diff --git a/.gitignore b/.gitignore
index f2440f6..e758bea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
+SOURCES/openjdk-jdk11u-jdk-11.0.17+7-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index 5e3b532..d96bf8e 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-a3658fc54f198072f4c61090b712bfe6ff222928 SOURCES/jdk-updates-jdk11u-jdk-11.0.15+10-4curve.tar.xz
+4cfb9133da3ebd3242c28f83980b3e461ced4553 SOURCES/openjdk-jdk11u-jdk-11.0.17+7-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/CheckVendor.java b/SOURCES/CheckVendor.java
index e2101cf..29b296b 100644
--- a/SOURCES/CheckVendor.java
+++ b/SOURCES/CheckVendor.java
@@ -21,8 +21,8 @@ along with this program. If not, see .
public class CheckVendor {
public static void main(String[] args) {
- if (args.length < 3) {
- System.err.println("CheckVendor ");
+ if (args.length < 4) {
+ System.err.println("CheckVendor ");
System.exit(1);
}
@@ -32,6 +32,8 @@ public class CheckVendor {
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
@@ -46,12 +48,18 @@ public class CheckVendor {
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
- System.err.printf("Invalid vendor bug URL%s, expected %s\n",
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
- System.err.printf("Vendor information verified as %s, %s, %s\n",
- vendor, vendorURL, vendorBugURL);
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index acb5afb..c697201 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,740 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 11.0.17 (2022-10-18):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11017
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.17.html
+
+* Other changes
+ - JDK-6606767: resexhausted00[34] fail assert(!thread->owns_locks(), "must release all locks when leaving VM")
+ - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
+ - JDK-7131823: bug in GIFImageReader
+ - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
+ - JDK-8028265: Add legacy tz tests to OpenJDK
+ - JDK-8069343: Improve gc/g1/TestHumongousCodeCacheRoots.java to use jtreg @requires
+ - JDK-8139348: Deprecate 3DES and RC4 in Kerberos
+ - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
+ - JDK-8164804: sun/security/ssl/SSLSocketImpl/CloseSocket.java makes not reliable time assumption
+ - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes!
+ - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
+ - JDK-8183372: Refactor java/lang/Class shell tests to java
+ - JDK-8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names
+ - JDK-8193462: Fix Filer handling of package-info initial elements
+ - JDK-8203277: preflow visitor used during lambda attribution shouldn't visit class definitions inside the lambda body
+ - JDK-8208471: nsk/jdb/unwatch/unwatch002/unwatch002.java fails with "Prompt is not received during 300200 milliseconds"
+ - JDK-8209052: Low contrast in docs/api/constant-values.html
+ - JDK-8209736: runtime/RedefineTests/ModifyAnonymous.java fails with NullPointerException when running in CDS mode
+ - JDK-8210107: vmTestbase/nsk/stress/network tests fail with Cannot assign requested address (Bind failed)
+ - JDK-8210722: JAXP Tests: CatalogSupport2 and CatalogSupport3 generate incorrect messages upon failure
+ - JDK-8210960: Allow --with-boot-jdk-jvmargs to work during configure
+ - JDK-8212904: JTextArea line wrapping incorrect when using UI scale
+ - JDK-8213695: gc/TestAllocateHeapAtMultiple.java is slow in some configs
+ - JDK-8214078: (fs) SecureDirectoryStream not supported on arm32
+ - JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
+ - JDK-8215291: Broken links when generating from project without modules
+ - JDK-8217170: gc/arguments/TestUseCompressedOopsErgo.java timed out
+ - JDK-8217332: JTREG: Clean up, use generics instead of raw types
+ - JDK-8218128: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003 and 004 use wrong path to test classes
+ - JDK-8218413: make reconfigure ignores configure-time AUTOCONF environment variable
+ - JDK-8219074: [TESTBUG] runtime/containers/docker/TestCPUAwareness.java typo of printing parameters (period should be shares)
+ - JDK-8219149: ProcessTools.ProcessBuilder should print timing info for subprocesses
+ - JDK-8220744: [TESTBUG] Move RedefineTests from runtime to serviceability
+ - JDK-8221871: javadoc should not set role=region on elements
+ - JDK-8221907: make reconfigure breaks when configured with relative paths
+ - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues
+ - JDK-8223575: add subspace transitions to gc+metaspace=info log lines
+ - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
+ - JDK-8226976: SessionTimeOutTests uses == operator for String value check
+ - JDK-8230708: Hotspot fails to build on linux-sparc with gcc-9
+ - JDK-8233712: Limit default tests jobs based on ulimit -u setting
+ - JDK-8235870: C2 crashes in IdealLoopTree::est_loop_flow_merge_sz()
+ - JDK-8236490: Compiler bug relating to @NonNull annotation
+ - JDK-8236823: Ensure that API documentation uses minified libraries
+ - JDK-8238196: tests that use SA Attach should not be allowed to run against signed binaries on Mac OS X 10.14.5 and later
+ - JDK-8238203: Return value of GetUserDefaultUILanguage() should be handled as LANGID
+ - JDK-8238268: Many SA tests are not running on OSX because they do not attempt to use sudo when available
+ - JDK-8238586: [TESTBUG] vmTestbase/jit/tiered/Test.java failed when TieredCompilation is disabled
+ - JDK-8239265: JFR: Test cleanup of jdk.jfr.api.consumer package
+ - JDK-8239379: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java on OSX
+ - JDK-8239423: jdk/jfr/jvm/TestJFRIntrinsic.java failed with -XX:-TieredCompilation
+ - JDK-8239902: [macos] Remove direct usage of JSlider, JProgressBar classes in CAccessible class
+ - JDK-8240903: Add test to check that jmod hashes are reproducible
+ - JDK-8242188: error in jtreg test jdk/jfr/api/consumer/TestRecordedFrame.java on linux-aarch64
+ - JDK-8247546: Pattern matching does not skip correctly over supplementary characters
+ - JDK-8247907: XMLDsig logging does not work
+ - JDK-8247964: All log0() in com/sun/org/slf4j/internal/Logger.java should be private
+ - JDK-8249623: test @ignore-d due to 7013634 should be returned back to execution
+ - JDK-8251152: ARM32: jtreg c2 Test8202414 test crash
+ - JDK-8251551: Use .md filename extension for README
+ - JDK-8252145: Unify Info.plist files with correct version strings
+ - JDK-8253829: Wrong length compared in SSPI bridge
+ - JDK-8253916: ResourceExhausted/resexhausted001 crashes on Linux-x64
+ - JDK-8254178: Remove .hgignore
+ - JDK-8254318: Remove .hgtags
+ - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
+ - JDK-8255729: com.sun.tools.javac.processing.JavacFiler.FilerOutputStream is inefficient
+ - JDK-8257623: vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted001/TestDescription.java shouldn't use timeout
+ - JDK-8258946: Fix optimization-unstable code involving signed integer overflow
+ - JDK-8261160: Add a deserialization JFR event
+ - JDK-8262085: Hovering Metal HTML Tooltips in different windows cause IllegalArgExc on Linux
+ - JDK-8264400: (fs) WindowsFileStore equality depends on how the FileStore was constructed
+ - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
+ - JDK-8265020: tests must be updated for new TestNG module name
+ - JDK-8265100: (fs) WindowsFileStore.hashCode() should read cached hash code once
+ - JDK-8265531: doc/building.md should mention homebrew install freetype
+ - JDK-8266250: WebSocketTest and WebSocketProxyTest call assertEquals(List, List)
+ - JDK-8266254: Update to use jtreg 6
+ - JDK-8266460: java.io tests fail on null stream with upgraded jtreg/TestNG
+ - JDK-8266461: tools/jmod/hashes/HashesTest.java fails: static @Test methods
+ - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
+ - JDK-8266675: Optimize IntHashTable for encapsulation and ease of use
+ - JDK-8266774: System property values for stdout/err on Windows UTF-8
+ - JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java
+ - JDK-8267180: Typo in copyright header for HashesTest
+ - JDK-8267271: Fix gc/arguments/TestNewRatioFlag.java expectedNewSize calculation
+ - JDK-8267880: Upgrade the default PKCS12 MAC algorithm
