Properties props) { ++ boolean systemSecPropsLoaded = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ systemSecPropsLoaded = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ return systemSecPropsLoaded; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } ++ loadedProps = true; ++ systemFipsEnabled = true; ++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport", ++ "true"); ++ plainKeySupportEnabled = !"false".equals(plainKeySupport); ++ if (sdebug != null) { ++ if (plainKeySupportEnabled) { ++ sdebug.println("FIPS support enabled with plain key support"); ++ } else { ++ sdebug.println("FIPS support enabled without plain key support"); ++ } ++ } ++ } else { ++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); } ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ ++ /** ++ * Returns {@code true} if system FIPS alignment is enabled ++ * and plain key support is allowed. Plain key support is ++ * enabled by default but can be disabled with ++ * {@code -Dcom.redhat.fips.plainKeySupport=false}. ++ * ++ * @return a boolean indicating whether plain key support ++ * should be enabled. ++ */ ++ static boolean isPlainKeySupportEnabled() { ++ return plainKeySupportEnabled; ++ } ++ ++ /** ++ * Determines whether FIPS mode should be enabled. ++ * ++ * OpenJDK FIPS mode will be enabled only if the system is in ++ * FIPS mode. ++ * ++ * Calls to this method only occur if the system property ++ * com.redhat.fips is not set to false. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. ++ * ++ * @return true if the system is in FIPS mode ++ */ ++ private static boolean enableFips() throws Exception { ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ boolean fipsEnabled = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + fipsEnabled); ++ } ++ return fipsEnabled; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } ++ } ++} +diff --git a/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +new file mode 100644 +index 0000000000..21bc6d0b59 +--- /dev/null ++++ b/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +@@ -0,0 +1,31 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++ boolean isPlainKeySupportEnabled(); ++} +diff --git a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +index 688ec9f091..8489b940c4 100644 +--- a/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java ++++ b/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +@@ -36,6 +36,7 @@ import java.io.FilePermission; + import java.io.ObjectInputStream; + import java.io.RandomAccessFile; + import java.security.ProtectionDomain; ++import java.security.Security; + import java.security.Signature; + + /** A repository of "shared secrets", which are a mechanism for +@@ -76,6 +77,7 @@ public class SharedSecrets { + private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -361,4 +363,15 @@ public class SharedSecrets { + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ if (javaSecuritySystemConfiguratorAccess == null) { ++ unsafe.ensureClassInitialized(Security.class); ++ } ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java +index 7351627db3..859591890d 100644 +--- a/src/java.base/share/classes/module-info.java ++++ b/src/java.base/share/classes/module-info.java +@@ -182,6 +182,7 @@ module java.base { + java.security.jgss, + java.sql, + java.xml, ++ jdk.crypto.cryptoki, + jdk.jartool, + jdk.attach, + jdk.charsets, +diff --git a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +index ffee2c1603..ff3d5e0e4a 100644 +--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java +@@ -33,8 +33,13 @@ import java.security.KeyStore.*; + + import javax.net.ssl.*; + ++import jdk.internal.misc.SharedSecrets; ++ + abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ + X509ExtendedKeyManager keyManager; + boolean isInitialized; + +@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + KeyStoreException, NoSuchAlgorithmException, + UnrecoverableKeyException { + if ((ks != null) && SunJSSE.isFIPS()) { +- if (ks.getProvider() != SunJSSE.cryptoProvider) { ++ if (ks.getProvider() != SunJSSE.cryptoProvider && ++ !plainKeySupportEnabled) { + throw new KeyStoreException("FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); + } +@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi { + keyManager = new X509KeyManagerImpl( + Collections.emptyList()); + } else { +- if (SunJSSE.isFIPS() && +- (ks.getProvider() != SunJSSE.cryptoProvider)) { ++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider) ++ && !plainKeySupportEnabled) { + throw new KeyStoreException( + "FIPS mode: KeyStore must be " + + "from provider " + SunJSSE.cryptoProvider.getName()); +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +index e06b2a588c..315a2ce370 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import jdk.internal.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -542,20 +543,38 @@ public abstract class SSLContextImpl extends SSLContextSpi { + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); +- +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -910,12 +929,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + if (client) { + // default client protocols + if (SunJSSE.isFIPS()) { +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS13, +@@ -927,12 +957,23 @@ public abstract class SSLContextImpl extends SSLContextSpi { + } else { + // default server protocols + if (SunJSSE.isFIPS()) { +- candidates = new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }; ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } else { ++ candidates = new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + } else { + candidates = new ProtocolVersion[] { + ProtocolVersion.TLS13, +diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +index c50ba93ecf..de2a91a478 100644 +--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java ++++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +@@ -27,6 +27,8 @@ package sun.security.ssl; + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.misc.SharedSecrets; + import sun.security.rsa.SunRsaSignEntries; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.provider.SunEntries.createAliases; +@@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider { + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + (isfips? null : createAliases("SSL")), null); +diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security +index 9af64321c4..957cd78a55 100644 +--- a/src/java.base/share/conf/security/java.security ++++ b/src/java.base/share/conf/security/java.security +@@ -85,6 +85,14 @@ security.provider.tbd=Apple + security.provider.tbd=SunPKCS11 + #endif + ++# ++# Security providers used when FIPS mode support is active ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ + # + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. +@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false + # + keystore.type=pkcs12 + ++# ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ + # + # Controls compatibility mode for JKS and PKCS12 keystore types. + # +@@ -335,6 +348,13 @@ package.definition=sun.misc.,\ + # + security.overridePropertiesFile=true + ++# ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=false ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +new file mode 100644 +index 0000000000..b848a1fd78 +--- /dev/null ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java +@@ -0,0 +1,290 @@ ++/* ++ * Copyright (c) 2021, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package sun.security.pkcs11; ++ ++import java.math.BigInteger; ++import java.security.KeyFactory; ++import java.security.Provider; ++import java.security.Security; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.concurrent.locks.ReentrantLock; ++ ++import javax.crypto.Cipher; ++import javax.crypto.spec.DHPrivateKeySpec; ++import javax.crypto.spec.IvParameterSpec; ++ ++import sun.security.jca.JCAUtil; ++import sun.security.pkcs11.TemplateManager; ++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE; ++import sun.security.pkcs11.wrapper.CK_MECHANISM; ++import static sun.security.pkcs11.wrapper.PKCS11Constants.*; ++import sun.security.pkcs11.wrapper.PKCS11Exception; ++import sun.security.rsa.RSAUtil.KeyType; ++import sun.security.util.Debug; ++import sun.security.util.ECUtil; ++ ++final class FIPSKeyImporter { ++ ++ private static final Debug debug = ++ Debug.getInstance("sunpkcs11"); ++ ++ private static P11Key importerKey = null; ++ private static final ReentrantLock importerKeyLock = new ReentrantLock(); ++ private static CK_MECHANISM importerKeyMechanism = null; ++ private static Cipher importerCipher = null; ++ ++ private static Provider sunECProvider = null; ++ private static final ReentrantLock sunECProviderLock = new ReentrantLock(); ++ ++ private static KeyFactory DHKF = null; ++ private static final ReentrantLock DHKFLock = new ReentrantLock(); ++ ++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes) ++ throws PKCS11Exception { ++ long keyID = -1; ++ Token token = sunPKCS11.getToken(); ++ if (debug != null) { ++ debug.println("Private or Secret key will be imported in" + ++ " system FIPS mode."); ++ } ++ if (importerKey == null) { ++ importerKeyLock.lock(); ++ try { ++ if (importerKey == null) { ++ if (importerKeyMechanism == null) { ++ // Importer Key creation has not been tried yet. Try it. ++ createImporterKey(token); ++ } ++ if (importerKey == null || importerCipher == null) { ++ if (debug != null) { ++ debug.println("Importer Key could not be" + ++ " generated."