+ - JDK-8268185: Update GitHub Actions for jtreg 6
+ - JDK-8269039: Disable SHA-1 Signed JARs
+ - JDK-8269517: compiler/loopopts/TestPartialPeelingSinkNodes.java crashes with -XX:+VerifyGraphEdges
+ - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections
+ - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java
+ - JDK-8271010: vmTestbase/gc/lock/malloc/malloclock04/TestDescription.java crashes intermittently
+ - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
+ - JDK-8271512: ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java due to 8270326
+ - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
+ - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
+ - JDK-8273526: Extend the OSContainer API pids controller with pids.current
+ - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
+ - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false]
+ - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
+ - JDK-8275008: gtest build failure due to stringop-overflow warning with gcc11
+ - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
+ - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
+ - JDK-8277893: Arraycopy stress tests
+ - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
+ - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
+ - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
+ - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
+ - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
+ - JDK-8279622: C2: miscompilation of map pattern as a vector reduction
+ - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
+ - JDK-8281181: Do not use CPU Shares to compute active processor count
+ - JDK-8281535: Create a regression test for JDK-4670051
+ - JDK-8281569: Create tests for Frame.setMinimumSize() method
+ - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
+ - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
+ - JDK-8281745: Create a regression test for JDK-4514331
+ - JDK-8281988: Create a regression test for JDK-4618767
+ - JDK-8282214: Upgrade JQuery to version 3.6.0
+ - JDK-8282234: Create a regression test for JDK-4532513
+ - JDK-8282280: Update Xerces to Version 2.12.2
+ - JDK-8282343: Create a regression test for JDK-4518432
+ - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+ - JDK-8282548: Create a regression test for JDK-4330998
+ - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
+ - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
+ - JDK-8282860: Write a regression test for JDK-4164779
+ - JDK-8282933: Create a test for JDK-4529616
+ - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
+ - JDK-8283015: Create a test for JDK-4715496
+ - JDK-8283017: GHA: Workflows break with update release versions
+ - JDK-8283087: Create a test or JDK-4715503
+ - JDK-8283245: Create a test for JDK-4670319
+ - JDK-8283277: ISO 4217 Amendment 171 Update
+ - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
+ - JDK-8283493: Create an automated regression test for RFE 4231298
+ - JDK-8283507: Create a regression test for RFE 4287690
+ - JDK-8283621: Write a regression test for CCC4400728
+ - JDK-8283623: Create an automated regression test for JDK-4525475
+ - JDK-8283624: Create an automated regression test for RFE-4390885
+ - JDK-8283712: Create a manual test framework class
+ - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
+ - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+ - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
+ - JDK-8284077: Create an automated test for JDK-4170173
+ - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
+ - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
+ - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
+ - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
+ - JDK-8284754: print more interesting env variables in hs_err and VM.info
+ - JDK-8284758: [linux] improve print_container_info
+ - JDK-8284882: SIGSEGV in Node::verify_edges due to compilation bailout
+ - JDK-8284898: Enhance PassFailJFrame
+ - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
+ - JDK-8284950: CgroupV1 detection code should consider memory.swappiness
+ - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
+ - JDK-8285081: Improve XPath operators count accuracy
+ - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
+ - JDK-8285380: Fix typos in security
+ - JDK-8285398: Cache the results of constraint checks
+ - JDK-8285693: Create an automated test for JDK-4702199
+ - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
+ - JDK-8285728: Alpine Linux build fails with busybox tar
+ - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
+ - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
+ - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
+ - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
+ - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
+ - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
+ - JDK-8287017: Bump update version for OpenJDK: jdk-11.0.17
+ - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
+ - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
+ - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
+ - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
+ - JDK-8287336: GHA: Workflows break on patch versions
+ - JDK-8287366: Improve test failure reporting in GHA
+ - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
+ - JDK-8287463: JFR: Disable TestDevNull.java on Windows
+ - JDK-8287663: Add a regression test for JDK-8287073
+ - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
+ - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
+ - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
+ - JDK-8288467: remove memory_operand assert for spilled instructions
+ - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
+ - JDK-8288763: Pack200 extraction failure with invalid size
+ - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
+ - JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
+ - JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041)
+ - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
+ - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
+ - JDK-8289486: Improve XSLT XPath operators count efficiency
+ - JDK-8289549: ISO 4217 Amendment 172 Update
+ - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
+ - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
+ - JDK-8289853: Update HarfBuzz to 4.4.1
+ - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
+ - JDK-8290000: Bump macOS GitHub actions to macOS 11
+ - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
+ - JDK-8290198: Shenandoah: a few Shenandoah tests failure after JDK-8214799 11u backport
+ - JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
+ - JDK-8290334: Update FreeType to 2.12.1
+ - JDK-8290813: jdk/nashorn/api/scripting/test/ScriptObjectMirrorTest.java fails: assertEquals is ambiguous
+ - JDK-8290886: [11u]: Backport of JDK-8266250 introduced test failures
+ - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u
+ - JDK-8291713: assert(!phase->exceeding_node_budget()) failed: sanity after JDK-8223389
+ - JDK-8291794: [11u] Corrections after backport of JDK-8212028
+ - JDK-8292579: (tz) Update Timezone Data to 2022c
+ - JDK-8292852: [11u] TestMemoryWithCgroupV1 fails after JDK-8292768
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
+===========================================================================
+Two system properties have been added which control the keep alive
+behavior of HttpURLConnection in the case where the server does not
+specify a keep alive time. Two properties are defined for controlling
+connections to servers and proxies separately. They are:
+
+* `http.keepAlive.time.server`
+* `http.keepAlive.time.proxy`
+
+respectively. More information about them can be found on the
+Networking Properties page:
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
+
+hotspot/runtime:
+
+JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
+=====================================================================
+Previous JDK releases used an incorrect interpretation of the Linux
+cgroups parameter "cpu.shares". This might cause the JVM to use fewer
+CPUs than available, leading to an under utilization of CPU resources
+when the JVM is used inside a container.
+
+Starting from this JDK release, by default, the JVM no longer
+considers "cpu.shares" when deciding the number of threads to be used
+by the various thread pools. The `-XX:+UseContainerCpuShares`
+command-line option can be used to revert to the previous
+behavior. This option is deprecated and may be removed in a future JDK
+release.
+
+security-libs/java.security:
+
+JDK-8269039: Disabled SHA-1 Signed JARs
+=======================================
+JARs signed with SHA-1 algorithms are now restricted by default and
+treated as if they were unsigned. This applies to the algorithms used
+to digest, sign, and optionally timestamp the JAR. It also applies to
+the signature and digest algorithms of the certificates in the
+certificate chain of the code signer and the Timestamp Authority, and
+any CRLs or OCSP responses that are used to verify if those
+certificates have been revoked. These restrictions also apply to
+signed JCE providers.
+
+To reduce the compatibility risk for JARs that have been previously
+timestamped, there is one exception to this policy:
+
+- Any JAR signed with SHA-1 algorithms and timestamped prior to
+ January 01, 2019 will not be restricted.
+
+This exception may be removed in a future JDK release. To determine if
+your signed JARs are affected by this change, run:
+
+$ jarsigner -verify -verbose -certs`
+
+on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
+"disabled" and a warning that the JAR will be treated as unsigned in
+the output.
+
+For example:
+
+ Signed by "CN="Signer""
+ Digest algorithm: SHA-1 (disabled)
+ Signature algorithm: SHA1withRSA (disabled), 2048-bit key
+
+ WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
+
+ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
+
+JARs affected by these new restrictions should be replaced or
+re-signed with stronger algorithms.
+
+Users can, *at their own risk*, remove these restrictions by modifying
+the `java.security` configuration file (or override it by using the
+`java.security.properties` system property) and removing "SHA1 usage
+SignedJAR & denyAfter 2019-01-01" from the
+`jdk.certpath.disabledAlgorithms` security property and "SHA1
+denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
+property.
+
+JDK-8267880: Upgrade the default PKCS12 MAC algorithm
+=====================================================
+
+The default MAC algorithm used in a PKCS #12 keystore has been
+updated. The new algorithm is based on SHA-256 and is stronger than
+the old one based on SHA-1. See the security properties starting with
+`keystore.pkcs12` in the `java.security` file for detailed
+information.
+
+The new SHA-256 based MAC algorithms were introduced in the 11.0.12
+release. Keystores created using this newer, stronger, MAC algorithm
+cannot be opened in versions of OpenJDK 11 earlier than 11.0.12. A
+'java.security.NoSuchAlgorithmException' exception will be thrown in
+such circumstances.
+
+For compatibility, use the `keystore.pkcs12.legacy` system property,
+which will revert the algorithms to use the older, weaker
+algorithms. There is no value defined for this property.
+
+core-libs/java.io:serialization:
+
+JDK-8261160: JDK Flight Recorder Event for Deserialization
+==========================================================
+It is now possible to monitor deserialization of objects using JDK
+Flight Recorder (JFR). When JFR is enabled and the JFR configuration
+includes deserialization events, JFR will emit an event whenever the
+running program attempts to deserialize an object. The deserialization
+event is named `jdk.Deserialization`, and it is disabled by
+default. The deserialization event contains information that is used
+by the serialization filter mechanism; see the ObjectInputFilter API
+specification for details.
+
+Additionally, if a filter is enabled, the JFR event indicates whether
+the filter accepted or rejected deserialization of the object. For
+further information about how to use the JFR deserialization event,
+see the article "Monitoring Deserialization to Improve Application
+Security"
+(https://inside.java/2021/03/02/monitoring-deserialization-activity-in-the-jdk/).
+
+For reference information about using and configuring JFR, see the
+"JFR Runtime Guide"
+(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-runtime-guide/preface_jfrrt.htm#JFRRT165)
+and "JFR Command Reference"
+(https://docs.oracle.com/javacomponents/jmc-5-5/jfr-command-reference/command-line-options.htm#JFRCR-GUID-FE61CA60-E1DF-460E-A8E0-F4FF5D58A7A0)
+sections of the JDK Mission Control documentation.
+
+security-libs/org.ietf.jgss:krb5:
+
+JDK-8139348: Deprecate 3DES and RC4 in Kerberos
+===============================================
+The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)
+are now deprecated and disabled by default. Users can set
+`allow_weak_crypto = true` in the `krb5.conf` configuration file to
+re-enable them (along with other weak etypes including `des-cbc-crc`
+and `des-cbc-md5`) at their own risk. To disable a subset of the weak
+etypes, users can list preferred etypes explicitly in any of the
+`default_tkt_enctypes`, `default_tgs_enctypes`, or
+`permitted_enctypes` settings.