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ if (debug != null) { ++ debug.println("Importer Key successfully" + ++ " generated."); ++ } ++ } ++ } finally { ++ importerKeyLock.unlock(); ++ } ++ } ++ long importerKeyID = importerKey.getKeyID(); ++ try { ++ byte[] keyBytes = null; ++ byte[] encKeyBytes = null; ++ long keyClass = 0L; ++ long keyType = 0L; ++ Map attrsMap = new HashMap<>(); ++ for (CK_ATTRIBUTE attr : attributes) { ++ if (attr.type == CKA_CLASS) { ++ keyClass = attr.getLong(); ++ } else if (attr.type == CKA_KEY_TYPE) { ++ keyType = attr.getLong(); ++ } ++ attrsMap.put(attr.type, attr); ++ } ++ BigInteger v = null; ++ if (keyClass == CKO_PRIVATE_KEY) { ++ if (keyType == CKK_RSA) { ++ if (debug != null) { ++ debug.println("Importing an RSA private key..."); ++ } ++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey( ++ KeyType.RSA, ++ null, ++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ } else if (keyType == CKK_DSA) { ++ if (debug != null) { ++ debug.println("Importing a DSA private key..."); ++ } ++ keyBytes = new sun.security.provider.DSAPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO ++ ).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_EC) { ++ if (debug != null) { ++ debug.println("Importing an EC private key..."); ++ } ++ if (sunECProvider == null) { ++ sunECProviderLock.lock(); ++ try { ++ if (sunECProvider == null) { ++ sunECProvider = Security.getProvider("SunEC"); ++ } ++ } finally { ++ sunECProviderLock.unlock(); ++ } ++ } ++ keyBytes = ECUtil.generateECPrivateKey( ++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ECUtil.getECParameterSpec(sunECProvider, ++ attrsMap.get(CKA_EC_PARAMS).getByteArray())) ++ .getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else if (keyType == CKK_DH) { ++ if (debug != null) { ++ debug.println("Importing a Diffie-Hellman private key..."); ++ } ++ if (DHKF == null) { ++ DHKFLock.lock(); ++ try { ++ if (DHKF == null) { ++ DHKF = KeyFactory.getInstance( ++ "DH", P11Util.getSunJceProvider()); ++ } ++ } finally { ++ DHKFLock.unlock(); ++ } ++ } ++ DHPrivateKeySpec spec = new DHPrivateKeySpec ++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null) ++ ? v : BigInteger.ZERO, ++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null) ++ ? v : BigInteger.ZERO); ++ keyBytes = DHKF.generatePrivate(spec).getEncoded(); ++ if (token.config.getNssNetscapeDbWorkaround() && ++ attrsMap.get(CKA_NETSCAPE_DB) == null) { ++ attrsMap.put(CKA_NETSCAPE_DB, ++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO)); ++ } ++ } else { ++ if (debug != null) { ++ debug.println("Unrecognized private key type."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } else if (keyClass == CKO_SECRET_KEY) { ++ if (debug != null) { ++ debug.println("Importing a secret key..."); ++ } ++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray(); ++ } ++ if (keyBytes == null || keyBytes.length == 0) { ++ if (debug != null) { ++ debug.println("Private or secret key plain bytes could" + ++ " not be obtained. Import failed."); ++ } ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey, ++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter), ++ null); ++ attributes = new CK_ATTRIBUTE[attrsMap.size()]; ++ attrsMap.values().toArray(attributes); ++ encKeyBytes = importerCipher.doFinal(keyBytes); ++ attributes = token.getAttributes(TemplateManager.O_IMPORT, ++ keyClass, keyType, attributes); ++ keyID = token.p11.C_UnwrapKey(hSession, ++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes); ++ if (debug != null) { ++ debug.println("Imported key ID: " + keyID); ++ } ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } finally { ++ importerKey.releaseKeyID(); ++ } ++ return Long.valueOf(keyID); ++ } ++ ++ private static void createImporterKey(Token token) { ++ if (debug != null) { ++ debug.println("Generating Importer Key..."); ++ } ++ byte[] iv = new byte[16]; ++ JCAUtil.getSecureRandom().nextBytes(iv); ++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv); ++ try { ++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE, ++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] { ++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), ++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)}); ++ Session s = null; ++ try { ++ s = token.getObjSession(); ++ long keyID = token.p11.C_GenerateKey( ++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN), ++ attributes); ++ if (debug != null) { ++ debug.println("Importer Key ID: " + keyID); ++ } ++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES", ++ 256 >> 3, null); ++ } catch (PKCS11Exception e) { ++ // best effort ++ } finally { ++ token.releaseSession(s); ++ } ++ if (importerKey != null) { ++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); ++ } ++ } catch (Throwable t) { ++ // best effort ++ importerKey = null; ++ importerCipher = null; ++ // importerKeyMechanism value is kept initialized to indicate that ++ // Importer Key creation has been tried and failed. ++ } ++ } ++} +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index cf7cd19b68..69cda46f85 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -26,6 +26,9 @@ + package sun.security.pkcs11; + + import java.io.*; ++import java.lang.invoke.MethodHandle; ++import java.lang.invoke.MethodHandles; ++import java.lang.invoke.MethodType; + import java.util.*; + + import java.security.*; +@@ -43,6 +46,8 @@ import javax.security.auth.callback.PasswordCallback; + import com.sun.crypto.provider.ChaCha20Poly1305Parameters; + + import jdk.internal.misc.InnocuousThread; ++import jdk.internal.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; +@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ ++ private static final boolean plainKeySupportEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled(); ++ ++ private static final MethodHandle fipsImportKey; ++ static { ++ MethodHandle fipsImportKeyTmp = null; ++ if (plainKeySupportEnabled) { ++ try { ++ fipsImportKeyTmp = MethodHandles.lookup().findStatic( ++ FIPSKeyImporter.class, "importKey", ++ MethodType.methodType(Long.class, SunPKCS11.class, ++ long.class, CK_ATTRIBUTE[].class)); ++ } catch (Throwable t) { ++ throw new SecurityException("FIPS key importer initialization" + ++ " failed", t); ++ } ++ } ++ fipsImportKey = fipsImportKeyTmp; ++ } ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider { + // request multithreaded access first + initArgs.flags = CKF_OS_LOCKING_OK; + PKCS11 tmpPKCS11; ++ MethodHandle fipsKeyImporter = null; ++ if (plainKeySupportEnabled) { ++ fipsKeyImporter = MethodHandles.insertArguments( ++ fipsImportKey, 0, this); ++ } + try { + tmpPKCS11 = PKCS11.getInstance( + library, functionList, initArgs, +- config.getOmitInitialize()); ++ config.getOmitInitialize(), fipsKeyImporter); + } catch (PKCS11Exception e) { + if (debug != null) { + debug.println("Multi-threaded initialization failed: " + e); +@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider { + initArgs.flags = 0; + } + tmpPKCS11 = PKCS11.getInstance(library, +- functionList, initArgs, config.getOmitInitialize()); ++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter); + } + p11 = tmpPKCS11; + +@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +index 04a369f453..f033fe4759 100644 +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java +@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper; + + import java.io.File; + import java.io.IOException; ++import java.lang.invoke.MethodHandle; + import java.util.*; + + import java.security.AccessController; +@@ -148,18 +149,41 @@ public class PKCS11 { + this.pkcs11ModulePath = pkcs11ModulePath; + } + ++ /* ++ * Compatibility wrapper to allow this method to work as before ++ * when FIPS mode support is not active. ++ */ ++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, ++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, ++ boolean omitInitialize) throws IOException, PKCS11Exception { ++ return getInstance(pkcs11ModulePath, functionList, ++ pInitArgs, omitInitialize, null); ++ } ++ + public static synchronized PKCS11 getInstance(String pkcs11ModulePath, + String functionList, CK_C_INITIALIZE_ARGS pInitArgs, +- boolean omitInitialize) throws IOException, PKCS11Exception { ++ boolean omitInitialize, MethodHandle fipsKeyImporter) ++ throws IOException, PKCS11Exception { + // we may only call C_Initialize once per native .so/.dll + // so keep a cache using the (non-canonicalized!) path + PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); + if (pkcs11 == null) { ++ boolean nssFipsMode = fipsKeyImporter != null; + if ((pInitArgs != null) + && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) { +- pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList, ++ fipsKeyImporter); ++ } else { ++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList); ++ } + } else { +- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ if (nssFipsMode) { ++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath, ++ functionList, fipsKeyImporter); ++ } else { ++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList); ++ } + } + if (omitInitialize == false) { + try { +@@ -1909,4 +1933,69 @@ static class SynchronizedPKCS11 extends PKCS11 { + super.C_GenerateRandom(hSession, randomData); + } + } ++ ++// PKCS11 subclass that allows using plain private or secret keys in ++// FIPS-configured NSS Software Tokens. Only used when System FIPS ++// is enabled. ++static class FIPSPKCS11 extends PKCS11 { ++ private MethodHandle fipsKeyImporter; ++ FIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // Creating sensitive key objects from plain key material in a ++ // FIPS-configured NSS Software Token is not allowed. We apply ++ // a key-unwrapping scheme to achieve so. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++// FIPSPKCS11 synchronized counterpart. ++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 { ++ private MethodHandle fipsKeyImporter; ++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName, ++ MethodHandle fipsKeyImporter) throws IOException { ++ super(pkcs11ModulePath, functionListName); ++ this.fipsKeyImporter = fipsKeyImporter; ++ } ++ ++ public synchronized long C_CreateObject(long hSession, ++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { ++ // See FIPSPKCS11::C_CreateObject. ++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) { ++ try { ++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate)) ++ .longValue(); ++ } catch (Throwable t) { ++ throw new PKCS11Exception(CKR_GENERAL_ERROR); ++ } ++ } ++ return super.C_CreateObject(hSession, pTemplate); ++ } ++} ++ ++private static class FIPSPKCS11Helper { ++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) { ++ for (CK_ATTRIBUTE attr : pTemplate) { ++ if (attr.type == CKA_CLASS && ++ (attr.getLong() == CKO_PRIVATE_KEY || ++ attr.getLong() == CKO_SECRET_KEY)) { ++ return true; ++ } ++ } ++ return false; ++ } ++} + } diff --git a/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch b/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch new file mode 100644 index 0000000..6436e33 --- /dev/null +++ b/SOURCES/jdk8274864-remove_amman_cairo_hacks.patch @@ -0,0 +1,55 @@ +commit b4caafe16f14983e303b7f1fdf3090e5c513ebd8 +Author: Andrew John Hughes +Date: Thu Apr 13 15:37:20 2023 +0000 + + 8274864: Remove Amman/Cairo hacks in ZoneInfoFile + + Backport-of: ec199072c5867624d66840238cc8828e16ae8da7 + +diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +index 1dc82561f2..a51490767d 100644 +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -607,34 +607,6 @@ public final class ZoneInfoFile { + params[8] = endRule.secondOfDay * 1000; + params[9] = toSTZTime[endRule.timeDefinition]; + dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000; +- +- // Note: known mismatching -> Asia/Amman +- // ZoneInfo : startDayOfWeek=5 <= Thursday +- // startTime=86400000 <= 24 hours +- // This: startDayOfWeek=6 +- // startTime=0 +- // Similar workaround needs to be applied to Africa/Cairo and +- // its endDayOfWeek and endTime +- // Below is the workarounds, it probably slows down everyone a little +- if (params[2] == 6 && params[3] == 0 && +- (zoneId.equals("Asia/Amman"))) { +- params[2] = 5; +- params[3] = 86400000; +- } +- // Additional check for startDayOfWeek=6 and starTime=86400000 +- // is needed for Asia/Amman; +- if (params[2] == 7 && params[3] == 0 && +- (zoneId.equals("Asia/Amman"))) { +- params[2] = 6; // Friday +- params[3] = 86400000; // 24h +- } +- //endDayOfWeek and endTime workaround +- if (params[7] == 6 && params[8] == 0 && +- (zoneId.equals("Africa/Cairo"))) { +- params[7] = 5; +- params[8] = 86400000; +- } +- + } else if (nTrans > 0) { // only do this if there is something in table already + if (lastyear < LASTYEAR) { + // ZoneInfo has an ending entry for 2037 +@@ -907,7 +879,6 @@ public final class ZoneInfoFile { + this.dow = dowByte == 0 ? -1 : dowByte; + this.secondOfDay = timeByte == 31 ? in.readInt() : timeByte * 3600; + this.timeDefinition = (data & (3 << 12)) >>> 12; +- + this.standardOffset = stdByte == 255 ? in.readInt() : (stdByte - 128) * 900; + this.offsetBefore = beforeByte == 3 ? in.readInt() : standardOffset + beforeByte * 1800; + this.offsetAfter = afterByte == 3 ? in.readInt() : standardOffset + afterByte * 1800; diff --git a/SOURCES/jdk8305113-tzdata2023c.patch b/SOURCES/jdk8305113-tzdata2023c.patch new file mode 100644 index 0000000..338f7ac --- /dev/null +++ b/SOURCES/jdk8305113-tzdata2023c.patch @@ -0,0 +1,1098 @@ +commit 0642dd19c61aa884b5c96c219b586a0c635470b5 +Author: Yoshiki Sato +Date: Wed Apr 5 01:19:00 2023 +0000 + + Backport ed9592c6e81f82e2bf6508ce45ba15aad8232181 + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +index 0f328a4a7f..66bd061e8b 100644 +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2022g ++tzdata2023c +diff --git a/make/data/tzdata/africa b/make/data/tzdata/africa +index 830d7d10b7..a73405fdb0 100644 +--- a/make/data/tzdata/africa ++++ b/make/data/tzdata/africa +@@ -344,6 +344,14 @@ Rule Egypt 2007 only - Sep Thu>=1 24:00 0 - + # From Mina Samuel (2016-07-04): + # Egyptian government took the decision to cancel the DST, + ++# From Ahmad ElDardiry (2023-03-01): ++# Egypt officially announced today that daylight savings will be ++# applied from last Friday of April to last Thursday of October. ++# From Paul Eggert (2023-03-01): ++# Assume transitions are at 00:00 and 24:00 respectively. ++# From Amir Adib (2023-03-07): ++# https://www.facebook.com/EgyptianCabinet/posts/638829614954129/ ++ + Rule Egypt 2008 only - Aug lastThu 24:00 0 - + Rule Egypt 2009 only - Aug 20 24:00 0 - + Rule Egypt 2010 only - Aug 10 24:00 0 - +@@ -353,6 +361,8 @@ Rule Egypt 2014 only - May 15 24:00 1:00 S + Rule Egypt 2014 only - Jun 26 24:00 0 - + Rule Egypt 2014 only - Jul 31 24:00 1:00 S + Rule Egypt 2014 only - Sep lastThu 24:00 0 - ++Rule Egypt 2023 max - Apr lastFri 0:00 1:00 S ++Rule Egypt 2023 max - Oct lastThu 24:00 0 - + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + #STDOFF 2:05:08.9 +@@ -452,7 +462,7 @@ Zone Africa/Nairobi 2:27:16 - LMT 1908 May + # President William R. Tolbert, Jr., July 23, 1971-July 31, 1972. + # Monrovia: Executive Mansion. + # +-# Use the abbreviation "MMT" before 1972, as the more-accurate numeric ++# Use the abbreviation "MMT" before 1972, as the more accurate numeric + # abbreviation "-004430" would be one byte over the POSIX limit. + # + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -589,8 +599,8 @@ Zone Africa/Tripoli 0:52:44 - LMT 1920 + # DST the coming summer... + # + # Some sources, in French: +-# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-%C2%AB-L%E2%80%99heure-d%E2%80%99%C3%A9t%C3%A9-ne-sera-pas-appliqu%C3%A9e-cette-ann%C3%A9e-%C2%BB +-# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints- ++# http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-«-L%E2%80%99heure-d%E2%80%99été-ne-sera-pas-appliquée-cette-année-» ++# http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-économie-d-énergie-de-l-heure-d-été-ont-été-atteints- + # + # Our wrap-up: + # https://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html +@@ -721,7 +731,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # More articles in the press + # https://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html + # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923 +-# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim ++# http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT+1-a-partir-de-dim + + # From Petr Machata (2011-03-30): + # They have it written in English here: +@@ -736,7 +746,7 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # According to Infomédiaire web site from Morocco (infomediaire.ma), + # on March 9, 2012, (in French) Heure légale: + # Le Maroc adopte officiellement l'heure d'été +-# http://www.infomediaire.ma/news/maroc/heure-l%C3%A9gale-le-maroc-adopte-officiellement-lheure-d%C3%A9t%C3%A9 ++# http://www.infomediaire.ma/news/maroc/heure-légale-le-maroc-adopte-officiellement-lheure-dété + # Governing Council adopted draft decree, that Morocco DST starts on + # the last Sunday of March (March 25, 2012) and ends on + # last Sunday of September (September 30, 2012) +@@ -860,19 +870,28 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # Friday or Saturday (and so the 2 days off are on a weekend), the next time + # shift will be the next weekend. + # +-# From Paul Eggert (2020-05-31): ++# From Milamber (2021-03-31, 2022-03-10): ++# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 ++# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ ++# ++# From Milamber (2023-03-14, 2023-03-15): ++# The return to legal GMT time will take place this Sunday, March 19 at 3 a.m. ++# ... the return to GMT+1 will be made on Sunday April 23, 2023 at 2 a.m. ++# https://www.mmsp.gov.ma/fr/actualites/passage-à-l%E2%80%99heure-gmt-à-partir-du-dimanche-19-mars-2023 ++# ++# From Paul Eggert (2023-03-14): + # For now, guess that in the future Morocco will fall back at 03:00 + # the last Sunday before Ramadan, and spring forward at 02:00 the +-# first Sunday after two days after Ramadan. To implement this, ++# first Sunday after one day after Ramadan. To implement this, + # transition dates and times for 2019 through 2087 were determined by +-# running the following program under GNU Emacs 26.3. (This algorithm ++# running the following program under GNU Emacs 28.2. (This algorithm + # also produces the correct transition dates for 2016 through 2018, + # though the times differ due to Morocco's time zone change in 2018.) + # (let ((islamic-year 1440)) + # (require 'cal-islam) + # (while (< islamic-year 1511) + # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) +-# (b (+ 2 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) ++# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) + # (sunday 0)) + # (while (/= sunday (mod (setq a (1- a)) 7))) + # (while (/= sunday (mod b 7)) +@@ -886,10 +905,6 @@ Zone Indian/Mauritius 3:50:00 - LMT 1907 # Port Louis + # (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) + # (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) + # (setq islamic-year (+ 1 islamic-year)))) +-# +-# From Milamber (2021-03-31, 2022-03-10), confirming these predictions: +-# https://www.mmsp.gov.ma/fr/actualites.aspx?id=2076 +-# https://www.ecoactu.ma/horaires-administration-ramadan-gmtheure-gmt-a-partir-de-dimanche-27-mars/ + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Morocco 1939 only - Sep 12 0:00 1:00 - +@@ -942,7 +957,7 @@ Rule Morocco 2021 only - May 16 2:00 0 - + Rule Morocco 2022 only - Mar 27 3:00 -1:00 - + Rule Morocco 2022 only - May 8 2:00 0 - + Rule Morocco 2023 only - Mar 19 3:00 -1:00 - +-Rule Morocco 2023 only - Apr 30 2:00 0 - ++Rule Morocco 2023 only - Apr 23 2:00 0 - + Rule Morocco 2024 only - Mar 10 3:00 -1:00 - + Rule Morocco 2024 only - Apr 14 2:00 0 - + Rule Morocco 2025 only - Feb 23 3:00 -1:00 - +@@ -958,7 +973,7 @@ Rule Morocco 2029 only - Feb 18 2:00 0 - + Rule Morocco 2029 only - Dec 30 3:00 -1:00 - + Rule Morocco 2030 only - Feb 10 2:00 0 - + Rule Morocco 2030 only - Dec 22 3:00 -1:00 - +-Rule Morocco 2031 only - Feb 2 2:00 0 - ++Rule Morocco 2031 only - Jan 26 2:00 0 - + Rule Morocco 2031 only - Dec 14 3:00 -1:00 - + Rule Morocco 2032 only - Jan 18 2:00 0 - + Rule Morocco 2032 only - Nov 28 3:00 -1:00 - +@@ -974,7 +989,7 @@ Rule Morocco 2036 only - Nov 23 2:00 0 - + Rule Morocco 2037 only - Oct 4 3:00 -1:00 - + Rule Morocco 2037 only - Nov 15 2:00 0 - + Rule Morocco 2038 only - Sep 26 3:00 -1:00 - +-Rule Morocco 2038 only - Nov 7 2:00 0 - ++Rule Morocco 2038 