+
+New in release OpenJDK 11.0.16.1 (2022-08-12):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk110161
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.1.txt
+
+* Other changes
+ - JDK-8292255: Bump update version for OpenJDK: jdk-11.0.16.1
+ - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large
+
+Notes on individual issues:
+===========================
+
+hotspot/compiler:
+
+JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM
+============================================================
+Fixes a regression in the C2 JIT compiler which caused the Java
+Runtime to crash unpredictably.
+
+New in release OpenJDK 11.0.16 (2022-07-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11016
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.16.txt
+
+* Security fixes
+ - JDK-8277608: Address IP Addressing
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
+* Other changes
+ - JDK-6986863: ProfileDeferralMgr throwing ConcurrentModificationException
+ - JDK-7124293: [macosx] VoiceOver reads percentages rather than the actual values for sliders.
+ - JDK-7124301: [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
+ - JDK-8133713: [macosx] Accessible JTables always reported as empty
+ - JDK-8139046: Compiler Control: IGVPrintLevel directive should set PrintIdealGraph
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8163498: Many long-running security libs tests
+ - JDK-8166727: javac crashed: [jimage.dll+0x1942] ImageStrings::find+0x28
+ - JDK-8169004: Fix redundant @requires tags in tests
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
+ - JDK-8182404: remove jdk.testlibrary.JDKToolFinder and JDKToolLauncher
+ - JDK-8186548: move jdk.testlibrary.JcmdBase closer to tests
+ - JDK-8192057: com/sun/jdi/BadHandshakeTest.java fails with java.net.ConnectException
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8199874: [TESTBUG] runtime/Thread/ThreadPriorities.java fails with "expected 0 to equal 10"
+ - JDK-8202886: [macos] Test java/awt/MenuBar/8007006/bug8007006.java fails on MacOS
+ - JDK-8203238: [TESTBUG] rewrite MemOptions shell test in Java
+ - JDK-8203239: [TESTBUG] remove vmTestbase/vm/gc/kind/parOld test
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8206330: Revisit com/sun/jdi/RedefineCrossEvent.java
+ - JDK-8207364: nsk/jvmti/ResourceExhausted/resexhausted003 fails to start
+ - JDK-8208207: Test nsk/stress/jni/gclocker/gcl001 fails after co-location
+ - JDK-8208246: flags duplications in vmTestbase_vm_g1classunloading tests
+ - JDK-8208249: TriggerUnloadingByFillingMetaspace generates garbage class names
+ - JDK-8208697: vmTestbase/metaspace/stressHierarchy/stressHierarchy012/TestDescription.java fails with OutOfMemoryError: Metaspace
+ - JDK-8209150: [TESTBUG] Add logging to verify JDK-8197901 to a different test
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
+ - JDK-8209883: ZGC: Compile without C1 broken
+ - JDK-8209920: runtime/logging/RedefineClasses.java fail with OOME with ZGC
+ - JDK-8210022: remove jdk.testlibrary.ProcessThread, TestThread and XRun
+ - JDK-8210039: move OSInfo to top level testlibrary
+ - JDK-8210108: sun/tools/jstatd test build failures after JDK-8210022
+ - JDK-8210112: remove jdk.testlibrary.ProcessTools
+ - JDK-8210649: AssertionError @ jdk.compiler/com.sun.tools.javac.comp.Modules.enter(Modules.java:244)
+ - JDK-8210732: remove jdk.testlibrary.Utils
+ - JDK-8211795: ArrayIndexOutOfBoundsException in PNGImageReader after JDK-6788458
+ - JDK-8211822: Some tests fail after JDK-8210039
+ - JDK-8211962: Implicit narrowing in MacOSX java.desktop jsound
+ - JDK-8212151: jdi/ExclusiveBind.java times out due to "bind failed: Address already in use" on Solaris-X64
+ - JDK-8213440: Lingering INCLUDE_ALL_GCS in test_oopStorage_parperf.cpp
+ - JDK-8214275: CondyRepeatFailedResolution asserts "Dynamic constant has no fixed basic type"
+ - JDK-8214799: Add package declaration to each JTREG test case in the gc folder
+ - JDK-8215544: SA: Modify ClhsdbLauncher to add sudo privileges to enable MacOS tests on Mach5
+ - JDK-8216137: assert(Compile::current()->live_nodes() < Compile::current()->max_node_limit()) failed: Live Node limit exceeded limit
+ - JDK-8216265: [testbug] Introduce Platform.sharedLibraryPathVariableName() and adapt all tests.
+ - JDK-8216366: Add rationale to PER_CPU_SHARES define
+ - JDK-8217017: [TESTBUG] Tests fail to compile after JDK-8216265
+ - JDK-8217233: Update build settings for AIX/xlc
+ - JDK-8217340: Compilation failed: tools/launcher/Test7029048.java
+ - JDK-8217473: SA: Tests using ClhsdbLauncher fail on SAP docker containers
+ - JDK-8218136: minor hotspot adjustments for xlclang++ from xlc16 on AIX
+ - JDK-8218751: Do not store original classfiles inside the CDS archive
+ - JDK-8218965: aix: support xlclang++ in the compiler detection
+ - JDK-8220658: Improve the readability of container information in the error log
+ - JDK-8220813: update hotspot tier1_gc tests depending on GC to use @requires vm.gc.X
+ - JDK-8222799: java.beans.Introspector uses an obsolete methods cache
+ - JDK-8222926: Shenandoah build fails with --with-jvm-features=-compiler1
+ - JDK-8223143: Restructure/clean-up for 'loopexit_or_null()'.