only - Oct 31 2:00 0 - + Rule Morocco 2039 only - Sep 18 3:00 -1:00 - + Rule Morocco 2039 only - Oct 23 2:00 0 - + Rule Morocco 2040 only - Sep 2 3:00 -1:00 - +@@ -990,7 +1005,7 @@ Rule Morocco 2044 only - Aug 28 2:00 0 - + Rule Morocco 2045 only - Jul 9 3:00 -1:00 - + Rule Morocco 2045 only - Aug 20 2:00 0 - + Rule Morocco 2046 only - Jul 1 3:00 -1:00 - +-Rule Morocco 2046 only - Aug 12 2:00 0 - ++Rule Morocco 2046 only - Aug 5 2:00 0 - + Rule Morocco 2047 only - Jun 23 3:00 -1:00 - + Rule Morocco 2047 only - Jul 28 2:00 0 - + Rule Morocco 2048 only - Jun 7 3:00 -1:00 - +@@ -1006,7 +1021,7 @@ Rule Morocco 2052 only - Jun 2 2:00 0 - + Rule Morocco 2053 only - Apr 13 3:00 -1:00 - + Rule Morocco 2053 only - May 25 2:00 0 - + Rule Morocco 2054 only - Apr 5 3:00 -1:00 - +-Rule Morocco 2054 only - May 17 2:00 0 - ++Rule Morocco 2054 only - May 10 2:00 0 - + Rule Morocco 2055 only - Mar 28 3:00 -1:00 - + Rule Morocco 2055 only - May 2 2:00 0 - + Rule Morocco 2056 only - Mar 12 3:00 -1:00 - +@@ -1022,7 +1037,7 @@ Rule Morocco 2060 only - Mar 7 2:00 0 - + Rule Morocco 2061 only - Jan 16 3:00 -1:00 - + Rule Morocco 2061 only - Feb 27 2:00 0 - + Rule Morocco 2062 only - Jan 8 3:00 -1:00 - +-Rule Morocco 2062 only - Feb 19 2:00 0 - ++Rule Morocco 2062 only - Feb 12 2:00 0 - + Rule Morocco 2062 only - Dec 31 3:00 -1:00 - + Rule Morocco 2063 only - Feb 4 2:00 0 - + Rule Morocco 2063 only - Dec 16 3:00 -1:00 - +@@ -1038,7 +1053,7 @@ Rule Morocco 2067 only - Dec 11 2:00 0 - + Rule Morocco 2068 only - Oct 21 3:00 -1:00 - + Rule Morocco 2068 only - Dec 2 2:00 0 - + Rule Morocco 2069 only - Oct 13 3:00 -1:00 - +-Rule Morocco 2069 only - Nov 24 2:00 0 - ++Rule Morocco 2069 only - Nov 17 2:00 0 - + Rule Morocco 2070 only - Oct 5 3:00 -1:00 - + Rule Morocco 2070 only - Nov 9 2:00 0 - + Rule Morocco 2071 only - Sep 20 3:00 -1:00 - +@@ -1054,7 +1069,7 @@ Rule Morocco 2075 only - Sep 15 2:00 0 - + Rule Morocco 2076 only - Jul 26 3:00 -1:00 - + Rule Morocco 2076 only - Sep 6 2:00 0 - + Rule Morocco 2077 only - Jul 18 3:00 -1:00 - +-Rule Morocco 2077 only - Aug 29 2:00 0 - ++Rule Morocco 2077 only - Aug 22 2:00 0 - + Rule Morocco 2078 only - Jul 10 3:00 -1:00 - + Rule Morocco 2078 only - Aug 14 2:00 0 - + Rule Morocco 2079 only - Jun 25 3:00 -1:00 - +@@ -1064,13 +1079,13 @@ Rule Morocco 2080 only - Jul 21 2:00 0 - + Rule Morocco 2081 only - Jun 1 3:00 -1:00 - + Rule Morocco 2081 only - Jul 13 2:00 0 - + Rule Morocco 2082 only - May 24 3:00 -1:00 - +-Rule Morocco 2082 only - Jul 5 2:00 0 - ++Rule Morocco 2082 only - Jun 28 2:00 0 - + Rule Morocco 2083 only - May 16 3:00 -1:00 - + Rule Morocco 2083 only - Jun 20 2:00 0 - + Rule Morocco 2084 only - Apr 30 3:00 -1:00 - + Rule Morocco 2084 only - Jun 11 2:00 0 - + Rule Morocco 2085 only - Apr 22 3:00 -1:00 - +-Rule Morocco 2085 only - Jun 3 2:00 0 - ++Rule Morocco 2085 only - May 27 2:00 0 - + Rule Morocco 2086 only - Apr 14 3:00 -1:00 - + Rule Morocco 2086 only - May 19 2:00 0 - + Rule Morocco 2087 only - Mar 30 3:00 -1:00 - +@@ -1213,15 +1228,15 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # From P Chan (2020-12-03): + # GMT was adopted as the standard time of Lagos on 1905-07-01. + # Lagos Weekly Record, 1905-06-24, p 3 +-# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446%2C5221%2C1931%2C1235 ++# http://ddsnext.crl.edu/titles/31558#?c=0&m=668&s=0&cv=2&r=0&xywh=1446,5221,1931,1235 + # says "It is officially notified that on and after the 1st of July 1905 +-# Greenwich Mean Solar Time will be adopted thought the Colony and ++# Greenwich Mean Solar Time will be adopted throughout the Colony and + # Protectorate, and that it will be necessary to put all clocks 13 minutes and + # 35 seconds back, recording local mean time." + # + # It seemed that Lagos returned to LMT on 1908-07-01. + # [The Lagos Standard], 1908-07-01, p 5 +-# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92%2C3590%2C3944%2C2523 ++# http://ddsnext.crl.edu/titles/31556#?c=0&m=78&s=0&cv=4&r=0&xywh=-92,3590,3944,2523 + # says "Scarcely have the people become accustomed to this new time, when + # another official notice has now appeared announcing that from and after the + # 1st July next, return will be made to local mean time." +@@ -1233,7 +1248,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # https://libsysdigi.library.illinois.edu/ilharvest/Africana/Books2011-05/3064634/3064634_1914/3064634_1914_opt.pdf#page=27 + # "On January 1st [1914], a universal standard time for Nigeria was adopted, + # viz., half an hour fast on Greenwich mean time, corresponding to the meridian +-# 7 [degrees] 30' E. long." ++# 7° 30' E. long." + # Lloyd's Register of Shipping (1915) says "Hitherto the time observed in Lagos + # was the local mean time. On 1st January, 1914, standard time for the whole of + # Nigeria was introduced ... Lagos time has been advanced about 16 minutes +@@ -1251,7 +1266,7 @@ Zone Africa/Windhoek 1:08:24 - LMT 1892 Feb 8 + # The Lagos Weekly Record, 1919-09-20, p 3 details discussion on the first + # reading of this Bill by the Legislative Council of the Colony of Nigeria on + # Thursday 1919-08-28: +-# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261%2C3408%2C2994%2C1915 ++# http://ddsnext.crl.edu/titles/31558?terms&item_id=303484#?m=1118&c=1&s=0&cv=2&r=0&xywh=1261,3408,2994,1915 + # "The proposal is that the Globe should be divided into twelve zones East and + # West of Greenwich, of one hour each, Nigeria falling into the zone with a + # standard of one hour fast on Greenwich Mean Time. Nigeria standard time is +diff --git a/make/data/tzdata/antarctica b/make/data/tzdata/antarctica +index 792542b922..3de5e726eb 100644 +--- a/make/data/tzdata/antarctica ++++ b/make/data/tzdata/antarctica +@@ -315,7 +315,7 @@ Zone Antarctica/Rothera 0 - -00 1976 Dec 1 + # but that he found it more convenient to keep GMT+12 + # as supplies for the station were coming from McMurdo Sound, + # which was on GMT+12 because New Zealand was on GMT+12 all year +-# at that time (1957). (Source: Siple's book 90 Degrees South.) ++# at that time (1957). (Source: Siple's book 90° South.) + # + # From Susan Smith + # http://www.cybertours.com/whs/pole10.html +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +index ff81978bc4..6a048c3ad2 100644 +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -2714,6 +2714,40 @@ Zone Asia/Pyongyang 8:23:00 - LMT 1908 Apr 1 + + + # Lebanon ++# ++# From Saadallah Itani (2023-03-23): ++# Lebanon ... announced today delay of Spring forward from March 25 to April 20. ++# ++# From Paul Eggert (2023-03-27): ++# This announcement was by the Lebanese caretaker prime minister Najib Mikati. ++# https://www.mtv.com.lb/en/News/Local/1352516/lebanon-postpones-daylight-saving-time-adoption ++# A video was later leaked to the media of parliament speaker Nabih Berri ++# asking Mikati to postpone DST to aid observance of Ramadan, Mikati objecting ++# that this would cause problems such as scheduling airline flights, to which ++# Berri interjected, "What flights?" ++# ++# The change was controversial and led to a partly-sectarian divide. ++# Many Lebanese institutions, including the education ministry, the Maronite ++# church, and two news channels LCBI and MTV, ignored the announcement and ++# went ahead with the long-scheduled spring-forward on March 25/26, some ++# arguing that the prime minister had not followed the law because the change ++# had not been approved by the cabinet. Google went with the announcement; ++# Apple ignored it. At least one bank followed the announcement for its doors, ++# but ignored the announcement in internal computer systems. ++# Beirut international airport listed two times for each departure. ++# Dan Azzi wrote "My view is that this whole thing is a Dumb and Dumber movie." ++# Eventually the prime minister backed down, said the cabinet had decided to ++# stick with its 1998 decision, and that DST would begin midnight March 29/30. ++# https://www.nna-leb.gov.lb/en/miscellaneous/604093/lebanon-has-two-times-of-day-amid-daylight-savings ++# https://www.cnbc.com/2023/03/27/lebanon-in-two-different-time-zones-as-government-disagrees-on-daylight-savings.html ++# ++# Although we could model the chaos with two Zones, that would likely cause ++# more trouble than it would cure. Since so many manual clocks and ++# computer-based timestamps ignored the announcement, stick with official ++# cabinet resolutions in the data while recording the prime minister's ++# announcement as a comment. This is how we treated a similar situation in ++# Rio de Janeiro in spring 1993. ++# + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Lebanon 1920 only - Mar 28 0:00 1:00 S + Rule Lebanon 1920 only - Oct 25 0:00 0 - +@@ -2739,6 +2773,10 @@ Rule Lebanon 1992 only - Oct 4 0:00 0 - + Rule Lebanon 1993 max - Mar lastSun 0:00 1:00 S + Rule Lebanon 1993 1998 - Sep lastSun 0:00 0 - + Rule Lebanon 1999 max - Oct lastSun 0:00 0 - ++# This one-time rule, announced by the prime minister first for April 21 ++# then for March 30, is commented out for reasons described above. ++#Rule Lebanon 2023 only - Mar 30 0:00 1:00 S ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Beirut 2:22:00 - LMT 1880 + 2:00 Lebanon EE%sT +@@ -2977,7 +3015,7 @@ Zone Asia/Kathmandu 5:41:16 - LMT 1920 + # 9pm and moving clocks forward by one hour for the next three months. ...." + # + # http://www.worldtimezone.com/dst_news/dst_news_pakistan01.html +-# http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1_4 ++# http://www.dailytimes.com.pk/default.asp?page=2008\05\15\story_15-5-2008_pg1_4 + + # From Arthur David Olson (2008-05-19): + # XXX--midnight transitions is a guess; 2008 only is a guess. +@@ -3300,7 +3338,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # Some of many sources in Arabic: + # http://www.samanews.com/index.php?act=Show&id=122638 + # +-# http://safa.ps/details/news/74352/%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-%D8%A8%D8%A7%D9%84%D8%B6%D9%81%D8%A9-%D9%88%D8%BA%D8%B2%D8%A9-%D9%84%D9%8A%D9%84%D8%A9-%D8%A7%D9%84%D8%AC%D9%85%D8%B9%D8%A9.html ++# http://safa.ps/details/news/74352/بدء-التوقيت-الصيفي-بالضفة-وغزة-ليلة-الجمعة.html + # + # Our brief summary: + # https://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html +@@ -3310,7 +3348,7 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # time from midnight on Friday, March 29, 2013" (translated). + # [These are in Arabic and are for Gaza and for Ramallah, respectively.] + # http://www.samanews.com/index.php?act=Show&id=154120 +-# http://safa.ps/details/news/99844/%D8%B1%D8%A7%D9%85-%D8%A7%D9%84%D9%84%D9%87-%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-29-%D8%A7%D9%84%D8%AC%D8%A7%D8%B1%D9%8A.html ++# http://safa.ps/details/news/99844/رام-الله-بدء-التوقيت-الصيفي-29-الجاري.html + + # From Steffen Thorsen (2013-09-24): + # The Gaza and West Bank are ending DST Thursday at midnight +@@ -3408,9 +3446,41 @@ Zone Asia/Karachi 4:28:12 - LMT 1907 + # (2022-08-31): ... the Saturday before the last Sunday in March and October + # at 2:00 AM ,for the years from 2023 to 2026. + # (2022-09-05): https://mtit.pna.ps/Site/New/1453 +-# +-# From Paul Eggert (2022-08-31): +-# For now, assume that this rule will also be used after 2026. ++ ++# From Heba Hamad (2023-03-22): ++# ... summer time will begin in Palestine from Saturday 04-29-2023, ++# 02:00 AM by 60 minutes forward. ++# ++# From Paul Eggert (2023-03-22): ++# For now, guess that spring and fall transitions will normally ++# continue to use 2022's rules, that during DST Palestine will switch ++# to standard time at 02:00 the last Saturday before Ramadan and back ++# to DST at 02:00 the first Saturday after Ramadan, and that ++# if the normal spring-forward or fall-back transition occurs during ++# Ramadan the former is delayed and the latter advanced. ++# To implement this, I predicted Ramadan-oriented transition dates for ++# 2023 through 2086 by running the following program under GNU Emacs 28.2, ++# with the results integrated by hand into the table below. ++# Predictions after 2086 are approximated without Ramadan. ++# ++# (let ((islamic-year 1444)) ++# (require 'cal-islam) ++# (while (< islamic-year 1510) ++# (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) ++# (b (+ 1 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) ++# (saturday 6)) ++# (while (/= saturday (mod (setq a (1- a)) 7))) ++# (while (/= saturday (mod b 7)) ++# (setq b (1+ b))) ++# (setq a (calendar-gregorian-from-absolute a)) ++# (setq b (calendar-gregorian-from-absolute b)) ++# (insert ++# (format ++# (concat "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t0\t-\n" ++# "Rule Palestine\t%d\tonly\t-\t%s\t%2d\t2:00\t1:00\tS\n") ++# (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a)) ++# (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) ++# (setq islamic-year (+ 1 islamic-year)))) + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S +@@ -3450,8 +3520,86 @@ Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S + Rule Palestine 2020 only - Oct 24 1:00 0 - + Rule Palestine 2021 only - Oct 29 1:00 0 - + Rule Palestine 2022 only - Mar 27 0:00 1:00 S +-Rule Palestine 2022 max - Oct Sat<=30 2:00 0 - +-Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2022 2035 - Oct Sat<=30 2:00 0 - ++Rule Palestine 2023 only - Apr 29 2:00 1:00 S ++Rule Palestine 2024 only - Apr 13 2:00 1:00 S ++Rule Palestine 2025 only - Apr 5 2:00 1:00 S ++Rule Palestine 2026 2054 - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2036 only - Oct 18 2:00 0 - ++Rule Palestine 2037 only - Oct 10 2:00 0 - ++Rule Palestine 2038 only - Sep 25 2:00 0 - ++Rule Palestine 2039 only - Sep 17 2:00 0 - ++Rule Palestine 2039 only - Oct 22 2:00 1:00 S ++Rule Palestine 2039 2067 - Oct Sat<=30 2:00 0 - ++Rule Palestine 2040 only - Sep 1 2:00 0 - ++Rule Palestine 2040 only - Oct 13 2:00 1:00 S ++Rule Palestine 2041 only - Aug 24 2:00 0 - ++Rule Palestine 2041 only - Sep 28 2:00 1:00 S ++Rule Palestine 2042 only - Aug 16 2:00 0 - ++Rule Palestine 2042 only - Sep 20 2:00 1:00 S ++Rule Palestine 2043 only - Aug 1 2:00 0 - ++Rule Palestine 2043 only - Sep 12 2:00 1:00 S ++Rule Palestine 2044 only - Jul 23 2:00 0 - ++Rule Palestine 2044 only - Aug 27 2:00 1:00 S ++Rule Palestine 2045 only - Jul 15 2:00 0 - ++Rule Palestine 2045 only - Aug 19 2:00 1:00 S ++Rule Palestine 2046 only - Jun 30 2:00 0 - ++Rule Palestine 2046 only - Aug 11 2:00 1:00 S ++Rule Palestine 2047 only - Jun 22 2:00 0 - ++Rule Palestine 2047 only - Jul 27 2:00 1:00 S ++Rule Palestine 2048 only - Jun 6 2:00 0 - ++Rule Palestine 2048 only - Jul 18 2:00 1:00 S ++Rule Palestine 2049 only - May 29 2:00 0 - ++Rule Palestine 2049 only - Jul 3 2:00 1:00 S ++Rule Palestine 2050 only - May 21 2:00 0 - ++Rule Palestine 2050 only - Jun 25 2:00 1:00 S ++Rule Palestine 2051 only - May 6 2:00 0 - ++Rule Palestine 2051 only - Jun 17 2:00 1:00 S ++Rule Palestine 2052 only - Apr 27 2:00 0 - ++Rule Palestine 2052 only - Jun 1 2:00 1:00 S ++Rule Palestine 2053 only - Apr 12 2:00 0 - ++Rule Palestine 2053 only - May 24 2:00 1:00 S ++Rule Palestine 2054 only - Apr 4 2:00 0 - ++Rule Palestine 2054 only - May 16 2:00 1:00 S ++Rule Palestine 2055 only - May 1 2:00 1:00 S ++Rule Palestine 2056 only - Apr 22 2:00 1:00 S ++Rule Palestine 2057 only - Apr 7 2:00 1:00 S ++Rule Palestine 2058 max - Mar Sat<=30 2:00 1:00 S ++Rule Palestine 2068 only - Oct 20 2:00 0 - ++Rule Palestine 2069 only - Oct 12 2:00 0 - ++Rule Palestine 2070 only - Oct 4 2:00 0 - ++Rule Palestine 2071 only - Sep 19 2:00 0 - ++Rule Palestine 2072 only - Sep 10 2:00 0 - ++Rule Palestine 2072 only - Oct 15 2:00 1:00 S ++Rule Palestine 2073 only - Sep 2 2:00 0 - ++Rule Palestine 2073 only - Oct 7 2:00 1:00 S ++Rule Palestine 2074 only - Aug 18 2:00 0 - ++Rule Palestine 2074 only - Sep 29 2:00 1:00 S ++Rule Palestine 2075 only - Aug 10 2:00 0 - ++Rule Palestine 2075 only - Sep 14 2:00 1:00 S ++Rule Palestine 2075 max - Oct Sat<=30 2:00 0 - ++Rule Palestine 2076 only - Jul 25 2:00 0 - ++Rule Palestine 2076 only - Sep 5 2:00 1:00 S ++Rule Palestine 2077 only - Jul 17 2:00 0 - ++Rule Palestine 2077 only - Aug 28 2:00 1:00 S ++Rule Palestine 2078 only - Jul 9 2:00 0 - ++Rule Palestine 2078 only - Aug 13 2:00 1:00 S ++Rule Palestine 2079 only - Jun 24 2:00 0 - ++Rule Palestine 2079 only - Aug 5 2:00 1:00 S ++Rule Palestine 2080 only - Jun 15 2:00 0 - ++Rule Palestine 2080 only - Jul 20 2:00 1:00 S ++Rule Palestine 2081 only - Jun 7 2:00 0 - ++Rule Palestine 2081 only - Jul 12 2:00 1:00 S ++Rule Palestine 2082 only - May 23 2:00 0 - ++Rule Palestine 2082 only - Jul 4 2:00 1:00 S ++Rule Palestine 2083 only - May 15 2:00 0 - ++Rule Palestine 2083 only - Jun 19 2:00 1:00 S ++Rule Palestine 2084 only - Apr 29 2:00 0 - ++Rule Palestine 2084 only - Jun 10 2:00 1:00 S ++Rule Palestine 2085 only - Apr 21 2:00 0 - ++Rule Palestine 2085 only - Jun 2 2:00 1:00 S ++Rule Palestine 2086 only - Apr 13 2:00 0 - ++Rule Palestine 2086 only - May 18 2:00 1:00 S + + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Asia/Gaza 2:17:52 - LMT 1900 Oct +@@ -3655,7 +3803,7 @@ Zone Asia/Singapore 6:55:25 - LMT 1901 Jan 1 + # standard time is SLST. + # + # From Paul Eggert (2016-10-18): +-# "SLST" seems to be reasonably recent and rarely-used outside time ++# "SLST" seems to be reasonably recent and rarely used outside time + # zone nerd sources. I searched Google News and found three uses of + # it in the International Business Times of India in February and + # March of this year when discussing cricket match times, but nothing +diff --git a/make/data/tzdata/australasia b/make/data/tzdata/australasia +index fbe3b8a6d7..893d7055ea 100644 +--- a/make/data/tzdata/australasia ++++ b/make/data/tzdata/australasia +@@ -346,7 +346,7 @@ Zone Antarctica/Macquarie 0 - -00 1899 Nov + + # From Steffen Thorsen (2013-01-10): + # Fiji will end DST on 2014-01-19 02:00: +-# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-%281%29.aspx ++# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVINGS-TO-END-THIS-MONTH-(1).aspx + + # From Ken Rylander (2014-10-20): + # DST will start Nov. 2 this year. +@@ -746,7 +746,7 @@ Zone Pacific/Pago_Pago 12:37:12 - LMT 1892 Jul 5 + # + # Samoa's Daylight Saving Time Act 2009 is available here, but does not + # contain any dates: +-# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20%28English%29%20-%20Final%207-7-091.pdf ++# http://www.parliament.gov.ws/documents/acts/Daylight%20Saving%20Act%20%202009%20(English)%20-%20Final%207-7-091.pdf + + # From Laupue Raymond Hughes (2010-10-07): + # Please see +@@ -1831,7 +1831,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # period. It would probably be reasonable to assume Guam use GMT+9 during + # that period of time like the surrounding area. + +-# From Paul Eggert (2018-11-18): ++# From Paul Eggert (2023-01-23): + # Howse writes (p 153) "The Spaniards, on the other hand, reached the + # Philippines and the Ladrones from America," and implies that the Ladrones + # (now called the Marianas) kept American date for quite some time. +@@ -1844,7 +1844,7 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # they did as that avoids the need for a separate zone due to our 1970 cutoff. + # + # US Public Law 106-564 (2000-12-23) made UT +10 the official standard time, +-# under the name "Chamorro Standard Time". There is no official abbreviation, ++# under the name "Chamorro standard time". There is no official abbreviation, + # but Congressman Robert A. Underwood, author of the bill that became law, + # wrote in a press release (2000-12-27) that he will seek the use of "ChST". + +@@ -2222,24 +2222,18 @@ Zone Pacific/Efate 11:13:16 - LMT 1912 Jan 13 # Vila + # an international standard, there are some places on the high seas where the + # correct date is ambiguous. + +-# From Wikipedia (2005-08-31): +-# Before 1920, all ships kept local apparent time on the high seas by setting +-# their clocks at night or at the morning sight so that, given the ship's +-# speed and direction, it would be 12 o'clock when the Sun crossed