+ - JDK-8223363: Bad node estimate assertion failure
+ - JDK-8223389: Shenandoah optimizations fail with assert(!phase->exceeding_node_budget())
+ - JDK-8223396: [TESTBUG] several jfr tests do not clean up files created in /tmp
+ - JDK-8223502: Node estimate for loop unswitching is not correct: assert(delta <= 2 * required) failed: Bad node estimate
+ - JDK-8224648: assert(!exceeding_node_budget()) failed: Too many NODES required! failure with ctw
+ - JDK-8225475: Node budget asserts on x86_32/64
+ - JDK-8227171: provide function names in native stack trace on aix with xlc16
+ - JDK-8227389: Remove unsupported xlc16 compile options on aix
+ - JDK-8229202: Docker reporting causes secondary crashes in error handling
+ - JDK-8229210: [TESTBUG] Move gc stress tests from JFR directory tree to gc/stress
+ - JDK-8229486: Replace wildcard address with loopback or local host in tests - part 21
+ - JDK-8229499: Node budget assert in fuzzed test
+ - JDK-8230305: Cgroups v2: Container awareness
+ - JDK-8230865: [TESTBUG] jdk/jfr/event/io/EvilInstrument.java fails at-run shell MakeJAR.sh target
+ - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+ - JDK-8231454: File lock in Windows on a loaded jar due to a leak in Introspector::getBeanInfo
+ - JDK-8231489: GC watermark_0_1 failed due to "metaspace.gc.Fault: GC has happened too rare"
+ - JDK-8231565: More node budget asserts in fuzzed tests
+ - JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
+ - JDK-8234382: Test tools/javac/processing/model/testgetallmembers/Main.java using too small heap
+ - JDK-8234605: C2 failed "assert(C->live_nodes() - live_at_begin <= 2 * _nodes_required) failed: Bad node estimate: actual = 208 >> request = 101"
+ - JDK-8234608: [TESTBUG] Fix G1 redefineClasses tests and a memory leak
+ - JDK-8235220: ClhsdbScanOops.java fails with sun.jvm.hotspot.types.WrongTypeException
+ - JDK-8235385: Crash on aarch64 JDK due to long offset
+ - JDK-8237479: 8230305 causes slowdebug build failure
+ - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+ - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+ - JDK-8240132: ProblemList com/sun/jdi/InvokeHangTest.java
+ - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+ - JDK-8240335: C2: assert(found_sfpt) failed: no node in loop that's not input to safepoint
+ - JDK-8240734: ModuleHashes attribute not reproducible between builds
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
+ - JDK-8241707: introduce randomness k/w to hotspot test suite
+ - JDK-8242310: use reproducible random in hotspot compiler tests
+ - JDK-8242311: use reproducible random in hotspot runtime tests
+ - JDK-8242312: use reproducible random in hotspot gc tests
+ - JDK-8242313: use reproducible random in hotspot svc tests
+ - JDK-8242538: java/security/SecureRandom/ThreadSafe.java failed on windows
+ - JDK-8243429: use reproducible random in :vmTestbase_nsk_stress
+ - JDK-8243666: ModuleHashes attribute generated for JMOD and JAR files depends on timestamps
+ - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+ - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
+ - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+ - JDK-8245938: Remove unused print_stack(void) method from XToolkit.c
+ - JDK-8246494: introduce vm.flagless at-requires property
+ - JDK-8246741: NetworkInterface/UniqueMacAddressesTest: mac address uniqueness test failed
+ - JDK-8247589: Implementation of Alpine Linux/x64 Port
+ - JDK-8247591: Document Alpine Linux build steps in OpenJDK build guide
+ - JDK-8247592: refactor test/jdk/tools/launcher/Test7029048.java
+ - JDK-8247614: java/nio/channels/DatagramChannel/Connect.java timed out
+ - JDK-8248876: LoadObject with bad base address created for exec file on linux
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8252117: com/sun/jdi/BadHandshakeTest.java failed with "ConnectException: Connection refused: connect"
+ - JDK-8252248: __SIGRTMAX is not declared in musl libc
+ - JDK-8252250: isnanf is obsolete
+ - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+ - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+ - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+ - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+ - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+ - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+ - JDK-8253872: ArgumentHandler must use the same delimiters as in jvmti_tools.cpp
+ - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+ - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+ - JDK-8254887: C2: assert(cl->trip_count() > 0) failed: peeling a fully unrolled loop
+ - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8255604: java/nio/channels/DatagramChannel/Connect.java fails with java.net.BindException: Cannot assign requested address: connect
+ - JDK-8255787: Tag container tests that use cGroups with cgroups keyword
+ - JDK-8256146: Cleanup test/jdk/java/nio/channels/DatagramChannel/Connect.java
+ - JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
+ - JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
+ - JDK-8258795: Update IANA Language Subtag Registry to Version 2021-05-11
+ - JDK-8258956: Memory Leak in StringCoding on ThreadLocal resultCached StringCoding.Result
+ - JDK-8259517: Incorrect test path in test cases
+ - JDK-8260518: Change default -mmacosx-version-min to 10.12
+ - JDK-8261169: Upgrade HarfBuzz to the latest 2.8.0
+ - JDK-8262379: Add regression test for JDK-8257746
+ - JDK-8263364: sun/net/www/http/KeepAliveStream/KeepAliveStreamCloseWithWrongContentLength.java wedged in getInputStream
+ - JDK-8263718: unused-result warning happens at os_linux.cpp
+ - JDK-8263856: Github Actions for macos/aarch64 cross-build
+ - JDK-8264179: [TESTBUG] Some compiler tests fail when running without C2
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265297: javax/net/ssl/SSLSession/TestEnabledProtocols.java failed with "RuntimeException: java.net.SocketException: Connection reset"
+ - JDK-8265343: Update Debian-based cross-compilation recipes
+ - JDK-8266251: compiler.inlining.InlineAccessors shouldn't do testing in driver VM
+ - JDK-8266318: Switch to macos prefix for macOS bundles
+ - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+ - JDK-8266545: 8261169 broke Harfbuzz build with gcc 7 and 8
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
+ - JDK-8269772: [macos-aarch64] test compilation failed with "SocketException: No buffer space available"
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+ - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273176: handle latest VS2019 in abstract_vm_version
+ - JDK-8273655: content-types.properties files are missing some common types
+ - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8275082: Update XML Security for Java to 2.3.0
+ - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277093: Vector should throw ClassNotFoundException for a missing class of an element
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
+ - JDK-8282501: Bump update version for OpenJDK: jdk-11.0.16
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282588: [11] set harfbuzz compilation flag to -std=c++11
+ - JDK-8282589: runtime/ErrorHandling/ErrorHandler.java fails on MacOS aarch64 in jdk 11
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283018: 11u GHA: Update GCC 9 minor versions
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283420: [AOT] Exclude TrackedFlagTest/NotTrackedFlagTest in 11u because of intermittent java.lang.AssertionError: duplicate classes for name Ljava/lang/Boolean;
+ - JDK-8283424: compiler/loopopts/LoopUnswitchingBadNodeBudget.java fails with release VMs due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283614: [11] Repair compiler versions handling after 8233787
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
+ - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
+ - JDK-8284573: [11u] ProblemList TestBubbleUpRef.java and TestGCOldWithCMS.java because of 8272195
+ - JDK-8284604: [11u] Update Boot JDK used in GHA to 11.0.14.1
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+ - JDK-8285395: [JVMCI] [11u] Partial backport of JDK-8220623: InstalledCode
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
+ - JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285591: [11] add signum checks in DSA.java engineVerify
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285720: test/jdk/java/nio/file/Files/probeContentType/Basic.java fails to compile after backport of 8273655
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286630: [11] avoid -std=c++11 CXX harfbuzz buildflag on Windows
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
+ - JDK-8287739: [11u] ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+
+Notes on individual issues:
+===========================
+
+core-libs/java.io:serialization:
+
+JDK-8277157: Vector should throw ClassNotFoundException for a missing class of an element
+=========================================================================================
+`java.util.Vector` is updated to correctly report
+`ClassNotFoundException that occurs during deserialization using
+`java.io.ObjectInputStream.GetField.get(name, object)` when the class
+of an element of the Vector is not found. Without this fix, a
+`StreamCorruptedException` is thrown that does not provide information
+about the missing class.