the ship's +-# meridian (12 o'clock = local apparent noon). During 1917, at the +-# Anglo-French Conference on Time-keeping at Sea, it was recommended that all +-# ships, both military and civilian, should adopt hourly standard time zones +-# on the high seas. Whenever a ship was within the territorial waters of any +-# nation it would use that nation's standard time. The captain was permitted +-# to change his ship's clocks at a time of his choice following his ship's +-# entry into another zone time - he often chose midnight. These zones were +-# adopted by all major fleets between 1920 and 1925 but not by many +-# independent merchant ships until World War II. +- +-# From Paul Eggert, using references suggested by Oscar van Vlijmen +-# (2005-03-20): +-# +-# The American Practical Navigator (2002) +-# http://pollux.nss.nima.mil/pubs/pubs_j_apn_sections.html?rid=187 +-# talks only about the 180-degree meridian with respect to ships in +-# international waters; it ignores the international date line. ++# From Wikipedia (2023-01-23): ++# The nautical time zone system is analogous to the terrestrial time zone ++# system for use on high seas. Under the system time changes are required for ++# changes of longitude in one-hour steps. The one-hour step corresponds to a ++# time zone width of 15° longitude. The 15° gore that is offset from GMT or ++# UT1 (not UTC) by twelve hours is bisected by the nautical date line into two ++# 7°30' gores that differ from GMT by ±12 hours. A nautical date line is ++# implied but not explicitly drawn on time zone maps. It follows the 180th ++# meridian except where it is interrupted by territorial waters adjacent to ++# land, forming gaps: it is a pole-to-pole dashed line. ++ ++# From Paul Eggert (2023-01-23): ++# The American Practical Navigator , ++# 2019 edition, merely says that the International Date Line ++# "coincides with the 180th meridian over most of its length." +diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward +index fa44f65500..c0746d6dd1 100644 +--- a/make/data/tzdata/backward ++++ b/make/data/tzdata/backward +@@ -297,6 +297,7 @@ Link America/Argentina/Cordoba America/Rosario + Link America/Tijuana America/Santa_Isabel + Link America/Denver America/Shiprock + Link America/Toronto America/Thunder_Bay ++Link America/Edmonton America/Yellowknife + Link Pacific/Auckland Antarctica/South_Pole + Link Asia/Shanghai Asia/Chongqing + Link Asia/Shanghai Asia/Harbin +diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +index acc5da3ec7..446d2e1e65 100644 +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -540,9 +540,7 @@ Zone Europe/London -0:01:15 - LMT 1847 Dec 1 + # other form with a traditional approximation for Irish timestamps + # after 1971-10-31 02:00 UTC; although this approximation has tm_isdst + # flags that are reversed, its UTC offsets are correct and this often +-# suffices. This source file currently uses only nonnegative SAVE +-# values, but this is intended to change and downstream code should +-# not rely on it. ++# suffices.... + # + # The following is like GB-Eire and EU, except with standard time in + # summer and negative daylight saving time in winter. It is for when +@@ -1136,19 +1134,18 @@ Zone Atlantic/Faroe -0:27:04 - LMT 1908 Jan 11 # Tórshavn + # + # From Jürgen Appel (2022-11-25): + # https://ina.gl/samlinger/oversigt-over-samlinger/samling/dagsordener/dagsorden.aspx?lang=da&day=24-11-2022 +-# If I understand this correctly, from the next planned switch to +-# summer time, Greenland will permanently stay at that time, i.e. no +-# switch back to winter time in 2023 will occur. +-# +-# From Paul Eggert (2022-11-28): +-# The official document in Danish +-# https://naalakkersuisut.gl/-/media/naalakkersuisut/filer/kundgoerelser/2022/11/2511/31_da_inatsisartutlov-om-tidens-bestemmelse.pdf?la=da&hash=A33597D8A38CC7038465241119EF34F3 +-# says standard time for Greenland is -02, that Naalakkersuisut can lay down +-# rules for DST and can require some areas to use a different time zone, +-# and that this all takes effect 2023-03-25 22:00. The abovementioned +-# "bekymringer" URL says the intent is no transition March 25, that +-# Greenland will not go back to winter time in fall 2023, and that +-# only America/Nuuk is affected (though further changes may occur). ++# ++# From Thomas M. Steenholdt (2022-12-02): ++# - The bill to move America/Nuuk from UTC-03 to UTC-02 passed. ++# - The bill to stop observing DST did not (Greenland will stop observing DST ++# when EU does). ++# Details on the implementation are here (section 6): ++# https://ina.gl/dvd/EM%202022/pdf/media/2553529/pkt17_em2022_tidens_bestemmelse_bem_da.pdf ++# This is how the change will be implemented: ++# 1. The shift *to* DST in 2023 happens as normal. ++# 2. The shift *from* DST in 2023 happens as normal, but coincides with the ++# shift to UTC-02 normaltime (people will not change their clocks here). ++# 3. After this, DST is still observed, but as -02/-01 instead of -03/-02. + + # Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D +@@ -1172,8 +1169,8 @@ Zone America/Scoresbysund -1:27:52 - LMT 1916 Jul 28 # Ittoqqortoormiit + -1:00 EU -01/+00 + Zone America/Nuuk -3:26:56 - LMT 1916 Jul 28 # Godthåb + -3:00 - -03 1980 Apr 6 2:00 +- -3:00 EU -03/-02 2023 Mar 25 22:00 +- -2:00 - -02 ++ -3:00 EU -03/-02 2023 Oct 29 1:00u ++ -2:00 EU -02/-01 + Zone America/Thule -4:35:08 - LMT 1916 Jul 28 # Pituffik + -4:00 Thule A%sT + +@@ -1509,9 +1506,9 @@ Zone Europe/Paris 0:09:21 - LMT 1891 Mar 16 + Rule Germany 1946 only - Apr 14 2:00s 1:00 S + Rule Germany 1946 only - Oct 7 2:00s 0 - + Rule Germany 1947 1949 - Oct Sun>=1 2:00s 0 - +-# http://www.ptb.de/de/org/4/44/441/salt.htm says the following transition +-# occurred at 3:00 MEZ, not the 2:00 MEZ given in Shanks & Pottenger. +-# Go with the PTB. ++# https://www.ptb.de/cms/en/ptb/fachabteilungen/abt4/fb-44/ag-441/realisation-of-legal-time-in-germany/dst-and-midsummer-dst-in-germany-until-1979.html ++# says the following transition occurred at 3:00 MEZ, not the 2:00 MEZ ++# given in Shanks & Pottenger. Go with the PTB. + Rule Germany 1947 only - Apr 6 3:00s 1:00 S + Rule Germany 1947 only - May 11 2:00s 2:00 M + Rule Germany 1947 only - Jun 29 3:00 1:00 S +@@ -2272,7 +2269,7 @@ Zone Europe/Bucharest 1:44:24 - LMT 1891 Oct + # the State Duma has approved ... the draft bill on returning to + # winter time standard and return Russia 11 time zones. The new + # regulations will come into effect on October 26, 2014 at 02:00 ... +-# http://asozd2.duma.gov.ru/main.nsf/%28Spravka%29?OpenAgent&RN=431985-6&02 ++# http://asozd2.duma.gov.ru/main.nsf/(Spravka)?OpenAgent&RN=431985-6&02 + # Here is a link where we put together table (based on approved Bill N + # 431985-6) with proposed 11 Russian time zones and corresponding + # areas/cities/administrative centers in the Russian Federation (in English): +@@ -2682,13 +2679,13 @@ Zone Europe/Volgograd 2:57:40 - LMT 1920 Jan 3 + 3:00 - +03 1930 Jun 21 + 4:00 - +04 1961 Nov 11 + 4:00 Russia +04/+05 1988 Mar 27 2:00s +- 3:00 Russia +03/+04 1991 Mar 31 2:00s ++ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s + 4:00 - +04 1992 Mar 29 2:00s +- 3:00 Russia +03/+04 2011 Mar 27 2:00s +- 4:00 - +04 2014 Oct 26 2:00s +- 3:00 - +03 2018 Oct 28 2:00s ++ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s ++ 4:00 - MSK 2014 Oct 26 2:00s ++ 3:00 - MSK 2018 Oct 28 2:00s + 4:00 - +04 2020 Dec 27 2:00s +- 3:00 - +03 ++ 3:00 - MSK + + # From Paul Eggert (2016-11-11): + # Europe/Saratov covers: +@@ -2719,11 +2716,11 @@ Zone Europe/Saratov 3:04:18 - LMT 1919 Jul 1 0:00u + Zone Europe/Kirov 3:18:48 - LMT 1919 Jul 1 0:00u + 3:00 - +03 1930 Jun 21 + 4:00 Russia +04/+05 1989 Mar 26 2:00s +- 3:00 Russia +03/+04 1991 Mar 31 2:00s ++ 3:00 Russia MSK/MSD 1991 Mar 31 2:00s + 4:00 - +04 1992 Mar 29 2:00s +- 3:00 Russia +03/+04 2011 Mar 27 2:00s +- 4:00 - +04 2014 Oct 26 2:00s +- 3:00 - +03 ++ 3:00 Russia MSK/MSD 2011 Mar 27 2:00s ++ 4:00 - MSK 2014 Oct 26 2:00s ++ 3:00 - MSK + + # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25): + # Europe/Samara covers... +diff --git a/make/data/tzdata/iso3166.tab b/make/data/tzdata/iso3166.tab +index fbfb74bec4..cea17732dd 100644 +--- a/make/data/tzdata/iso3166.tab ++++ b/make/data/tzdata/iso3166.tab +@@ -261,7 +261,7 @@ SY Syria + SZ Eswatini (Swaziland) + TC Turks & Caicos Is + TD Chad +-TF French Southern Territories ++TF French S. Terr. + TG Togo + TH Thailand + TJ Tajikistan +diff --git a/make/data/tzdata/leapseconds b/make/data/tzdata/leapseconds +index d6fb840f51..89ce8b89cd 100644 +--- a/make/data/tzdata/leapseconds ++++ b/make/data/tzdata/leapseconds +@@ -95,11 +95,11 @@ Leap 2016 Dec 31 23:59:60 + S + # Any additional leap seconds will come after this. + # This Expires line is commented out for now, + # so that pre-2020a zic implementations do not reject this file. +-#Expires 2023 Jun 28 00:00:00 ++#Expires 2023 Dec 28 00:00:00 + + # POSIX timestamps for the data in this file: + #updated 1467936000 (2016-07-08 00:00:00 UTC) +-#expires 1687910400 (2023-06-28 00:00:00 UTC) ++#expires 1703721600 (2023-12-28 00:00:00 UTC) + +-# Updated through IERS Bulletin C64 +-# File expires on: 28 June 2023 ++# Updated through IERS Bulletin C65 ++# File expires on: 28 December 2023 +diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica +index a5fd701f88..e240cf3510 100644 +--- a/make/data/tzdata/northamerica ++++ b/make/data/tzdata/northamerica +@@ -1,4 +1,3 @@ +-# + # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + # + # This code is free software; you can redistribute it and/or modify it +@@ -299,9 +298,10 @@ Zone PST8PDT -8:00 US P%sT + # -10 Standard Alaska Time (AST) Alaska-Hawaii standard time (AHST) + # -11 (unofficial) Nome (NST) Bering standard time (BST) + # +-# From Paul Eggert (2000-01-08), following a heads-up from Rives McDow: +-# Public law 106-564 (2000-12-23) introduced ... "Chamorro Standard Time" ++# From Paul Eggert (2023-01-23), from a 2001-01-08 heads-up from Rives McDow: ++# Public law 106-564 (2000-12-23) introduced "Chamorro standard time" + # for time in Guam and the Northern Marianas. See the file "australasia". ++# Also see 15 U.S.C. §263 . + # + # From Paul Eggert (2015-04-17): + # HST and HDT are standardized abbreviations for Hawaii-Aleutian +@@ -618,7 +618,7 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + # local times of other Alaskan locations so that they change simultaneously. + + # From Paul Eggert (2014-07-18): +-# One opinion of the early-1980s turmoil in Alaska over time zones and ++# One opinion of the early 1980s turmoil in Alaska over time zones and + # daylight saving time appeared as graffiti on a Juneau airport wall: + # "Welcome to Juneau. Please turn your watch back to the 19th century." + # See: Turner W. Alaska's four time zones now two. NY Times 1983-11-01. +@@ -690,6 +690,10 @@ Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u + # So they won't be waiting for Alaska to join them on 2019-03-10, but will + # rather change their clocks twice in seven weeks. + ++# From Paul Eggert (2023-01-23): ++# America/Adak is for the Aleutian Islands that are part of Alaska ++# and are west of 169.5° W. ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone America/Juneau 15:02:19 - LMT 1867 Oct 19 15:33:32 + -8:57:41 - LMT 1900 Aug 20 12:00 +@@ -2148,10 +2152,6 @@ Zone America/Fort_Nelson -8:10:47 - LMT 1884 + # Nunavut ... moved ... to incorporate the whole territory into one time zone. + # Nunavut moves to single time zone Oct. 31 + # http://www.nunatsiaq.com/nunavut/nvt90903_13.html +-# +-# From Antoine Leca (1999-09-06): +-# We then need to create a new timezone for the Kitikmeot region of Nunavut +-# to differentiate it from the Yellowknife region. + + # From Paul Eggert (1999-09-20): + # Basic Facts: The New Territory +@@ -2345,9 +2345,6 @@ Zone America/Cambridge_Bay 0 - -00 1920 # trading post est.? + -5:00 - EST 2000 Nov 5 0:00 + -6:00 - CST 2001 Apr 1 3:00 + -7:00 Canada M%sT +-Zone America/Yellowknife 0 - -00 1935 # Yellowknife founded? +- -7:00 NT_YK M%sT 1980 +- -7:00 Canada M%sT + Zone America/Inuvik 0 - -00 1953 # Inuvik founded + -8:00 NT_YK P%sT 1979 Apr lastSun 2:00 + -7:00 NT_YK M%sT 1980 +@@ -2584,7 +2581,7 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + # and in addition changes all of Chihuahua to -06 with no DST. + + # From Heitor David Pinto (2022-11-28): +-# Now the northern municipalities want to have the same time zone as the ++# Now the northern [municipios] want to have the same time zone as the + # respective neighboring cities in the US, for example Juárez in UTC-7 with + # DST, matching El Paso, and Ojinaga in UTC-6 with DST, matching Presidio.... + # the president authorized the publication of the decree for November 29, +@@ -2621,7 +2618,7 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u + -5:00 - EST 1982 Dec 2 + -6:00 Mexico C%sT + # Coahuila, Nuevo León, Tamaulipas (near US border) +-# This includes the following municipalities: ++# This includes the following municipios: + # in Coahuila: Acuña, Allende, Guerrero, Hidalgo, Jiménez, Morelos, Nava, + # Ocampo, Piedras Negras, Villa Unión, Zaragoza + # in Nuevo León: Anáhuac +@@ -2647,8 +2644,8 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u + -6:00 - CST 2002 Feb 20 + -6:00 Mexico C%sT + # Chihuahua (near US border - western side) +-# This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe, +-# and Práxedis G Guerrero. ++# This includes the municipios of Janos, Ascensión, Juárez, Guadalupe, and ++# Práxedis G Guerrero. + # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf + Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 +@@ -2662,7 +2659,8 @@ Zone America/Ciudad_Juarez -7:05:56 - LMT 1922 Jan 1 7:00u + -6:00 - CST 2022 Nov 30 0:00 + -7:00 US M%sT + # Chihuahua (near US border - eastern side) +-# The municipalities of Coyame del Sotol, Ojinaga, and Manuel Benavides. ++# This includes the municipios of Coyame del Sotol, Ojinaga, and Manuel ++# Benavides. + # http://gaceta.diputados.gob.mx/PDF/65/2a022/nov/20221124-VII.pdf + Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u + -7:00 - MST 1927 Jun 10 23:00 +@@ -3083,7 +3081,7 @@ Zone America/Costa_Rica -5:36:13 - LMT 1890 # San José + # + # He supplied these references: + # +-# http://www.prensalatina.com.mx/article.asp?ID=%7B4CC32C1B-A9F7-42FB-8A07-8631AFC923AF%7D&language=ES ++# http://www.prensalatina.com.mx/article.asp?ID={4CC32C1B-A9F7-42FB-8A07-8631AFC923AF}&language=ES + # http://actualidad.terra.es/sociedad/articulo/cuba_llama_ahorrar_energia_cambio_1957044.htm + # + # From Alex Krivenyshev (2007-10-25): +diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica +index 81fdd793df..4024e7180c 100644 +--- a/make/data/tzdata/southamerica ++++ b/make/data/tzdata/southamerica +@@ -231,7 +231,7 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 - + # Hora de verano para la República Argentina + # http://buenasiembra.com.ar/esoterismo/astrologia/hora-de-verano-de-la-republica-argentina-27.html + # says that standard time in Argentina from 1894-10-31 +-# to 1920-05-01 was -4:16:48.25. Go with this more-precise value ++# to 1920-05-01 was -4:16:48.25. Go with this more precise value + # over Shanks & Pottenger. It is upward compatible with Milne, who + # says Córdoba time was -4:16:48.2. + +diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab +index 939432d345..3edb0d61c8 100644 +--- a/make/data/tzdata/zone.tab ++++ b/make/data/tzdata/zone.tab +@@ -144,9 +144,8 @@ CA +744144-0944945 America/Resolute Central - NU (Resolute) + CA +624900-0920459 America/Rankin_Inlet Central - NU (central) + CA +5024-10439 America/Regina CST - SK (most areas) + CA +5017-10750 America/Swift_Current CST - SK (midwest) +-CA +5333-11328 America/Edmonton Mountain - AB; BC (E); SK (W) ++CA +5333-11328 America/Edmonton Mountain - AB; BC (E); NT (E); SK (W) + CA +690650-1050310 America/Cambridge_Bay Mountain - NU (west) +-CA +6227-11421 America/Yellowknife Mountain - NT (central) + CA +682059-1334300 America/Inuvik Mountain - NT (west) + CA +4906-11631 America/Creston MST - BC (Creston) + CA +5546-12014 America/Dawson_Creek MST - BC (Dawson Cr, Ft St John) +@@ -162,7 +161,7 @@ CG -0416+01517 Africa/Brazzaville + CH +4723+00832 Europe/Zurich + CI +0519-00402 Africa/Abidjan + CK -2114-15946 Pacific/Rarotonga +-CL -3327-07040 America/Santiago Chile (most areas) ++CL -3327-07040 America/Santiago most of Chile + CL -5309-07055 America/Punta_Arenas Region of Magallanes + CL -2709-10926 Pacific/Easter Easter Island + CM +0403+00942 Africa/Douala +@@ -174,10 +173,10 @@ CU +2308-08222 America/Havana + CV +1455-02331 Atlantic/Cape_Verde + CW +1211-06900 America/Curacao + CX -1025+10543 Indian/Christmas +-CY +3510+03322 Asia/Nicosia Cyprus (most areas) ++CY +3510+03322 Asia/Nicosia most of Cyprus + CY +3507+03357 Asia/Famagusta Northern Cyprus + CZ +5005+01426 Europe/Prague +-DE +5230+01322 Europe/Berlin Germany (most areas) ++DE +5230+01322 Europe/Berlin most of Germany + DE +4742+00841 Europe/Busingen Busingen + DJ +1136+04309 Africa/Djibouti + DK +5540+01235 Europe/Copenhagen +@@ -210,7 +209,7 @@ GF +0456-05220 America/Cayenne + GG +492717-0023210 Europe/Guernsey + GH +0533-00013 Africa/Accra + GI +3608-00521 Europe/Gibraltar +-GL +6411-05144 America/Nuuk Greenland (most areas) ++GL +6411-05144 America/Nuuk most of Greenland + GL +7646-01840 America/Danmarkshavn National Park (east coast) + GL +7029-02158 America/Scoresbysund Scoresbysund/Ittoqqortoormiit + GL +7634-06847 America/Thule Thule/Pituffik +@@ -258,7 +257,7 @@ KP +3901+12545 Asia/Pyongyang + KR +3733+12658 Asia/Seoul + KW +2920+04759 Asia/Kuwait + KY +1918-08123 America/Cayman +-KZ +4315+07657 Asia/Almaty Kazakhstan (most areas) ++KZ +4315+07657 Asia/Almaty most of Kazakhstan + KZ +4448+06528 Asia/Qyzylorda Qyzylorda/Kyzylorda/Kzyl-Orda + KZ +5312+06337 Asia/Qostanay Qostanay/Kostanay/Kustanay + KZ +5017+05710 Asia/Aqtobe Aqtobe/Aktobe +@@ -282,12 +281,12 @@ MD +4700+02850 Europe/Chisinau + ME +4226+01916 Europe/Podgorica + MF +1804-06305 America/Marigot + MG -1855+04731 Indian/Antananarivo +-MH +0709+17112 Pacific/Majuro Marshall Islands (most areas) ++MH +0709+17112 Pacific/Majuro most of Marshall Islands + MH +0905+16720 Pacific/Kwajalein Kwajalein + MK +4159+02126 Europe/Skopje + ML +1239-00800 Africa/Bamako + MM +1647+09610 Asia/Yangon +-MN +4755+10653 Asia/Ulaanbaatar Mongolia (most areas) ++MN +4755+10653 Asia/Ulaanbaatar most of Mongolia + MN +4801+09139 Asia/Hovd Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan + MN +4804+11430 Asia/Choibalsan Dornod, Sukhbaatar + MO +221150+1133230 Asia/Macau +@@ -325,7 +324,7 @@ NO +5955+01045 Europe/Oslo + NP +2743+08519 Asia/Kathmandu + NR -0031+16655 Pacific/Nauru + NU -1901-16955 Pacific/Niue +-NZ -3652+17446 Pacific/Auckland New Zealand (most areas) ++NZ -3652+17446 Pacific/Auckland most of New Zealand + NZ -4357-17633 Pacific/Chatham Chatham Islands + OM +2336+05835 Asia/Muscat + PA +0858-07932 America/Panama +@@ -333,7 +332,7 @@ PE -1203-07703 America/Lima + PF -1732-14934 Pacific/Tahiti Society Islands + PF -0900-13930 Pacific/Marquesas Marquesas Islands + PF -2308-13457 Pacific/Gambier Gambier Islands +-PG -0930+14710 Pacific/Port_Moresby Papua New Guinea (most areas) ++PG -0930+14710 Pacific/Port_Moresby most of Papua New Guinea + PG -0613+15534 Pacific/Bougainville Bougainville + PH +1435+12100 Asia/Manila + PK +2452+06703 Asia/Karachi +@@ -379,7 +378,7 @@ RU +4310+13156 Asia/Vladivostok MSK+07 - Amur River + RU +643337+1431336 Asia/Ust-Nera MSK+07 - Oymyakonsky + RU +5934+15048 Asia/Magadan MSK+08 - Magadan + RU +4658+14242 Asia/Sakhalin MSK+08 - Sakhalin Island +-RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); North Kuril Is ++RU +6728+15343 Asia/Srednekolymsk MSK+08 - Sakha (E); N Kuril Is + RU +5301+15839 Asia/Kamchatka MSK+09 - Kamchatka + RU +6445+17729 Asia/Anadyr MSK+09 - Bering Sea + RW -0157+03004 Africa/Kigali +@@ -420,7 +419,7 @@ TT +1039-06131 America/Port_of_Spain + TV -0831+17913 Pacific/Funafuti + TW +2503+12130 Asia/Taipei + TZ -0648+03917 Africa/Dar_es_Salaam +-UA +5026+03031 Europe/Kyiv Ukraine (most areas) ++UA +5026+03031 Europe/Kyiv most of Ukraine + UG +0019+03225 Africa/Kampala + UM +2813-17722 Pacific/Midway Midway Islands + UM +1917+16637 Pacific/Wake Wake Island +@@ -443,7 +442,7 @@ US +465042-1012439 America/North_Dakota/New_Salem Central - ND (Morton rural) + US +471551-1014640 America/North_Dakota/Beulah Central - ND (Mercer) + US +394421-1045903 America/Denver Mountain (most areas) + US +433649-1161209 America/Boise Mountain - ID (south); OR (east) +-US +332654-1120424 America/Phoenix MST - Arizona (except Navajo) ++US +332654-1120424 America/Phoenix MST - AZ (except Navajo) + US +340308-1181434 America/Los_Angeles Pacific + US +611305-1495401 America/Anchorage Alaska (most areas) + US +581807-1342511 America/Juneau Alaska - Juneau area +@@ -451,7 +450,7 @@ US +571035-1351807 America/Sitka Alaska - Sitka area + US +550737-1313435 America/Metlakatla Alaska - Annette Island + US +593249-1394338 America/Yakutat Alaska - Yakutat + US +643004-1652423 America/Nome Alaska (west) +-US +515248-1763929 America/Adak Aleutian Islands ++US +515248-1763929 America/Adak Alaska - western Aleutians + US +211825-1575130 Pacific/Honolulu Hawaii + UY -345433-0561245 America/Montevideo + UZ +3940+06648 Asia/Samarkand Uzbekistan (west) +diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +index a51490767d..9fdc741af9 100644 +--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java ++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java +@@ -607,6 +607,17 @@ public final class ZoneInfoFile { + params[8] = endRule.secondOfDay * 1000; + params[9] = toSTZTime[endRule.timeDefinition]; + dstSavings = (startRule.offsetAfter - startRule.offsetBefore) * 1000; ++ ++ // Note: known mismatching -> Africa/Cairo ++ // ZoneInfo : startDayOfWeek=5 <= Thursday ++ // startTime=86400000 <= 24:00 ++ // This: startDayOfWeek=6 <= Friday ++ // startTime=0 <= 0:00 ++ if (zoneId.equals("Africa/Cairo") && ++ params[7] == Calendar.FRIDAY && params[8] == 0) { ++ params[7] = Calendar.THURSDAY; ++ params[8] = SECONDS_PER_DAY * 1000; ++ } + } else if (nTrans > 0) { // only do this if there is something in table already + if (lastyear < LASTYEAR) { + // ZoneInfo has an ending entry for 2037 +diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +index bf7918659a..2763ac30ca 100644 +--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java ++++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -845,9 +845,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle { + {"Europe/Jersey", GMTBST}, + {"Europe/Kaliningrad", EET}, + {"Europe/Kiev", EET}, +- {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00", +- "Kirov Daylight Time", "GMT+03:00", +- "Kirov Time", "GMT+03:00"}}, ++ {"Europe/Kirov", MSK}, + {"Europe/Lisbon", WET}, + {"Europe/Ljubljana", CET}, + {"Europe/London", GMTBST}, +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +index 0f66ee12c9..c5483b4851 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION +@@ -1 +1 @@ +-tzdata2022g ++tzdata2023c +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +index d495743b26..07c5edbafe 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt +@@ -211,6 +211,7 @@ Link America/Argentina/Cordoba America/Rosario + Link America/Tijuana America/Santa_Isabel + Link America/Denver America/Shiprock + Link America/Toronto America/Thunder_Bay ++Link America/Edmonton America/Yellowknife + Link Pacific/Auckland Antarctica/South_Pole + Link Asia/Shanghai Asia/Chongqing + Link Asia/Shanghai Asia/Harbin +diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +index 44db4dbdb8..03f5305e65 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt ++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt +@@ -92,7 +92,6 @@ America/Vancouver PST PDT + America/Whitehorse MST + America/Winnipeg CST CDT + America/Yakutat AKST AKDT +-America/Yellowknife MST MDT + Antarctica/Macquarie AEST AEDT + Asia/Beirut EET EEST + Asia/Famagusta EET EEST +@@ -144,6 +143,7 @@ Europe/Dublin IST/GMT IST/GMT + Europe/Gibraltar CET CEST + Europe/Helsinki EET EEST + Europe/Kaliningrad EET ++Europe/Kirov MSK + Europe/Kyiv EET EEST + Europe/Lisbon WET WEST + Europe/London GMT/BST GMT/BST +@@ -160,6 +160,7 @@ Europe/Tallinn EET EEST + Europe/Tirane CET CEST + Europe/Vienna CET CEST + Europe/Vilnius EET EEST ++Europe/Volgograd MSK + Europe/Warsaw CET CEST + Europe/Zurich CET CEST + HST HST +diff --git a/test/jdk/java/util/TimeZone/TimeZoneTest.java b/test/jdk/java/util/TimeZone/TimeZoneTest.java +index d31d1722b7..8e5d403f87 100644 +--- a/test/jdk/java/util/TimeZone/TimeZoneTest.java ++++ b/test/jdk/java/util/TimeZone/TimeZoneTest.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -25,7 +25,7 @@ + * @test + * @bug 4028006 4044013 4096694 4107276 4107570 4112869 4130885 7039469 7126465 7158483 + * 8008577 8077685 8098547 8133321 8138716 8148446 8151876 8159684 8166875 8181157 +- * 8228469 8274407 ++ * 8228469 8274407 8305113 + * @modules java.base/sun.util.resources + * @library /java/text/testlib + * @summary test TimeZone +@@ -121,7 +121,7 @@ public class TimeZoneTest extends IntlTest + new ZoneDescriptor("GMT", 0, false), + new ZoneDescriptor("UTC", 0, false), + new ZoneDescriptor("ECT", 60, true), +- new ZoneDescriptor("ART", 120, false), ++ new ZoneDescriptor("ART", 120, true), + new ZoneDescriptor("EET", 120, true), + new ZoneDescriptor("EAT", 180, false), + new ZoneDescriptor("MET", 60, true), diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch index e6355f2..37d600a 100644 --- a/SOURCES/rh1750419-redhat_alt_java.patch +++ b/SOURCES/rh1750419-redhat_alt_java.patch @@ -1,7 +1,8 @@ -diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk ---- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 -+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 -@@ -41,6 +41,16 @@ +diff --git openjdk.orig/make/launcher/Launcher-java.base.gmk openjdk/make/launcher/Launcher-java.base.gmk +index a8990dd0ef..320fec6e51 100644 +--- openjdk.orig/make/launcher/Launcher-java.base.gmk ++++ openjdk/make/launcher/Launcher-java.base.gmk +@@ -41,6 +41,16 @@ $(eval $(call SetupBuildLauncher, java, \ OPTIMIZATION := HIGH, \ )) @@ -15,13 +16,14 @@ diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk + OPTIMIZATION := HIGH, \ +)) + - ifeq ($(OPENJDK_TARGET_OS), windows) + ifeq ($(call isTargetOs, windows), true) $(eval $(call SetupBuildLauncher, javaw, \ CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ - -diff -r 25e94aa812b2 src/share/bin/alt_main.h ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100 +diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h +new file mode 100644 +index 0000000000..697df2898a +--- /dev/null ++++ openjdk/src/java.base/share/native/launcher/alt_main.h @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2019, Red Hat, Inc. All rights reserved. @@ -96,9 +98,10 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h +} + +#endif // REDHAT_ALT_JAVA -diff -r 25e94aa812b2 src/share/bin/main.c ---- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 -+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 +diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c +index b734fe2ba7..79dc830765 100644 +--- openjdk.orig/src/java.base/share/native/launcher/main.c ++++ openjdk/src/java.base/share/native/launcher/main.c @@ -34,6 +34,14 @@ #include "jli_util.h" #include "jni.h" diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index a7d8fe9..0c33bf4 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -331,7 +331,7 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 18 +%global updatever 19 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -370,15 +370,15 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 9087e80d0ab +%global fipsver b34fb09a5c # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 10 -%global rpmrelease 2 +%global buildver 7 +%global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -1360,7 +1360,7 @@ Patch1003: rh1842572-rsa_default_for_keytool.patch # Crypto policy and FIPS support patches # Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips -# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch +# as follows: git diff %%{vcstag} src make test > fips-11u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: # PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy @@ -1412,13 +1412,17 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 ############################################# # -# Patches appearing in 11.0.18 +# Patches appearing in 11.0.20 # # This section includes patches which are present # in the listed OpenJDK 11u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# +# JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile +Patch2002: jdk8274864-remove_amman_cairo_hacks.patch +# JDK-8305113: (tz) Update Timezone Data to 2023c +Patch2003: jdk8305113-tzdata2023c.patch BuildRequires: autoconf BuildRequires: automake @@ -1453,8 +1457,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2022g required as of JDK-8297804 -BuildRequires: tzdata-java >= 2022g +# 2023c required as of JDK-8305113 +BuildRequires: tzdata-java >= 2023c # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1837,6 +1841,9 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# tzdata update +%patch2002 -p1 +%patch2003 -p1 popd # openjdk %patch600 @@ -2647,6 +2654,22 @@ require "copy_jdk_configs.lua" %endif %changelog +* Fri Apr 14 2023 Andrew Hughes - 1:11.0.19.0.7-1 +- Update to jdk-11.0.19.0+7 +- Update release notes to 11.0.19.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Rebase FIPS support against 11.0.19+6 +- Rebase RH1750419 alt-java patch against 11.0.19+6 +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 + +* Fri Jan 13 2023 Andrew Hughes - 1:11.0.18.0.10-3 +- Add missing release note for JDK-8295687 +- Resolves: rhbz#2160111 + * Wed Jan 11 2023 Andrew Hughes - 1:11.0.18.0.10-2 - Update to jdk-11.0.18+10 (GA) - Update release notes to 11.0.18+10