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
New in release OpenJDK 11.0.15 (2022-04-19):
=============================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
index 06a0b07..2967a32 100644
--- a/SOURCES/TestSecurityProperties.java
+++ b/SOURCES/TestSecurityProperties.java
@@ -1,3 +1,20 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+ enable the crypto policies.
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
@@ -9,35 +26,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties ");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
}
diff --git a/SOURCES/TestTranslations.java b/SOURCES/TestTranslations.java
new file mode 100644
index 0000000..cf83303
--- /dev/null
+++ b/SOURCES/TestTranslations.java
@@ -0,0 +1,35 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.ResourceBundle;
+
+import sun.util.resources.LocaleData;
+import sun.util.locale.provider.LocaleProviderAdapter;
+
+public class TestTranslations {
+ public static void main(String[] args) {
+ for (String zone : args) {
+ System.out.printf("Translations for %s\n", zone);
+ for (Locale l : Locale.getAvailableLocales()) {
+ ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l);
+ System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
+ }
+ }
+ }
+}
diff --git a/SOURCES/fips-11u-9087e80d0ab.patch b/SOURCES/fips-11u-9087e80d0ab.patch
new file mode 100644
index 0000000..a396fb8
--- /dev/null
+++ b/SOURCES/fips-11u-9087e80d0ab.patch
@@ -0,0 +1,1610 @@
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index a73c0f38181..80710886ed8 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_LIBFFI
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
++ LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_SOLARIS_STLPORT
+ LIB_TESTS_SETUP_GRAALUNIT
+
+@@ -223,3 +224,62 @@ AC_DEFUN_ONCE([LIB_SETUP_SOLARIS_STLPORT],
+ fi
+ ])
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index 0ae23b93167..a242acc1234 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -826,6 +826,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
+index a529768f39e..daf9c947172 100644
+--- a/make/lib/Lib-java.base.gmk
++++ b/make/lib/Lib-java.base.gmk
+@@ -178,6 +178,31 @@ ifeq ($(OPENJDK_TARGET_OS_TYPE), unix)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/make/nb_native/nbproject/configurations.xml b/make/nb_native/nbproject/configurations.xml
+index fb07d54c1f0..c5813e2b7aa 100644
+--- a/make/nb_native/nbproject/configurations.xml
++++ b/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+ LinuxWatchService.c
+
+
++
++ systemconf.c
++
+
+
+
+@@ -29301,6 +29304,11 @@
+ tool="0"
+ flavor2="0">
+
++
++
+
++#include
++#include "jvm_md.h"
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#else
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index b36510a376b..ad5182e1e7c 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ *
Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -67,6 +76,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -83,6 +105,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -98,6 +121,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -192,6 +216,61 @@ public final class Security {
+ }
+ }
+
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System security properties could not be loaded.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
++ }
++ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
++ }
+ }
+
+ /*
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..90f6dd2ebc0
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,248 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean systemSecPropsLoaded = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ systemSecPropsLoaded = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return systemSecPropsLoaded;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry
-
-+
-+ systemconf.c
-+
-
-
-
-@@ -29301,6 +29304,11 @@
- tool="0"
- flavor2="0">
-
-+
-+
-
-+#include
-+#include
-+#include
-+
-+#ifdef SYSCONF_NSS
-+#include
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,13 +30,9 @@
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -58,10 +54,21 @@
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
-+ private static boolean systemFipsEnabled = false;
-+
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-
-- private static boolean systemFipsEnabled = false;
-+ static {
-+ AccessController.doPrivileged(new PrivilegedAction() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-
- /*
- * Invoked when java.security.Security class is initialized, if
-@@ -170,16 +177,34 @@
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
- private static boolean enableFips() throws Exception {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch
deleted file mode 100644
index ac9bdb5..0000000
--- a/SOURCES/rh1991003-enable_fips_keys_import.patch
+++ /dev/null
@@ -1,590 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 53f32d12cc..28ab184617 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -82,6 +82,10 @@ public final class Security {
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
- });
-
- // doPrivileged here because there are multiple
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 5565acb7c6..874c6221eb 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -55,6 +55,7 @@ final class SystemConfigurator {
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
- private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-
- private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-
-@@ -149,6 +150,16 @@ final class SystemConfigurator {
- }
- loadedProps = true;
- systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -176,6 +187,19 @@ final class SystemConfigurator {
- return systemFipsEnabled;
- }
-
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
- /*
- * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
- * system property is true (default) and the system is in FIPS mode.
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-index d8caa5640c..21bc6d0b59 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
-@@ -27,4 +27,5 @@ package jdk.internal.misc;
-
- public interface JavaSecuritySystemConfiguratorAccess {
- boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
- }
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603..ff3d5e0e4a 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
-
- import javax.net.ssl.*;
-
-+import jdk.internal.misc.SharedSecrets;
-+
- abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
- X509ExtendedKeyManager keyManager;
- boolean isInitialized;
-
-@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- KeyStoreException, NoSuchAlgorithmException,
- UnrecoverableKeyException {
- if ((ks != null) && SunJSSE.isFIPS()) {
-- if (ks.getProvider() != SunJSSE.cryptoProvider) {
-+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
-+ !plainKeySupportEnabled) {
- throw new KeyStoreException("FIPS mode: KeyStore must be "
- + "from provider " + SunJSSE.cryptoProvider.getName());
- }
-@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
- keyManager = new X509KeyManagerImpl(
- Collections.emptyList());
- } else {
-- if (SunJSSE.isFIPS() &&
-- (ks.getProvider() != SunJSSE.cryptoProvider)) {
-+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
-+ && !plainKeySupportEnabled) {
- throw new KeyStoreException(
- "FIPS mode: KeyStore must be " +
- "from provider " + SunJSSE.cryptoProvider.getName());
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 0000000000..b848a1fd78
---- /dev/null
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,290 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 1eca1f8f0a..72674a7330 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 04a369f453..8d2081abaa 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -150,16 +151,28 @@ public class PKCS11 {
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index a443dc8..0000000
--- a/SOURCES/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 5460efcf8c..f08dc2fafc 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -182,6 +182,7 @@ module java.base {
- java.security.jgss,
- java.sql,
- java.xml,
-+ jdk.crypto.cryptoki,
- jdk.jartool,
- jdk.attach,
- jdk.charsets,
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 099caac605..ffadb43eb1 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback;
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
- import jdk.internal.misc.InnocuousThread;
-+import jdk.internal.misc.SharedSecrets;
-+
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 9490624..0000000
--- a/SOURCES/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
-Author: Andrew Hughes
-Date: Tue Jan 18 02:00:55 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-index 2ec51d57806..8489b940c43 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
-@@ -36,6 +36,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -368,6 +369,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ unsafe.ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index b8c8ba5..0000000
--- a/SOURCES/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
-Author: Fridrich Strba
-Date: Mon Jan 17 19:44:03 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 6f4656bfcb6..34d0ff0ce91 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index b5351a8..0000000
--- a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
-Author: Andrew Hughes
-Date: Tue Jan 18 02:09:27 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 28ab1846173..f9726741afd 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -61,10 +61,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -206,22 +202,36 @@ public final class Security {
- }
- }
-
-+ if (!loadedProps) {
-+ initializeStatic();
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties " +
-+ "-- using defaults");
-+ }
-+ }
-+
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
- "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-- if (SystemConfigurator.configure(props)) {
-- loadedProps = true;
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
- }
- }
-
-- if (!loadedProps) {
-- initializeStatic();
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
- if (sdebug != null) {
-- sdebug.println("unable to load security properties " +
-- "-- using defaults");
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
- }
- }
--
- }
-
- /*
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 874c6221ebe..b7ed41acf0f 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
deleted file mode 100644
index dd30384..0000000
--- a/SOURCES/rh2052829-fips_runtime_nss_detection.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-commit e2be09f982af1cc05f5e6556d51900bca4757416
-Author: Andrew Hughes
-Date: Mon Feb 28 05:30:32 2022 +0000
-
- RH2051605: Detect NSS at Runtime for FIPS detection
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 34d0ff0ce91..8dcb7d9073f 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -23,25 +23,99 @@
- * questions.
- */
-
--#include
- #include
- #include
-+#include "jvm_md.h"
- #include
-
- #ifdef SYSCONF_NSS
- #include
-+#else
-+#include
- #endif //SYSCONF_NSS
-
- #include "java_security_SystemConfigurator.h"
-
-+#define MSG_MAX_SIZE 256
- #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
--#define MSG_MAX_SIZE 96
-
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
- debugObj = (*env)->NewGlobalRef(env, debugObj);
- }
-
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
- return (*env)->GetVersion(env);
- }
-
-@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
- if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
- return; /* Should not happen */
- }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
- (*env)->DeleteGlobalRef(env, debugObj);
- }
- }
-@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- char msg[MSG_MAX_SIZE];
- int msg_bytes;
-
--#ifdef SYSCONF_NSS
--
-- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-- fips_enabled = SECMOD_GetSystemFIPSEnabled();
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " SECMOD_GetSystemFIPSEnabled return value");
-- }
-- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
--
--#else // SYSCONF_NSS
-+ FILE *fe;
-
-- FILE *fe;
--
-- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- fips_enabled = fgetc(fe);
-- fclose(fe);
-- if (fips_enabled == EOF) {
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
- return JNI_FALSE;
-- }
-- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-- " read character is '%c'", fips_enabled);
-- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-- dbgPrint(env, msg);
-- } else {
-- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-- " read character");
-- }
-- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
--
--#endif // SYSCONF_NSS
--}
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
- }
- }
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index a9022b3..b48f7fe 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -25,6 +25,8 @@
%bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@@ -41,6 +43,16 @@
%global build_hotspot_first 0
%endif
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -197,11 +209,15 @@
%global staticlibs_loop %{nil}
%endif
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@@ -315,12 +331,8 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
-%global updatever 15
+%global updatever 17
%global patchver 0
-# If you bump featurever, you must bump also vendor_version_string
-# Used via new version scheme. JDK 11 was
-# GA'ed in September 2018 => 18.9
-%global vendor_version_string 18.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -353,17 +365,20 @@
%endif
%endif
%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 9087e80d0ab
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 10
-%global rpmrelease 3
+%global buildver 7
+%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -379,12 +394,11 @@
%endif
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-# Omit trailing 0 in filenames when the patch version is 0
-%if 0%{?patchver} > 0
-%global filever %{newjavaver}
-%else
-%global filever %{featurever}.%{interimver}.%{updatever}
-%endif
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+
+# The tag used to create the OpenJDK tarball
+%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
%global javaver %{featurever}
@@ -392,7 +406,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global ea_designator ""
%global ea_designator_zip ""
@@ -423,7 +437,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@@ -847,6 +861,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@@ -1127,8 +1144,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2021e required as of JDK-8275766 in January 2022 CPU
-Requires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1141,6 +1158,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1286,7 +1305,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
+Source0: openjdk-jdk%{featurever}u-%{vcstag}-4curve.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@@ -1320,6 +1339,9 @@ Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
############################################
#
# RPM/distribution specific patches
@@ -1336,29 +1358,31 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
-
-# FIPS support patches
+# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
+Patch4: jdk8292223-tzdata2022b-kyiv.patch
+
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips
+# as follows: git diff %%{vcstag} src make > fips-11u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1009: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1011: rh1991003-enable_fips_keys_import.patch
-# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Return in C code after having generated Java exception
+# RH2052819: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
# RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
-# RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+Patch1001: fips-11u-%{fipsver}.patch
#############################################
#
@@ -1378,10 +1402,6 @@ Patch1017: rh2052829-fips_runtime_nss_detection.patch
#############################################
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3695: Allow use of system crypto policy to be disabled by the user
-Patch7: pr3695-toggle_system_crypto_policy.patch
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Patch8: jdk8275535-rh2053256-ldap_auth.patch
@@ -1394,8 +1414,6 @@ Patch8: jdk8275535-rh2053256-ldap_auth.patch
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
-# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
-Patch101: jdk8257794-remove_broken_assert.patch
#############################################
#
@@ -1416,14 +1434,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
-BuildRequires: freetype-devel
-BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-BuildRequires: harfbuzz-devel
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@@ -1434,6 +1446,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1444,8 +1458,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2021e required as of JDK-8275766 in January 2022 CPU
-BuildRequires: tzdata-java >= 2021e
+# 2022a required as of JDK-8283350 in 11.0.16
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1454,6 +1468,30 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.1
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 4.4.1
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@@ -1749,6 +1787,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1787,8 +1827,11 @@ if [ $prioritylength -ne 8 ] ; then
fi
# OpenJDK patches
+
+%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name}
+%endif
# Patch the JDK
pushd %{top_level_dir_name}
@@ -1796,25 +1839,14 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch4 -p1
-%patch7 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
popd # openjdk
-%patch101
-
-%patch1000
%patch600
-%patch1001
-%patch1002
%patch1003
-%patch1004
-%patch1007
-%patch1008
-%patch1009
-%patch1011
-%patch1014
-%patch1015
-%patch1016
-%patch1017
%patch8
@@ -1914,6 +1946,12 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
+ if [ "x${link_opt}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
@@ -1935,7 +1973,7 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
@@ -1945,13 +1983,14 @@ function buildjdk() {
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=system \
+ --with-zlib=${link_opt} \
+ --with-freetype=${link_opt} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
--with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \
- --with-stdc++lib=dynamic \
+ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-asflags="$EXTRA_ASFLAGS" \
@@ -2013,6 +2052,10 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
@@ -2023,6 +2066,10 @@ function installjdk() {
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
+
+ # Print release information
+ cat ${imagepath}/release
+
fi
}
@@ -2054,12 +2101,13 @@ for suffix in %{build_loop} ; do
bootinstalldir=boot${installdir}
if test "x${loop}" = "x%{main_suffix}" ; then
+ link_opt="%{link_type}"
+%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
- # Use system libraries
- link_opt="system"
+%endif
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
# slower builds.
@@ -2080,9 +2128,11 @@ for suffix in %{build_loop} ; do
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi
+%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
else
# Use bundled libraries for building statically
link_opt="bundled"
@@ -2123,13 +2173,18 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2141,6 +2196,14 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \
+ --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
+ -d . %{SOURCE18}
+$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
+ --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
+ $(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
@@ -2618,6 +2681,74 @@ end
%endif
%changelog
+* Wed Oct 05 2022 Andrew Hughes - 1:11.0.17.0.7-0.2.ea
+- Update to jdk-11.0.17+7
+- Update release notes to 11.0.17+7
+- Resolves: rhbz#2130374
+
+* Tue Sep 06 2022 Andrew Hughes - 1:11.0.17.0.1-0.2.ea
+- Update to jdk-11.0.17+1
+- Update release notes to 11.0.17+1
+- Switch to EA mode for 11.0.17 pre-release builds.
+- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
+- Bump FreeType bundled version to 2.12.1 following JDK-8290334
+- Related: rhbz#2130374
+
+* Tue Aug 30 2022 Andrew Hughes - 1:11.0.16.1.1-3
+- Switch to static builds, reducing system dependencies and making build more portable
+- Resolves: rhbz#2121266
+
+* Wed Aug 24 2022 Andrew Hughes - 1:11.0.16.1.1-2
+- Update to jdk-11.0.16.1+1
+- Update release notes to 11.0.16.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+- Resolves: rhbz#2119527
+
+* Fri Jul 22 2022 Andrew Hughes - 1:11.0.16.0.8-2
+- Update to jdk-11.0.16+8
+- Update release notes to 11.0.16+8
+- Switch to GA mode for release
+- Resolves: rhbz#2106515
+
+* Sat Jul 16 2022 Andrew Hughes - 1:11.0.16.0.7-0.1.ea
+- Update to jdk-11.0.16+7
+- Update release notes to 11.0.16+7
+- Switch to EA mode for 11.0.16 pre-release builds.
+- Use same tarball naming style as java-17-openjdk and java-latest-openjdk
+- Drop JDK-8257794 patch now upstreamed
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Use "git apply" with patches in the tarball script to allow binary diffs
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Explicitly require crypto-policies during build and runtime for system security properties
+- Resolves: rhbz#2083298
+
+* Thu Jul 14 2022 Jiri Vanek - 1:11.0.16.0.7-0.1.ea
+- Add additional patch during tarball generation to align tests with ECC changes
+- Related: rhbz#2083298
+
+* Fri Jul 08 2022 Andrew Hughes - 1:11.0.15.0.10-6
+- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+- Resolves: rhbz#2099838
+- Resolves: rhbz#2090378
+
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:11.0.15.0.10-5
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+- Resolves: rhbz#2102430
+
+* Thu Jun 30 2022 Stephan Bergmann - 1:11.0.15.0.10-4
+- Fix flatpak builds by exempting them from bootstrap
+- Resolves: rhbz#2102731
+
* Sun Apr 24 2022 Andrew Hughes - 1:11.0.15.0.10-3
- Update to jdk-11.0.15.0+10
- Update release notes to 11.0.15.0+10