The package rpms/python-databases.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/python-databases.git/commit/?id=45d….
Change:
-%ifnarch %{ix86} %{arm32}
Thanks.
Full change:
============
commit 5a83f920bdd3b16234242437a5a95da04eca3a4c
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Wed Nov 30 11:14:29 2022 -0500
Patch for sqlalchemy >=1.42
diff --git a/513.patch b/513.patch
new file mode 100644
index 0000000..d9b6cf8
--- /dev/null
+++ b/513.patch
@@ -0,0 +1,61 @@
+From fe18d9bfb23ff0bb64f3f9545357f708b418849d Mon Sep 17 00:00:00 2001
+From: joniumGit <52005121+joniumGit(a)users.noreply.github.com>
+Date: Tue, 18 Oct 2022 12:39:38 +0300
+Subject: [PATCH] Fixes breaking changes in SQLAlchemy cursor
+
+- fixes #512
+---
+ databases/backends/aiopg.py | 1 +
+ databases/backends/asyncmy.py | 1 +
+ databases/backends/mysql.py | 1 +
+ databases/backends/sqlite.py | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/databases/backends/aiopg.py b/databases/backends/aiopg.py
+index 60c741a7..1d35749e 100644
+--- a/databases/backends/aiopg.py
++++ b/databases/backends/aiopg.py
+@@ -221,6 +221,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+ else:
+diff --git a/databases/backends/asyncmy.py b/databases/backends/asyncmy.py
+index e15dfa45..233d2e0e 100644
+--- a/databases/backends/asyncmy.py
++++ b/databases/backends/asyncmy.py
+@@ -211,6 +211,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+ else:
+diff --git a/databases/backends/mysql.py b/databases/backends/mysql.py
+index 2a0a8425..c7ac9f4e 100644
+--- a/databases/backends/mysql.py
++++ b/databases/backends/mysql.py
+@@ -211,6 +211,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+ else:
+diff --git a/databases/backends/sqlite.py b/databases/backends/sqlite.py
+index 9626dcf8..69ef5b51 100644
+--- a/databases/backends/sqlite.py
++++ b/databases/backends/sqlite.py
+@@ -185,6 +185,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+
diff --git a/python-databases.spec b/python-databases.spec
index b9eab85..8bbcf10 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -26,6 +26,10 @@ Source0: %{forgeurl}/archive/%{version}/databases-%{version}.tar.gz
%global with_asyncmy 1
%endif
+# Fixes breaking changes in SQLAlchemy cursor
+# https://github.com/encode/databases/pull/513
+Patch: %{forgeurl}/pull/513.patch
+
BuildRequires: python3-devel
# Additional BR’s for testing, from requirements.txt only (therefore not
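Review bot: The `Patch:` line points at `%{forgeurl}/pull/513.patch`, and a pull-request patch URL is not a fixed artifact: what it serves follows whatever is later pushed to the PR branch, so it can stop matching the `513.patch` committed in this same change. The committed file records upstream commit fe18d9bfb23ff0bb64f3f9545357f708b418849d, so a commit-pinned reference such as `# %{forgeurl}/commit/fe18d9bfb23ff0bb64f3f9545357f708b418849d.patch` in the comment gives a reviewer something to re-fetch and compare byte for byte. If the `Patch:` URL itself is changed, the local file name has to follow its basename. The same hunk is repeated in the second notification further down this page.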
@@ -228,6 +232,10 @@ Obsoletes: python-databases-doc < 0.5.2-4
%prep
%autosetup -n databases-%{version} -p1
+
+# The patch for sqlalchemy >=1.4.42 is not backwards-compatible.
+sed -r -i 's/(sqlalchemy>=1\.4),/\1\.42,/' setup.py
+
%if !0%{?with_asyncmy}
sed -r -i \
-e 's/^([[:blank:]]*)(.*import AsyncMyBackend.*)$/# \1\2\n\1pass/' \
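Review bot: The `sed` that raises the SQLAlchemy floor in `setup.py` exits successfully even when its pattern matches nothing, so a later upstream edit to that requirement line would silently leave `sqlalchemy>=1.4` in the package metadata while the patched backends read `compiled._ad_hoc_textual`, which the comment says is not backwards-compatible. Follow the substitution with a check that fails the build, for example `grep -q 'sqlalchemy>=1\.4\.42,' setup.py`. The `%prep` section continues past this hunk, and the same hunk is repeated in the second notification on this page.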
commit efa8f018d1f0fa02f415c98e363062d5bc37f64b
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Wed Nov 30 11:03:28 2022 -0500
Fix MySQL server startup for tests
diff --git a/python-databases.spec b/python-databases.spec
index 66e564d..b9eab85 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -293,7 +293,7 @@ MYSQL_PID_FILE="${PWD}/mysql.pid"
mkdir "${MYSQL_DATA_DIR}"
mysql_install_db --datadir="${MYSQL_DATA_DIR}" --log-error="${MYSQL_LOG}"
-%{_libexecdir}/mysqld --port="${MYSQL_PORT}" --ssl \
+%{_libexecdir}/mysqld --port="${MYSQL_PORT}" --skip-ssl \
--datadir="${MYSQL_DATA_DIR}" --log-error="${MYSQL_LOG}" \
--socket="${MYSQL_SOCKET}" --pid-file="${MYSQL_PID_FILE}" & :
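Review bot: The change from `--ssl` to `--skip-ssl` carries no comment saying why TLS is turned off, and the server is still started with `--port="${MYSQL_PORT}"`, so for the length of the test run it accepts unencrypted TCP connections. Add a comment above the command stating the actual reason, e.g. `# TLS off: throwaway test instance, <reason the --ssl startup failed>`. Unless it is already configured outside this hunk, also restrict the listener with `--bind-address=127.0.0.1`. The same hunk is repeated in the second notification on this page.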
commit 96df1b9d84dc1015666eba21281872bcd1681d35
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Sat Oct 22 09:04:34 2022 -0400
Add BR on httpx, for starlette.testclient
diff --git a/python-databases.spec b/python-databases.spec
index 61893df..66e564d 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -43,6 +43,8 @@ BuildRequires: python3dist(pytest)
BuildRequires: python3dist(starlette)
# Used only as a soft dependency of starlette
BuildRequires: python3dist(requests)
+# Used only as a soft dependency of starlette.testclient
+BuildRequires: python3dist(httpx)
%endif
%if %{with mysql_tests}
commit 45dc4b76b0ea364015b803e556ae2a8b7906a6e1
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Fri Oct 21 09:36:00 2022 -0400
Better conditional for 32-bit architectures
diff --git a/python-databases.spec b/python-databases.spec
index 351441a..61893df 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -22,7 +22,7 @@ Source0: %{forgeurl}/archive/%{version}/databases-%{version}.tar.gz
# affected platforms. We can still make the binary RPMs noarch, except for the
# affected extra metapackage.
%global debug_package %{nil}
-%ifnarch %{ix86} %{arm32}
+%if 0%{?__isa_bits} != 32
%global with_asyncmy 1
%endif
The package rpms/python-databases.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/python-databases.git/commit/?id=404….
Change:
-%ifnarch %{ix86} %{arm32}
Thanks.
Full change:
============
commit 4c9d53d8b56e3e8dda77b552dee4d0a674b08764
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Wed Nov 30 11:14:29 2022 -0500
Patch for sqlalchemy >=1.42
diff --git a/513.patch b/513.patch
new file mode 100644
index 0000000..d9b6cf8
--- /dev/null
+++ b/513.patch
@@ -0,0 +1,61 @@
+From fe18d9bfb23ff0bb64f3f9545357f708b418849d Mon Sep 17 00:00:00 2001
+From: joniumGit <52005121+joniumGit(a)users.noreply.github.com>
+Date: Tue, 18 Oct 2022 12:39:38 +0300
+Subject: [PATCH] Fixes breaking changes in SQLAlchemy cursor
+
+- fixes #512
+---
+ databases/backends/aiopg.py | 1 +
+ databases/backends/asyncmy.py | 1 +
+ databases/backends/mysql.py | 1 +
+ databases/backends/sqlite.py | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/databases/backends/aiopg.py b/databases/backends/aiopg.py
+index 60c741a7..1d35749e 100644
+--- a/databases/backends/aiopg.py
++++ b/databases/backends/aiopg.py
+@@ -221,6 +221,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+ else:
+diff --git a/databases/backends/asyncmy.py b/databases/backends/asyncmy.py
+index e15dfa45..233d2e0e 100644
+--- a/databases/backends/asyncmy.py
++++ b/databases/backends/asyncmy.py
+@@ -211,6 +211,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+ else:
+diff --git a/databases/backends/mysql.py b/databases/backends/mysql.py
+index 2a0a8425..c7ac9f4e 100644
+--- a/databases/backends/mysql.py
++++ b/databases/backends/mysql.py
+@@ -211,6 +211,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+ else:
+diff --git a/databases/backends/sqlite.py b/databases/backends/sqlite.py
+index 9626dcf8..69ef5b51 100644
+--- a/databases/backends/sqlite.py
++++ b/databases/backends/sqlite.py
+@@ -185,6 +185,7 @@ def _compile(
+ compiled._result_columns,
+ compiled._ordered_columns,
+ compiled._textual_ordered_columns,
++ compiled._ad_hoc_textual,
+ compiled._loose_column_name_matching,
+ )
+
diff --git a/python-databases.spec b/python-databases.spec
index 34b9b55..c8a776a 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -26,6 +26,10 @@ Source0: %{forgeurl}/archive/%{version}/databases-%{version}.tar.gz
%global with_asyncmy 1
%endif
+# Fixes breaking changes in SQLAlchemy cursor
+# https://github.com/encode/databases/pull/513
+Patch: %{forgeurl}/pull/513.patch
+
BuildRequires: python3-devel
# Additional BR’s for testing, from requirements.txt only (therefore not
@@ -228,6 +232,10 @@ Obsoletes: python-databases-doc < 0.5.2-4
%prep
%autosetup -n databases-%{version} -p1
+
+# The patch for sqlalchemy >=1.4.42 is not backwards-compatible.
+sed -r -i 's/(sqlalchemy>=1\.4),/\1\.42,/' setup.py
+
%if !0%{?with_asyncmy}
sed -r -i \
-e 's/^([[:blank:]]*)(.*import AsyncMyBackend.*)$/# \1\2\n\1pass/' \
commit 4957ca6ed3c65eb59d959268b55328a045fc3eef
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Wed Nov 30 11:03:28 2022 -0500
Fix MySQL server startup for tests
diff --git a/python-databases.spec b/python-databases.spec
index a43385b..34b9b55 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -293,7 +293,7 @@ MYSQL_PID_FILE="${PWD}/mysql.pid"
mkdir "${MYSQL_DATA_DIR}"
mysql_install_db --datadir="${MYSQL_DATA_DIR}" --log-error="${MYSQL_LOG}"
-%{_libexecdir}/mysqld --port="${MYSQL_PORT}" --ssl \
+%{_libexecdir}/mysqld --port="${MYSQL_PORT}" --skip-ssl \
--datadir="${MYSQL_DATA_DIR}" --log-error="${MYSQL_LOG}" \
--socket="${MYSQL_SOCKET}" --pid-file="${MYSQL_PID_FILE}" & :
commit 86ce2e9ca9ef30015f17537cef880b51b8451056
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Sat Oct 22 09:04:34 2022 -0400
Add BR on httpx, for starlette.testclient
diff --git a/python-databases.spec b/python-databases.spec
index 2feef29..a43385b 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -43,6 +43,8 @@ BuildRequires: python3dist(pytest)
BuildRequires: python3dist(starlette)
# Used only as a soft dependency of starlette
BuildRequires: python3dist(requests)
+# Used only as a soft dependency of starlette.testclient
+BuildRequires: python3dist(httpx)
%endif
%if %{with mysql_tests}
commit 404029e1f55ca40cab2f0cba85251103d24ab6e0
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Fri Oct 21 09:36:00 2022 -0400
Better conditional for 32-bit architectures
diff --git a/python-databases.spec b/python-databases.spec
index 2de0bfb..2feef29 100644
--- a/python-databases.spec
+++ b/python-databases.spec
@@ -22,7 +22,7 @@ Source0: %{forgeurl}/archive/%{version}/databases-%{version}.tar.gz
# affected platforms. We can still make the binary RPMs noarch, except for the
# affected extra metapackage.
%global debug_package %{nil}
-%ifnarch %{ix86} %{arm32}
+%if 0%{?__isa_bits} != 32
%global with_asyncmy 1
%endif
The package rpms/libgbinder.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/libgbinder.git/commit/?id=cb5cb5463….
Change:
+ExcludeArch: s390x
Thanks.
Full change:
============
commit e7441d69c3531e7e18c56cc3e7d1486bc5010a12
Author: Alessandro Astone <ales.astone(a)gmail.com>
Date: Wed Nov 30 18:13:52 2022 +0100
Replace %define with %global
diff --git a/libgbinder.spec b/libgbinder.spec
index 61507f8..d4f80a7 100644
--- a/libgbinder.spec
+++ b/libgbinder.spec
@@ -9,7 +9,7 @@ Source0: %{url}/archive/refs/tags/%{version}.tar.gz
# bugzilla 2149716
ExcludeArch: s390x
-%define libglibutil_version 1.0.52
+%global libglibutil_version 1.0.52
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(libglibutil) >= %{libglibutil_version}
commit cb5cb5463ca8cbc2f3f2340247be0819e11c03a2
Author: Alessandro Astone <ales.astone(a)gmail.com>
Date: Wed Nov 30 18:13:26 2022 +0100
Disable s390x build
diff --git a/libgbinder.spec b/libgbinder.spec
index 9950fb2..61507f8 100644
--- a/libgbinder.spec
+++ b/libgbinder.spec
@@ -6,6 +6,9 @@ License: BSD
URL: https://github.com/mer-hybris/libgbinder
Source0: %{url}/archive/refs/tags/%{version}.tar.gz
+# bugzilla 2149716
+ExcludeArch: s390x
+
%define libglibutil_version 1.0.52
BuildRequires: pkgconfig(glib-2.0)
The package rpms/libgbinder.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/libgbinder.git/commit/?id=cb5cb5463….
Change:
+ExcludeArch: s390x
Thanks.
Full change:
============
commit e7441d69c3531e7e18c56cc3e7d1486bc5010a12
Author: Alessandro Astone <ales.astone(a)gmail.com>
Date: Wed Nov 30 18:13:52 2022 +0100
Replace %define with %global
diff --git a/libgbinder.spec b/libgbinder.spec
index 61507f8..d4f80a7 100644
--- a/libgbinder.spec
+++ b/libgbinder.spec
@@ -9,7 +9,7 @@ Source0: %{url}/archive/refs/tags/%{version}.tar.gz
# bugzilla 2149716
ExcludeArch: s390x
-%define libglibutil_version 1.0.52
+%global libglibutil_version 1.0.52
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(libglibutil) >= %{libglibutil_version}
commit cb5cb5463ca8cbc2f3f2340247be0819e11c03a2
Author: Alessandro Astone <ales.astone(a)gmail.com>
Date: Wed Nov 30 18:13:26 2022 +0100
Disable s390x build
diff --git a/libgbinder.spec b/libgbinder.spec
index 9950fb2..61507f8 100644
--- a/libgbinder.spec
+++ b/libgbinder.spec
@@ -6,6 +6,9 @@ License: BSD
URL: https://github.com/mer-hybris/libgbinder
Source0: %{url}/archive/refs/tags/%{version}.tar.gz
+# bugzilla 2149716
+ExcludeArch: s390x
+
%define libglibutil_version 1.0.52
BuildRequires: pkgconfig(glib-2.0)
The package rpms/java-17-openjdk-portable.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit…
https://src.fedoraproject.org/cgit/rpms/java-17-openjdk-portable.git/commit….
Change:
+%ifarch s390x
-%ifnarch %{zero_arches}
+ExcludeArch: %{ix86}
-%ifarch %{ix86}
+%ifarch %{ix86}
+ExcludeArch: %{ix86}
+%ifarch %{ix86}
+%ifarch %{ssbd_arches}
-%ifarch %{gdb_arches}
+%ifarch noarch
+%ifarch %{zero_arches}
+%ifarch %{gdb_arches}
+%ifnarch s390x
Thanks.
Full change:
============
commit 76ba5a769b01b623b9cb05b5da30325e123200e5
Merge: 3baec79 71c1e3f
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Nov 30 16:30:57 2022 +0100
Merge remote-tracking branch 'review/fedoraPortable2' into rawhide
diff --cc README.md
index bbe0c33,3bfd7d2..3679291
--- a/README.md
+++ b/README.md
@@@ -1,3 -1,13 +1,18 @@@
+# java-17-openjdk-portable
+
+The java-17-openjdk-portable package
++https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs
++
+ OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform.
+
+ * https://fedoraproject.org/wiki/Changes/Java17
+
+ For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream
+ release page for OpenJDK 17 and the preceding interim releases:
+
+ * 12: https://openjdk.java.net/projects/jdk/12/
+ * 13: https://openjdk.java.net/projects/jdk/13/
+ * 14: https://openjdk.java.net/projects/jdk/14/
+ * 15: https://openjdk.java.net/projects/jdk/15/
+ * 16: https://openjdk.java.net/projects/jdk/16/
+ * 17: https://openjdk.java.net/projects/jdk/17/
commit 71c1e3f09e9dddcc04e21608d981e5e198a04041
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Nov 30 13:25:44 2022 +0100
Returned properly nameSuffix, as .debug is correct, not -debug
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
index 6537058..173459c 100644
--- a/java-17-openjdk-portable.spec
+++ b/java-17-openjdk-portable.spec
@@ -1368,16 +1368,21 @@ for suffix in %{build_loop} ; do
################################################################################
pushd ${top_dir_abs_main_build_path}/images
- mv %{jdkimage} %{jdkportablename -- "$suffix"}
- mv %{jreimage} %{jreportablename -- "$suffix"}
- tar -cJf ../../../../%{jdkportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jdkportablename -- "$suffix"}
- sha256sum ../../../../%{jdkportablearchive -- "$suffix"} > ../../../../%{jdkportablearchive -- "$suffix"}.sha256sum
- tar -cJf ../../../../%{jreportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jreportablename -- "$suffix"}
- sha256sum ../../../../%{jreportablearchive -- "$suffix"} > ../../../../%{jreportablearchive -- "$suffix"}.sha256sum
+ if [ "x$suffix" == "x" ] ; then
+ nameSuffix=""
+ else
+ nameSuffix=`echo "$suffix"| sed s/-/./`
+ fi
+ mv %{jdkimage} %{jdkportablename -- "$nameSuffix"}
+ mv %{jreimage} %{jreportablename -- "$nameSuffix"}
+ tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"}
+ sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum
+ tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"}
+ sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum
# copy licenses so they are avialable out of tarball
- cp -rf %{jdkportablename -- "$suffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal
- mv %{jdkportablename -- "$suffix"} %{jdkimage}
- mv %{jreportablename -- "$suffix"} %{jreimage}
+ cp -rf %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal
+ mv %{jdkportablename -- "$nameSuffix"} %{jdkimage}
+ mv %{jreportablename -- "$nameSuffix"} %{jreimage}
popd #images
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}
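Review bot: Each `sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ….sha256sum` line stores the archive under the relative name `../../../../…` inside the checksum file, because sha256sum records the file name exactly as it was passed. Once tarball and checksum sit side by side, `sha256sum -c` looks for the archive four directories up and fails, so the shipped file cannot be used as-is to verify the tarball. Run the command from the directory that holds the archive, e.g. `(cd ../../../.. && sha256sum %{jdkportablearchive -- "$nameSuffix"} > %{jdkportablearchive -- "$nameSuffix"}.sha256sum)`. The jre line in this hunk, the static-libs line in the next hunk, and the matching lines in the older commits shown further down need the same change. The enclosing `for suffix` loop starts and ends outside the hunk.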
@@ -1385,9 +1390,9 @@ for suffix in %{build_loop} ; do
# Static libraries (needed for building graal vm with native image)
# Tar as overlay. Transform to the JDK name, since we just want to "add"
# static libraries to that folder
- portableJDKname=%{staticlibsportablename -- "$suffix"}
- tar -cJf ../../../../%{staticlibsportablearchive -- "$suffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
- sha256sum ../../../../%{staticlibsportablearchive -- "$suffix"} > ../../../../%{staticlibsportablearchive -- "$suffix"}.sha256sum
+ portableJDKname=%{staticlibsportablename -- "$nameSuffix"}
+ tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
+ sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum
popd #staticlibs-images
%endif
################################################################################
commit 9c0f77627afb9bed999e795dd67d9eeb32d2d935
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Nov 30 09:26:53 2022 +0100
Now finally installing the tarballs
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
index 4d92688..6537058 100644
--- a/java-17-openjdk-portable.spec
+++ b/java-17-openjdk-portable.spec
@@ -1400,11 +1400,12 @@ done # end of release / debug cycle loop
%install
STRIP_KEEP_SYMTAB=libjvm*
-if [ "fixme" == "todo" ] ; then
+
for suffix in %{build_loop} ; do
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+if [ "fixme" == "todo" ] ; then #todo, extract some parts to build, drop the rest - but keep it in rpms after repack
# done in build
-top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
%endif
@@ -1524,9 +1525,39 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+fi # fixme, todo
+
+################################################################################
+ if [ "x$suffix" == "x" ] ; then
+ nameSuffix=""
+ else
+ nameSuffix=`echo "$suffix"| sed s/-/./`
+ fi
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+ mv ../%{jdkportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{jdkportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{jreportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{jreportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+%if %{include_staticlibs}
+ mv ../%{staticlibsportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+ mv ../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+%endif
+ if [ "x$suffix" == "x" ] ; then
+ dnameSuffix="$nameSuffix".debuginfo
+# todo handle debuginfo, see note at build (we will need to pack one stripped and one unstripped release build)
+# mv ../%{jdkportablearchive -- "$dnameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
+# mv ../%{jdkportablearchive -- "$dnameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
+ fi
+################################################################################
# end, dual install
done
-fi
+################################################################################
+# the licenses are packed onloy once and shared
+mkdir -p $RPM_BUILD_ROOT%{unpacked_licenses}
+mv ../%{jdkportablearchive -- "%{normal_suffix}"}-legal $RPM_BUILD_ROOT%{unpacked_licenses}/%{jdkportablearchive -- "%{normal_suffix}"}
+# To show sha in the build log
+for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do ls -l $file ; cat $file ; done
+################################################################################
%check
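Review bot: The log loop that starts with `for file in` and a backquoted `ls` iterates over `ls` output and expands `$file` unquoted, so it word-splits on any whitespace in the build-root path. It also only prints the checksum files and never checks them against the tarballs that were just moved. A plain glob avoids the subshell and the splitting: `for file in "$RPM_BUILD_ROOT%{_jvmdir}"/*.sha256sum ; do ls -l "$file" ; cat "$file" ; done`. Separately, `dnameSuffix` is assigned but used only in commented-out lines. The `if [ "fixme" == "todo" ]` block closed here by `fi # fixme, todo` opens in the previous hunk.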
@@ -1616,9 +1647,9 @@ done
%files devel
%{_jvmdir}/%{jdkportablearchive -- %%{nil}}
-%{_jvmdir}/%{jdkportablearchive -- .debuginfo}
+#%{_jvmdir}/%{jdkportablearchive -- .debuginfo}
%{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum
-%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum
+#%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum
%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%if %{include_staticlibs}
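Review bot: The two `.debuginfo` entries are disabled with a leading `#`, but rpm still expands macros on comment lines, so `#%{_jvmdir}/%{jdkportablearchive -- .debuginfo}` is still evaluated, and recent rpm versions warn about a macro expanded in a comment. Escape the percent signs, `#%%{_jvmdir}/%%{jdkportablearchive -- .debuginfo}`, or delete the lines and leave a plain-text TODO. The commented-out `mv` lines under the debuginfo todo in the `%install` hunk of this commit follow the same pattern. The `%files devel` list continues outside the hunk.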
commit db7c3cb247e87206b93370d953fbd7cb521ac8ca
Author: Jiri <jvanek(a)redhat.com>
Date: Tue Nov 29 21:08:20 2022 +0100
Fixed path to tested static libs image
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
index 96e6413..4d92688 100644
--- a/java-17-openjdk-portable.spec
+++ b/java-17-openjdk-portable.spec
@@ -1391,7 +1391,7 @@ for suffix in %{build_loop} ; do
popd #staticlibs-images
%endif
################################################################################
-# note, currently no debuginfo, consult portbale spec for external (zipped) debuginof, being tarred alone
+# note, currently no debuginfo, consult portbale spec for external (zipped) debuginfo, being tarred alone
################################################################################
# build cycles
@@ -1582,7 +1582,7 @@ $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
+export STATIC_LIBS_HOME=${top_dir_abs_main_build_path}/../../%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}/images/static-libs/lib/
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
%endif
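Review bot: The new `STATIC_LIBS_HOME` is built from the shell variables `top_dir_abs_main_build_path` and `suffix`, which the hunks on this page assign only inside the `%build` and `%install` loops. rpm runs each section as its own script, so unless the section holding this smoke test sets them itself (not visible in this hunk) the path degrades to `/../../build/…` and `readelf` is pointed at the wrong location. A guard before the export makes that failure explicit, `: "${top_dir_abs_main_build_path:?}"`, and the two `readelf` arguments should be quoted, `"$STATIC_LIBS_HOME/libfdlibm.a"`. The surrounding section starts and ends outside the hunk.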
commit c22c08ba1b7dce7b661b59c0ddb2bd9df964f36a
Author: Jiri <jvanek(a)redhat.com>
Date: Tue Nov 29 19:38:36 2022 +0100
Merge all legal to one and pack just once for all tarballs
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
index 3d9cac0..96e6413 100644
--- a/java-17-openjdk-portable.spec
+++ b/java-17-openjdk-portable.spec
@@ -1368,16 +1368,16 @@ for suffix in %{build_loop} ; do
################################################################################
pushd ${top_dir_abs_main_build_path}/images
- mv %{jdkimage} %{jdkportablename -- "$nameSuffix"}
- mv %{jreimage} %{jreportablename -- "$nameSuffix"}
- tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"}
- sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum
- tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"}
- sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum
+ mv %{jdkimage} %{jdkportablename -- "$suffix"}
+ mv %{jreimage} %{jreportablename -- "$suffix"}
+ tar -cJf ../../../../%{jdkportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jdkportablename -- "$suffix"}
+ sha256sum ../../../../%{jdkportablearchive -- "$suffix"} > ../../../../%{jdkportablearchive -- "$suffix"}.sha256sum
+ tar -cJf ../../../../%{jreportablearchive -- "$suffix"} --exclude='**.debuginfo' %{jreportablename -- "$suffix"}
+ sha256sum ../../../../%{jreportablearchive -- "$suffix"} > ../../../../%{jreportablearchive -- "$suffix"}.sha256sum
# copy licenses so they are avialable out of tarball
- cp -r %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "$nameSuffix"}-legal
- mv %{jdkportablename -- "$nameSuffix"} %{jdkimage}
- mv %{jreportablename -- "$nameSuffix"} %{jreimage}
+ cp -rf %{jdkportablename -- "$suffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal
+ mv %{jdkportablename -- "$suffix"} %{jdkimage}
+ mv %{jreportablename -- "$suffix"} %{jreimage}
popd #images
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}
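Review bot: `cp -rf …/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal` now targets one fixed directory on every pass of the `for suffix` loop, and `cp -r` into an existing directory copies the source inside it. When `%{build_loop}` holds more than one suffix, the second pass therefore produces `…-legal/legal/…` rather than a merged tree. With GNU cp, `-T` treats the destination as the directory itself: `cp -rfT %{jdkportablename -- "$suffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal`. The line is carried over, with `$nameSuffix`, into the later commit shown above on this page. The loop body starts and ends outside the hunk.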
@@ -1385,9 +1385,9 @@ for suffix in %{build_loop} ; do
# Static libraries (needed for building graal vm with native image)
# Tar as overlay. Transform to the JDK name, since we just want to "add"
# static libraries to that folder
- portableJDKname=%{staticlibsportablename -- "$nameSuffix"}
- tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
- sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum
+ portableJDKname=%{staticlibsportablename -- "$suffix"}
+ tar -cJf ../../../../%{staticlibsportablearchive -- "$suffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
+ sha256sum ../../../../%{staticlibsportablearchive -- "$suffix"} > ../../../../%{staticlibsportablearchive -- "$suffix"}.sha256sum
popd #staticlibs-images
%endif
################################################################################
@@ -1632,18 +1632,18 @@ done
%files slowdebug
%{_jvmdir}/%{jreportablearchive -- .slowdebug}
%{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum
-%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%files devel-slowdebug
%{_jvmdir}/%{jdkportablearchive -- .slowdebug}
%{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum
-%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%if %{include_staticlibs}
%files static-libs-slowdebug
%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}
%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum
-%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%endif
%endif
@@ -1651,18 +1651,18 @@ done
%files fastdebug
%{_jvmdir}/%{jreportablearchive -- .fastdebug}
%{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum
-%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%files devel-fastdebug
%{_jvmdir}/%{jdkportablearchive -- .fastdebug}
%{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum
-%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%if %{include_staticlibs}
%files static-libs-fastdebug
%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}
%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum
-%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%endif
%endif
commit d904c40a00511e8f39f35f100b371c273d2f5206
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Mon Nov 28 17:42:31 2022 +0100
WIP added tarring
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
index 3f7500f..3d9cac0 100644
--- a/java-17-openjdk-portable.spec
+++ b/java-17-openjdk-portable.spec
@@ -44,7 +44,7 @@
%define __os_install_post %{nil}
%endif
-%global unpacked_lilcenses %{_datarootdir}/licenses
+%global unpacked_licenses %{_datarootdir}/licenses
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@@ -251,10 +251,10 @@
%global debug_symbols internal
# unlike portables,the rpms have to use static_libs_target very dynamically
-%global bootstrap_targets images
-%global release_targets images docs-zip
+%global bootstrap_targets images legacy-jre-image
+%global release_targets images docs-zip legacy-jre-image
# No docs nor bootcycle for debug builds
-%global debug_targets images
+%global debug_targets images legacy-jre-image
# Target to use to just build HotSpot
%global hotspot_target hotspot
@@ -448,7 +448,6 @@
%global static_libs_install_dir %{static_libs_arch_dir}/glibc
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
-%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk
@@ -1367,26 +1366,58 @@ for suffix in %{build_loop} ; do
# Print release information
cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
+################################################################################
+ pushd ${top_dir_abs_main_build_path}/images
+ mv %{jdkimage} %{jdkportablename -- "$nameSuffix"}
+ mv %{jreimage} %{jreportablename -- "$nameSuffix"}
+ tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"}
+ sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum
+ tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"}
+ sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum
+ # copy licenses so they are avialable out of tarball
+ cp -r %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "$nameSuffix"}-legal
+ mv %{jdkportablename -- "$nameSuffix"} %{jdkimage}
+ mv %{jreportablename -- "$nameSuffix"} %{jreimage}
+ popd #images
+%if %{include_staticlibs}
+ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}
+ pushd ${top_dir_abs_staticlibs_build_path}/images
+ # Static libraries (needed for building graal vm with native image)
+ # Tar as overlay. Transform to the JDK name, since we just want to "add"
+ # static libraries to that folder
+ portableJDKname=%{staticlibsportablename -- "$nameSuffix"}
+ tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
+ sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum
+ popd #staticlibs-images
+%endif
+################################################################################
+# note, currently no debuginfo, consult portbale spec for external (zipped) debuginof, being tarred alone
+################################################################################
+
# build cycles
done # end of release / debug cycle loop
%install
STRIP_KEEP_SYMTAB=libjvm*
+if [ "fixme" == "todo" ] ; then
for suffix in %{build_loop} ; do
+# done in build
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
%endif
jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
+# tbd in rpms
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
+# tbd in rpms
%if %{with_systemtap}
# Install systemtap support files
install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset
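Review bot: The three added `sha256sum ../../../../<archive> > <archive>.sha256sum` lines write the relative path `../../../../...` into each checksum file, so `sha256sum -c` run next to the shipped tarball looks for the wrong path and cannot verify it. Compute the digest from the directory that holds the archive, e.g. `(cd ../../../.. && sha256sum %{jdkportablearchive -- "$nameSuffix"} > %{jdkportablearchive -- "$nameSuffix"}.sha256sum)`, and do the same for the JRE and static-libs archives. Further down, `if [ "fixme" == "todo" ]` turns the whole of %install into dead code; a comment marking it as a deliberate WIP stub would keep it from being read as a real condition. The enclosing `for suffix in %{build_loop}` loop starts outside the hunk.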
@@ -1402,11 +1433,13 @@ pushd ${jdk_image}
done
%endif
+# tbd in rpms
# Install version-ed symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
popd
+# todo fix in build
# Install man pages
install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1
for manpage in man/man1/*
@@ -1422,6 +1455,7 @@ pushd ${jdk_image}
popd
+# done in build
# Install static libs artefacts
%if %{include_staticlibs}
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
@@ -1429,6 +1463,7 @@ cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
%endif
+# todo fix in build
if ! echo $suffix | grep -q "debug" ; then
# Install Javadoc documentation
install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
@@ -1438,6 +1473,7 @@ if ! echo $suffix | grep -q "debug" ; then
$RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/
fi
+# todo fix in build
# Install release notes
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
install -d -m 755 ${commondocdir}
@@ -1450,6 +1486,7 @@ for s in 16 24 32 48 ; do
$RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png
done
+# tbd in rpms
# Install desktop files
install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps}
for e in jconsole$suffix ; do
@@ -1457,14 +1494,17 @@ for e in jconsole$suffix ; do
--dir=$RPM_BUILD_ROOT%{_datadir}/applications $e.desktop
done
+# tbd in rpms
# Install /etc/.java/.systemPrefs/ directory
# See https://bugzilla.redhat.com/show_bug.cgi?id=741821
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs
+# todo fix in build
# copy samples next to demos; samples are mostly js files
cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/
+# tbd in rpms
# moving config files to /etc
mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
@@ -1478,6 +1518,7 @@ pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
popd
# end moving files to /etc
+# todo fix in build
# stabilize permissions
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
@@ -1485,6 +1526,7 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
# end, dual install
done
+fi
%check
@@ -1493,7 +1535,9 @@ for suffix in %{build_loop} ; do
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
-export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
+# however in portbales, we test built image instead of installed one
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
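Review bot: The two context comment lines above the change still say the checks run on the installed image, which the new `JAVA_HOME` contradicts. Replace them with one accurate comment such as `# portables: %check runs against the built image, because %install is currently stubbed out`. The shipped artifact is the tarball created in %build with `--exclude='**.debuginfo'`, so the tree under test is not exactly what users unpack; once the packaging settles, consider pointing `JAVA_HOME` at an extraction of that archive. The enclosing `for suffix in %{build_loop}` loop continues outside the hunk.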
@@ -1564,7 +1608,7 @@ done
# main package builds always
%{_jvmdir}/%{jreportablearchive -- %%{nil}}
%{_jvmdir}/%{jreportablearchive -- %%{nil}}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%else
%files
# placeholder
@@ -1575,31 +1619,31 @@ done
%{_jvmdir}/%{jdkportablearchive -- .debuginfo}
%{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum
%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%if %{include_staticlibs}
%files static-libs
%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}
%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}}
+%license %{unpacked_licenses}/%{jdkportablearchive -- %%{nil}}
%endif
%if %{include_debug_build}
%files slowdebug
%{_jvmdir}/%{jreportablearchive -- .slowdebug}
%{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug}
%files devel-slowdebug
%{_jvmdir}/%{jdkportablearchive -- .slowdebug}
%{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug}
%if %{include_staticlibs}
%files static-libs-slowdebug
%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}
%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- .slowdebug}
%endif
%endif
@@ -1607,18 +1651,18 @@ done
%files fastdebug
%{_jvmdir}/%{jreportablearchive -- .fastdebug}
%{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug}
%files devel-fastdebug
%{_jvmdir}/%{jdkportablearchive -- .fastdebug}
%{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug}
%if %{include_staticlibs}
%files static-libs-fastdebug
%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}
%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum
-%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug}
+%license %{unpacked_licenses}/%{jdkportablearchive -- .fastdebug}
%endif
%endif
commit d29ffaf550cc6aabfbb1521c2bab28d7af2975c4
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Mon Nov 28 15:45:50 2022 +0100
Aligning files and packages with future portable version
added few if el7.
Note, this is not buildable, breaking changes with tarball creation
needs to land now
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
index e129354..3f7500f 100644
--- a/java-17-openjdk-portable.spec
+++ b/java-17-openjdk-portable.spec
@@ -1,3 +1,14 @@
+#FOR TESTING ONLY! REMOVE!
+%define rhel %{nil}
+
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# portable jdk 17 specific bug, _jvmdir being missing
+%define _jvmdir /usr/lib/jvm
+%endif
+
+# debug_package %%{nil} is portable-jdks specific
+%define debug_package %{nil}
+
# RPM conditionals so as to be able to dynamically produce
# slowdebug/release builds. See:
# http://rpm.org/user_doc/conditional_builds.html
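Review bot: The added `%define rhel %{nil}` under `#FOR TESTING ONLY! REMOVE!` makes every `0%{?rhel}` test in this spec evaluate to 0, so all the RHEL 7 branches this commit introduces are dead code, even on a real RHEL builder. It should not land in the branch: drop the two lines, or gate the override behind a build conditional that is off by default. `%define debug_package %{nil}` also switches off debuginfo subpackage generation for every build, so its comment should say where the debug symbols are expected to go instead.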
@@ -26,6 +37,15 @@
# Build with system libraries
%bcond_with system_libs
+
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# This is RHEL 7 specific as it doesn't seem to have the
+# __brp_strip_static_archive macro.
+%define __os_install_post %{nil}
+%endif
+
+%global unpacked_lilcenses %{_datarootdir}/licenses
+
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
%define __brp_strip_static_archive %{nil}
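Review bot: `%define __os_install_post %{nil}` disables every post-install buildroot policy script on RHEL 7, not only the static-archive stripping that the comment gives as the reason. If that breadth is intended for the portable build, say so in the comment, e.g. `# RHEL 7 has no __brp_strip_static_archive, so all brp post-install processing is turned off here`. Otherwise redefine the macro so that only the strip step is left out.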
@@ -149,7 +169,12 @@
# Set of architectures for which java has short vector math library (libsvml.so)
%global svml_arches x86_64
# Set of architectures where we verify backtraces with gdb
+# s390x fails on RHEL 7 so we exclude it there
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches}
+%else
%global gdb_arches %{jit_arches} %{zero_arches}
+%endif
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
@@ -423,10 +448,30 @@
%global static_libs_install_dir %{static_libs_arch_dir}/glibc
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk
%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+# portable only declarations
+%global jreimage jre
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.jre.;g" | sed "s;openjdkportable;el;g")
+%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.jdk.;g" | sed "s;openjdkportable;el;g")
+%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el7\\(_[0-9]\\)*;portable%{1}.static-libs.;g" | sed "s;openjdkportable;el;g")
+%else
+%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.jre;g" | sed "s;openjdkportable;el;g")
+%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.jdk;g" | sed "s;openjdkportable;el;g")
+%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;fc\\([0-9]\\)*;\\0.portable%{1}.static-libs;g" | sed "s;openjdkportable;el;g")
+%endif
+%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz}
+%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz}
+%define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz}
+%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}}
+%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
+# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on
+# top of the JDK archive
+%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
#################################################################
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
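Review bot: The portable names are derived by `sed`-rewriting the dist tag (`el7...` in the first branch, `fc[0-9]*` in the `%else` branch), so on any dist tag the pattern does not match, `jreportablenameimpl`, `jdkportablenameimpl` and `staticlibsportablenameimpl` all expand to the same string. The JRE and JDK archives built from these names would then share one file name, and the later one would silently overwrite the earlier. Either build the name by appending the suffix directly instead of pattern-matching, or add a build-time check that the JRE and JDK names differ. `\\0` is also a GNU sed extension; `&` is the portable spelling.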
@@ -470,9 +515,6 @@
%global alternatives_requires %{_sbindir}/alternatives
%endif
-%global family %{name}.%{_arch}
-%global family_noarch %{name}
-
%if %{with_systemtap}
# Where to install systemtap tapset (links)
# We would like these to be in a package specific sub-dir,
@@ -593,6 +635,14 @@ Source17: nss.fips.cfg.in
# Ensure translations are available for new timezones
Source18: TestTranslations.java
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# boot jdk for portable build root on
+Source1001: ojdk17-aarch64-17.35.tar.gz
+Source1002: ojdk17-ppc64le-17.35.tar.gz
+Source1003: ojdk17-x86_64-17.35.tar.gz
+Source1004: ojdk17-s390x-17.35.tar.gz
+%endif
+
############################################
#
# RPM/distribution specific patches
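Review bot: Source1001 to Source1004 are prebuilt boot-JDK binaries that the `%build` hunk at -957 unpacks with `tar -xf`, and nothing visible in the spec records their origin or checks their digest before they are used as the boot JDK. Add a comment giving the origin and build recipe of each tarball, and verify a pinned SHA-256 before extraction, e.g. `echo "<sha256-placeholder>  %{SOURCE1003}" | sha256sum -c -`. The lookaside cache may already pin a hash, but that is not visible from this spec.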
@@ -666,8 +716,21 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
+BuildRequires: freetype-devel
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+BuildRequires: devtoolset-8-gcc
+BuildRequires: devtoolset-8-gcc-c++
+%else
+BuildRequires: gcc
+# gcc-c++ is already needed
+BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
BuildRequires: gcc-c++
BuildRequires: gdb
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# rhel7 only, portables only. Rhel8 have gtk3, rpms have runtime recommends of gtk
+BuildRequires: gtk2-devel
+%endif
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@@ -679,18 +742,31 @@ BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
# Requirement for system security property test
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
BuildRequires: crypto-policies
+%endif
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
+# to pack portable tarballs
+BuildRequires: tar
+BuildRequires: unzip
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+# No javapackages-filesystem on el7,nor is needed for portables
+%else
BuildRequires: javapackages-filesystem
BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
+
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
# 2022e required as of JDK-8295173
BuildRequires: tzdata-java >= 2022e
+
+# cacerts build requirement in portable mode
+BuildRequires: ca-certificates
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
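Review bot: The condition wrapped around `BuildRequires: crypto-policies` looks inverted: the package is now required only when `rhel` is below 8 and dropped everywhere else, while the comment above it says it is needed for the system security property test. If the intent was to skip it on RHEL 7, the guard should read `%if (0%{?rhel} == 0 || 0%{?rhel} >= 8)`. The `%else` branch here also keeps `BuildRequires: java-%{buildjdkver}-openjdk-devel`, which the hunk at -666 adds a second time under the same condition.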
@@ -957,6 +1033,26 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+mkdir bootjdk
+pushd bootjdk
+%ifarch %{aarch64}
+tar --strip-components=1 -xf %{SOURCE1001}
+%endif
+%ifarch %{ppc64le}
+tar --strip-components=1 -xf %{SOURCE1002}
+%endif
+%ifarch x86_64
+tar --strip-components=1 -xf %{SOURCE1003}
+%endif
+%ifarch s390x
+tar --strip-components=1 -xf %{SOURCE1004}
+%endif
+BOOT_JDK=$PWD
+popd
+%else
+BOOT_JDK=%{bootjdk}
+%endif
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
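Review bot: On RHEL 7 an architecture outside the four `%ifarch` blocks leaves `bootjdk` empty, yet `BOOT_JDK=$PWD` is still set, so the failure presumably surfaces only later in configure. A guard right after the assignment, `[ -x "$BOOT_JDK/bin/java" ] || { echo "no boot JDK for %{_arch}" >&2; exit 1; }`, makes the build fail at the cause. None of the visible hunks changes the configure invocation to read `$BOOT_JDK`, so confirm that `--with-boot-jdk` (outside this diff) picks it up rather than `%{bootjdk}`.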
@@ -1023,7 +1119,11 @@ function buildjdk() {
# rather than ${link_opt} as the system versions
# are always used in a system_libs build, even
# for the static library build
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+ scl enable devtoolset-8 -- bash ${top_dir_abs_src_path}/configure \
+%else
bash ${top_dir_abs_src_path}/configure \
+%endif
%ifarch %{zero_arches}
--with-jvm-variants=zero \
%endif
@@ -1064,8 +1164,11 @@ function buildjdk() {
--disable-warnings-as-errors
cat spec.gmk
-
+%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
+ scl enable devtoolset-8 -- make \
+%else
make \
+%endif
LOG=trace \
WARNINGS_ARE_ERRORS="-Wno-error" \
CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
@@ -1456,494 +1559,70 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
# build cycles check
done
-%if %{include_normal_build}
-# intentionally only for non-debug
-%pretrans headless -p <lua>
--- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
--- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
--- if copy-jdk-configs is in transaction, it installs in pretrans to temp
--- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is
--- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
--- whether copy-jdk-configs is installed or not. If so, then configs are copied
--- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
-local posix = require "posix"
-
-if (os.getenv("debug") == "true") then
- debug = true;
- print("cjc: in spec debug is on")
-else
- debug = false;
-end
-
-SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
-SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
-
-local stat1 = posix.stat(SOURCE1, "type");
-local stat2 = posix.stat(SOURCE2, "type");
-
- if (stat1 ~= nil) then
- if (debug) then
- print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
- end;
- package.path = package.path .. ";" .. SOURCE1
-else
- if (stat2 ~= nil) then
- if (debug) then
- print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
- end;
- package.path = package.path .. ";" .. SOURCE2
- else
- if (debug) then
- print(SOURCE1 .." does NOT exists")
- print(SOURCE2 .." does NOT exists")
- print("No config files will be copied")
- end
- return
- end
-end
-arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
-cjc = require "copy_jdk_configs.lua"
-args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
-cjc.mainProgram(args)
-
-%post
-%{post_script %{nil}}
-
-%post headless
-%{post_headless %{nil}}
-
-%postun
-%{postun_script %{nil}}
-
-%postun headless
-%{postun_headless %{nil}}
-
-%posttrans
-%{posttrans_script %{nil}}
-
-%posttrans headless
-%{alternatives_java_install %{nil}}
-
-%post devel
-%{post_devel %{nil}}
-
-%postun devel
-%{postun_devel %{nil}}
-
-%posttrans devel
-%{posttrans_devel %{nil}}
-
-%posttrans javadoc
-%{alternatives_javadoc_install %{nil}}
-
-%postun javadoc
-%{postun_javadoc %{nil}}
-
-%posttrans javadoc-zip
-%{alternatives_javadoczip_install %{nil}}
-
-%postun javadoc-zip
-%{postun_javadoc_zip %{nil}}
-%endif
-
-%if %{include_debug_build}
-%post slowdebug
-%{post_script -- %{debug_suffix_unquoted}}
-
-%post headless-slowdebug
-%{post_headless -- %{debug_suffix_unquoted}}
-
-%posttrans headless-slowdebug
-%{alternatives_java_install -- %{debug_suffix_unquoted}}
-
-%postun slowdebug
-%{postun_script -- %{debug_suffix_unquoted}}
-
-%postun headless-slowdebug
-%{postun_headless -- %{debug_suffix_unquoted}}
-
-%posttrans slowdebug
-%{posttrans_script -- %{debug_suffix_unquoted}}
-
-%post devel-slowdebug
-%{post_devel -- %{debug_suffix_unquoted}}
-
-%postun devel-slowdebug
-%{postun_devel -- %{debug_suffix_unquoted}}
-
-%posttrans devel-slowdebug
-%{posttrans_devel -- %{debug_suffix_unquoted}}
-%endif
-
-%if %{include_fastdebug_build}
-%post fastdebug
-%{post_script -- %{fastdebug_suffix_unquoted}}
-
-%post headless-fastdebug
-%{post_headless -- %{fastdebug_suffix_unquoted}}
-
-%postun fastdebug
-%{postun_script -- %{fastdebug_suffix_unquoted}}
-
-%postun headless-fastdebug
-%{postun_headless -- %{fastdebug_suffix_unquoted}}
-
-%posttrans fastdebug
-%{posttrans_script -- %{fastdebug_suffix_unquoted}}
-
-%posttrans headless-fastdebug
-%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
-
-%post devel-fastdebug
-%{post_devel -- %{fastdebug_suffix_unquoted}}
-
-%postun devel-fastdebug
-%{postun_devel -- %{fastdebug_suffix_unquoted}}
-
-%posttrans devel-fastdebug
-%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
-
-%endif
-
%if %{include_normal_build}
%files
# main package builds always
-%{files_jre %{nil}}
+%{_jvmdir}/%{jreportablearchive -- %%{nil}}
+%{_jvmdir}/%{jreportablearchive -- %%{nil}}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}}
%else
%files
# placeholder
%endif
-
-%if %{include_normal_build}
-%files headless
-# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
-# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
-%{files_jre_headless %{nil}}
-
%files devel
-%{files_devel %{nil}}
+%{_jvmdir}/%{jdkportablearchive -- %%{nil}}
+%{_jvmdir}/%{jdkportablearchive -- .debuginfo}
+%{_jvmdir}/%{jdkportablearchive -- %%{nil}}.sha256sum
+%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}}
%if %{include_staticlibs}
%files static-libs
-%{files_static_libs %{nil}}
-%endif
-
-%files jmods
-%{files_jmods %{nil}}
-
-%files demo
-%{files_demo %{nil}}
-
-%files src
-%{files_src %{nil}}
-
-%files javadoc
-%{files_javadoc %{nil}}
-
-# This puts a huge documentation file in /usr/share
-# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
-# same for debug variant
-%files javadoc-zip
-%{files_javadoc_zip %{nil}}
+%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}
+%{_jvmdir}/%{staticlibsportablearchive -- %%{nil}}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- %%{nil}}
%endif
%if %{include_debug_build}
%files slowdebug
-%{files_jre -- %{debug_suffix_unquoted}}
-
-%files headless-slowdebug
-%{files_jre_headless -- %{debug_suffix_unquoted}}
+%{_jvmdir}/%{jreportablearchive -- .slowdebug}
+%{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug}
%files devel-slowdebug
-%{files_devel -- %{debug_suffix_unquoted}}
+%{_jvmdir}/%{jdkportablearchive -- .slowdebug}
+%{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug}
%if %{include_staticlibs}
%files static-libs-slowdebug
-%{files_static_libs -- %{debug_suffix_unquoted}}
+%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}
+%{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- .slowdebug}
%endif
-
-%files jmods-slowdebug
-%{files_jmods -- %{debug_suffix_unquoted}}
-
-%files demo-slowdebug
-%{files_demo -- %{debug_suffix_unquoted}}
-
-%files src-slowdebug
-%{files_src -- %{debug_suffix_unquoted}}
%endif
%if %{include_fastdebug_build}
%files fastdebug
-%{files_jre -- %{fastdebug_suffix_unquoted}}
-
-%files headless-fastdebug
-%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+%{_jvmdir}/%{jreportablearchive -- .fastdebug}
+%{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug}
%files devel-fastdebug
-%{files_devel -- %{fastdebug_suffix_unquoted}}
+%{_jvmdir}/%{jdkportablearchive -- .fastdebug}
+%{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug}
%if %{include_staticlibs}
%files static-libs-fastdebug
-%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}
+%{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum
+%license %{unpacked_lilcenses}/%{jdkportablearchive -- .fastdebug}
%endif
-
-%files jmods-fastdebug
-%{files_jmods -- %{fastdebug_suffix_unquoted}}
-
-%files demo-fastdebug
-%{files_demo -- %{fastdebug_suffix_unquoted}}
-
-%files src-fastdebug
-%{files_src -- %{fastdebug_suffix_unquoted}}
-
%endif
%changelog
-* Wed Nov 09 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.6.0.1-0.1.ea
-- Update to jdk-17.0.6+1
-- Update release notes to 17.0.6+1
-- Switch to EA mode for 17.0.6 pre-release builds.
-- Re-enable EA upstream status check now it is being actively maintained.
-- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
-- Bump tzdata requirement to 2022e now the package is available in Fedora
-
-* Wed Oct 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.8-1
-- Update to jdk-17.0.5+8 (GA)
-- Update release notes to 17.0.5+8 (GA)
-- Switch to GA mode for final release.
-- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
-- Remove freetype sources along with zlib sources
-
-* Fri Oct 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.7-0.2.ea
-- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
-- Update CLDR data with Europe/Kyiv (JDK-8293834)
-- Drop JDK-8292223 patch which we found to be unnecessary
-- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
-
-* Tue Oct 04 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.7-0.1.ea
-- Update to jdk-17.0.5+7
-- Update release notes to 17.0.5+7
-
-* Mon Oct 03 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.1-0.1.ea
-- Update to jdk-17.0.5+1
-- Update release notes to 17.0.5+1
-- Switch to EA mode for 17.0.5 pre-release builds.
-- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
-- Bump FreeType bundled version to 2.12.1 following JDK-8290334
-
-* Tue Aug 30 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-3
-- Switch to static builds, reducing system dependencies and making build more portable
-
-* Mon Aug 29 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-2
-- Update FIPS support to bring in latest changes
-- * RH2048582: Support PKCS#12 keystores
-- * RH2020290: Support TLS 1.3 in FIPS mode
-
-* Sun Aug 21 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-1
-- Update to jdk-17.0.4.1+1
-- Update release notes to 17.0.4.1+1
-- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
-- Add test to ensure timezones can be translated
-
-* Mon Aug 15 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-2
-- Update FIPS support to bring in latest changes
-- * RH2104724: Avoid import/export of DH private keys
-- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
-- * Build the systemconf library on all platforms
-
-* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-1
-- Update to jdk-17.0.4.0+8
-- Update release notes to 17.0.4.0+8
-- Switch to GA mode for release
-- Exclude x86 where java_arches is undefined, in order to unbreak build
-
-* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.3.ea
-- moved to build only on %%{java_arches}
--- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
-- reverted :
--- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
--- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
--- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
--- Replaced binaries and .so files with bash-stubs on i686
-- added ExclusiveArch: %%{java_arches}
--- this now excludes i686
--- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
-- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.4.0.7-0.2.ea.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.2.ea
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-
-* Sat Jul 16 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.1.ea
-- Update to jdk-17.0.3.0+7
-- Update release notes to 17.0.3.0+7
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
-
-* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.5.ea
-- Explicitly require crypto-policies during build and runtime for system security properties
-
-* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.4.0.1-0.4.ea
-- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
-
-* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:17.0.4.0.1-0.3.ea
-- Add javaver- and origin-specific javadoc and javadoczip alternatives.
-
-* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
-- Make use of the vendor version string to store our version & release rather than an upstream release date
-- Include a test in the RPM to check the build has the correct vendor information.
-
-* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
-- Fix issue where CheckVendor.java test erroneously passes when it should fail.
-- Add proper quoting so '&' is not treated as a special character by the shell.
-
-* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.1.ea
-- Update to jdk-17.0.4.0+1
-- Update release notes to 17.0.4.0+1
-- Switch to EA mode for 17.0.4 pre-release builds.
-- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
-- Print release file during build, which should now include a correct SOURCE value from .src-rev
-- Update tarball script with IcedTea GitHub URL and .src-rev generation
-- Include script to generate bug list for release notes
-- Update tzdata requirement to 2022a to match JDK-8283350
-- Move EA designator check to prep so failures can be caught earlier
-- Make EA designator check non-fatal while upstream is not maintaining it
-
-* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
-- Fix whitespace in spec file
-
-* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
-- Sequence spec file sections as they are run by rpmbuild (build, install then test)
-
-* Tue Jul 05 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
-- Turn on system security properties as part of the build's install section
-- Move cacerts replacement to install section and retain original of this and tzdb.dat
-- Run tests on the installed image, rather than the build image
-- Introduce variables to refer to the static library installation directories
-- Use relative symlinks so they work within the image
-- Run debug symbols check during build stage, before the install strips them
-
-* Fri Jul 01 2022 Stephan Bergmann <sbergman(a)redhat.com> - 1:17.0.3.0.7-6
-- Fix flatpak builds by exempting them from bootstrap
-
-* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari(a)redhat.com> - 1:17.0.3.0.7-5
-- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
-
-* Mon Jun 27 2022 Stephan Bergmann <sbergman(a)redhat.com> - 1:17.0.3.0.7-4
-- Fix flatpak builds (catering for their uncompressed manual pages)
-
-* Wed Jun 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-3
-- Update FIPS support to bring in latest changes
-- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
-- * RH2090378: Revert to disabling system security properties and FIPS mode support together
-- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
-- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
-- Improve security properties test to check both enabled and disabled behaviour
-- Run security properties test with property debugging on
-
-* Sun Jun 12 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-2
-- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
-- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
-- RH2023467: Enable FIPS keys export
-- RH2094027: SunEC runtime permission for FIPS
-
-* Sun Apr 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-1
-- April 2022 security update to jdk 17.0.3+7
-- Update release notes to 17.0.3.0+7
-- Update README.md and generate_source_tarball.sh to match CentOS
-- Switch to GA mode for release
-- JDK-8283911 patch no longer needed now we're GA...
-
-* Wed Apr 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.5-0.1.ea
-- Update to jdk-17.0.3.0+5
-- Update release notes to 17.0.3.0+5
-
-* Fri Apr 08 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.1-0.1.ea
-- Update to jdk-17.0.3.0+1
-- Update release notes to 17.0.3.0+1
-- Switch to EA mode for 17.0.3 pre-release builds.
-- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
-
-* Wed Apr 06 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-9
-- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-
-* Wed Mar 30 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-8
-- java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18
-
-* Wed Feb 23 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-8
-- Detect NSS at runtime for FIPS detection
-- Turn off build-time NSS linking and go back to an explicit Requires on NSS
-
-* Tue Feb 08 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-7
-- Reinstate JIT builds on x86_32.
-- Add JDK-8282004 to fix missing CALL effects on x86_32.
-
-* Mon Feb 07 2022 Severin Gehwolf <sgehwolf(a)redhat.com> - 1:17.0.2.0.8-6
-- Re-enable gdb backtrace check.
-
-* Mon Feb 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-5
-- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
-- Need to support noarch for creating source RPMs for non-scratch builds.
-
-* Fri Feb 04 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.2.0.8-4
-- moved to become system jdk
-
-* Fri Feb 04 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-2
-- Temporarily move x86 to use Zero in order to get a working build
-- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
-- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
-- Explicitly list JIT architectures rather than relying on those with slowdebug builds
-- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
-
-* Mon Jan 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.2.0.8-1.rolling
-- January 2022 security update to jdk 17.0.2+8
-- Extend LTS check to exclude EPEL.
-- Rename libsvml.so to libjsvml.so following JDK-8276025
-- Remove JDK-8276572 patch which is now upstream.
-- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
-
-* Mon Jan 24 2022 Severin Gehwolf <sgehwolf(a)redhat.com> - 1:17.0.2.0.8-1.rolling
-- Set LTS designator.
-
-* Mon Jan 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.1.0.12-16.rolling
-- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.1.0.12-15.rolling.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Jan 18 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.1.0.12-15.rolling
-- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
-- Disable on x86, x86_64, ppc64le & s390x while these are broken in rawhide.
-
-* Thu Jan 13 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.1.0.12-14.rolling
-- Fix FIPS issues in native code and with initialisation of java.security.Security
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.1.0.12-13.rolling
-- Storing and restoring alterntives during update manually
-- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
--- The move of alternatives creation to posttrans to fix:
--- Bug 1200302 - dnf reinstall breaks alternatives
--- Had caused the alternatives to be removed, and then created again,
--- instead of being added, and then removing the old, and thus persisting
--- the selection in family
--- Thus this fix, is storing the family of manually selected master, and if
--- stored, then it is restoring the family of the master
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.1.0.12-12.rolling
-- Family extracted to globals
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.1.0.12-11.rolling
-- javadoc-zip got its own provides next to plain javadoc ones
-
-* Thu Dec 09 2021 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.1.0.12-10.rolling
-- replaced tabs by sets of spaces to make rpmlint happy
-
-* Mon Nov 29 2021 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.1.0.12-9.rolling
-- Handle Fedora in distro conditionals that currently only pertain to RHEL.
-
-* Thu Nov 18 2021 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.0.0.35-8
--- inital import
+* Mon Oct 31 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.5.0.8-2
+- initial import
+
commit c85c8f148e5efcc08a2bbf28071eb4d5bdfaa528
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Fri Nov 25 14:29:40 2022 +0100
WIP - reworking fedora spec as portable
todo - tar the results
diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec
index 3fbd691..e129354 100644
--- a/java-17-openjdk-portable.spec
+++ b/java-17-openjdk-portable.spec
@@ -112,7 +112,7 @@
# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
-%global is_system_jdk 1
+%global is_system_jdk 0
%global aarch64 aarch64 arm64 armv8
# we need to distinguish between big and little endian PPC64
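Review bot: The flip of `is_system_jdk` from 1 to 0 is left unexplained, and the comment directly above it still ties the value 0 to the JDK being a tech preview, which does not appear to be the reason here. The systemtap hunk in this same commit adds `# always off for portable builds`; an equivalent line above this macro, for example `# portable builds never act as the system JDK, keep at 0`, would stop a later sync from the non-portable spec from flipping it back. The uses of `%is_system_jdk` visible in this diff (inside `java_rpo` and the `files_*` macros) are all on removed lines, so it is also worth checking whether the portable spec still reads the macro at all.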
@@ -312,8 +312,9 @@
%global stapinstall %{nil}
%endif
+# always off for portable builds
%ifarch %{systemtap_arches}
-%global with_systemtap 1
+%global with_systemtap 0
%else
%global with_systemtap 0
%endif
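Review bot: Both arms of the `%ifarch %{systemtap_arches}` conditional now set `with_systemtap` to 0, so the architecture test no longer decides anything. Keeping the new comment and replacing the conditional with a single `%global with_systemtap 0` would say the same thing without a dead branch to compare. If the conditional is kept on purpose to make later merges from the non-portable spec easier, a few words to that effect in the comment would be enough.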
@@ -493,797 +494,27 @@ ExclusiveArch: %{java_arches}
ExcludeArch: %{ix86}
%endif
-# not-duplicated scriptlets for normal/debug packages
-%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
-
-%define save_alternatives() %{expand:
- # warning! alternatives are localised!
- # LANG=cs_CZ.UTF-8 alternatives --display java | head
- # LANG=en_US.UTF-8 alternatives --display java | head
- function nonLocalisedAlternativesDisplayOfMaster() {
- LANG=en_US.UTF-8 alternatives --display "$MASTER"
- }
- function headOfAbove() {
- nonLocalisedAlternativesDisplayOfMaster | head -n $1
- }
- MASTER="%{?1}"
- LOCAL_LINK="%{?2}"
- FAMILY="%{?3}"
- rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
- if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
- if headOfAbove 1 | grep -q manual ; then
- if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
- headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
- fi
- fi
- fi
-}
-
-%define save_and_remove_alternatives() %{expand:
- if [ "x$debug" == "xtrue" ] ; then
- set -x
- fi
- upgrade1_uninstal0=%{?3}
- if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
- %{save_alternatives %{?1} %{?2} %{?4}}
- fi
- alternatives --remove "%{?1}" "%{?2}"
-}
-
-%define set_if_needed_alternatives() %{expand:
- MASTER="%{?1}"
- FAMILY="%{?2}"
- ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
- if [ -e "$ALTERNATIVES_FILE" ] ; then
- rm "$ALTERNATIVES_FILE"
- alternatives --set $MASTER $FAMILY
- fi
-}
-
-
-%define post_script() %{expand:
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
-exit 0
-}
-
-%define alternatives_java_install() %{expand:
-if [ "x$debug" == "xtrue" ] ; then
- set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
- let PRIORITY=PRIORITY-1
-fi
-
-ext=.gz
-key=java
-alternatives \\
- --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
- --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
- --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
- --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
- --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
- --slave %{_mandir}/man1/java.1$ext java.1$ext \\
- %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
- %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
- %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
- %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
-
-%{set_if_needed_alternatives $key %{family}}
-
-for X in %{origin} %{javaver} ; do
- key=jre_"$X"
- alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
- %{set_if_needed_alternatives $key %{family}}
-done
-
-key=jre_%{javaver}_%{origin}
-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family}
-%{set_if_needed_alternatives $key %{family}}
-}
-
-%define post_headless() %{expand:
-%ifarch %{share_arches}
-%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
-%endif
-
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
-
-# see pretrans where this file is declared
-# also see that pretrans is only for non-debug
-if [ ! "%{?1}" == %{debug_suffix} ]; then
- if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
- sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}}
- fi
-fi
-
-exit 0
-}
-
-%define postun_script() %{expand:
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-if [ $1 -eq 0 ] ; then
- /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
- %{update_desktop_icons}
-fi
-exit 0
-}
-
-
-%define postun_headless() %{expand:
- if [ "x$debug" == "xtrue" ] ; then
- set -x
- fi
- post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_synt…
- %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}}
- %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
- %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
- %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
-}
-
-%define posttrans_script() %{expand:
-%{update_desktop_icons}
-}
-
-
-%define alternatives_javac_install() %{expand:
-if [ "x$debug" == "xtrue" ] ; then
- set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
- let PRIORITY=PRIORITY-1
-fi
-
-ext=.gz
-key=javac
-alternatives \\
- --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\
- --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
- --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
- --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
-%ifarch %{sa_arches}
-%ifnarch %{zero_arches}
- --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
-%endif
-%endif
- --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
- --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
- --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
- --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
- --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
- --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
- --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
- --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
- --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
- --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
- --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
- --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
- --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
- --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
- --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\
- --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
- --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
- --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
- --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
- --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
- --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
- --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
- %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
- %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
- %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
- %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
- %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
- %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
- %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
- %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
- %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
- %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
- %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
- %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\
- %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
- %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
- %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
- %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
- %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
- --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
- %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
-
-%{set_if_needed_alternatives $key %{family}}
-
-for X in %{origin} %{javaver} ; do
- key=java_sdk_"$X"
- alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
- %{set_if_needed_alternatives $key %{family}}
-done
-
-key=java_sdk_%{javaver}_%{origin}
-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
-%{set_if_needed_alternatives $key %{family}}
-}
-
-%define post_devel() %{expand:
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
-
-exit 0
-}
-
-%define postun_devel() %{expand:
- if [ "x$debug" == "xtrue" ] ; then
- set -x
- fi
- post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_synt…
- %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
- %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
- %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
- %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
-
-update-desktop-database %{_datadir}/applications &> /dev/null || :
-
-if [ $1 -eq 0 ] ; then
- /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
- %{update_desktop_icons}
-fi
-exit 0
-}
-
-%define posttrans_devel() %{expand:
-%{alternatives_javac_install -- %{?1}}
-%{update_desktop_icons}
-}
-
-%define alternatives_javadoc_install() %{expand:
-if [ "x$debug" == "xtrue" ] ; then
- set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
- let PRIORITY=PRIORITY-1
-fi
- for X in %{origin} %{javaver} ; do
- key=javadocdir_"$X"
- alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
- %{set_if_needed_alternatives $key %{family_noarch}}
- done
-
- key=javadocdir_%{javaver}_%{origin}
- alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
- %{set_if_needed_alternatives $key %{family_noarch}}
-
- key=javadocdir
- alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
- %{set_if_needed_alternatives $key %{family_noarch}}
-exit 0
-}
-
-%define postun_javadoc() %{expand:
-if [ "x$debug" == "xtrue" ] ; then
- set -x
-fi
- post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_synt…
- %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
- %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
- %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
- %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
-exit 0
-}
-
-%define alternatives_javadoczip_install() %{expand:
-if [ "x$debug" == "xtrue" ] ; then
- set -x
-fi
-PRIORITY=%{priority}
-if [ "%{?1}" == %{debug_suffix} ]; then
- let PRIORITY=PRIORITY-1
-fi
- for X in %{origin} %{javaver} ; do
- key=javadoczip_"$X"
- alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
- %{set_if_needed_alternatives $key %{family_noarch}}
- done
-
- key=javadoczip_%{javaver}_%{origin}
- alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
- %{set_if_needed_alternatives $key %{family_noarch}}
-
- # Weird legacy filename for backwards-compatibility
- key=javadoczip
- alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
- %{set_if_needed_alternatives $key %{family_noarch}}
-exit 0
-}
-
-%define postun_javadoc_zip() %{expand:
- if [ "x$debug" == "xtrue" ] ; then
- set -x
- fi
- post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_synt…
- %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
- %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
- %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
- %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
-exit 0
-}
-
-%define files_jre() %{expand:
-%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
-}
-
-
-%define files_jre_headless() %{expand:
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
-%dir %{_sysconfdir}/.java/.systemPrefs
-%dir %{_sysconfdir}/.java
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}
-%{_jvmdir}/%{sdkdir -- %{?1}}/release
-%{_jvmdir}/%{jrelnk -- %{?1}}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
-%ifarch %{jit_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
-%if ! %{system_libs}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
-# Some architectures don't have the serviceability agent
-%ifarch %{sa_arches}
-%ifnarch %{zero_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
-%endif
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
-%ifarch %{svml_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsvml.so
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
-%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
-%ifarch %{share_arches}
-%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
-%endif
-%dir %{etcjavasubdir}
-%dir %{etcjavadir -- %{?1}}
-%dir %{etcjavadir -- %{?1}}/lib
-%dir %{etcjavadir -- %{?1}}/lib/security
-%{etcjavadir -- %{?1}}/lib/security/cacerts
-%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
-%dir %{etcjavadir -- %{?1}}/conf
-%dir %{etcjavadir -- %{?1}}/conf/sdp
-%dir %{etcjavadir -- %{?1}}/conf/management
-%dir %{etcjavadir -- %{?1}}/conf/security
-%dir %{etcjavadir -- %{?1}}/conf/security/policy
-%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
-%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
-%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
-%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
- %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
-# This is a config template, thus not config-noreplace
-%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
-%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
-%{_jvmdir}/%{sdkdir -- %{?1}}/conf
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_bindir}/java
-%ghost %{_bindir}/%{alt_java_name}
-%ghost %{_jvmdir}/jre
-%ghost %{_bindir}/keytool
-%ghost %{_bindir}/pack200
-%ghost %{_bindir}/rmid
-%ghost %{_bindir}/rmiregistry
-%ghost %{_bindir}/unpack200
-%ghost %{_jvmdir}/jre-%{origin}
-%ghost %{_jvmdir}/jre-%{javaver}
-%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
-%endif
-%endif
-# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replace…
-%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
-%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
-}
-
-%define files_devel() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
-# Some architectures don't have the serviceability agent
-%ifarch %{sa_arches}
-%ifnarch %{zero_arches}
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
-%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
-%endif
-%endif
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
-%{_jvmdir}/%{sdkdir -- %{?1}}/include
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
-%if %{with_systemtap}
-%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
-%endif
-%{_datadir}/applications/*jconsole%{?1}.desktop
-%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
-
-%if %{with_systemtap}
-%dir %{tapsetroot}
-%dir %{tapsetdirttapset}
-%dir %{tapsetdir}
-%{tapsetdir}/*%{_arch}%{?1}.stp
-%endif
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_bindir}/javac
-%ghost %{_jvmdir}/java
-%ghost %{_jvmdir}/%{alt_java_name}
-%ghost %{_bindir}/jlink
-%ghost %{_bindir}/jmod
-%ghost %{_bindir}/jhsdb
-%ghost %{_bindir}/jar
-%ghost %{_bindir}/jarsigner
-%ghost %{_bindir}/javadoc
-%ghost %{_bindir}/javap
-%ghost %{_bindir}/jcmd
-%ghost %{_bindir}/jconsole
-%ghost %{_bindir}/jdb
-%ghost %{_bindir}/jdeps
-%ghost %{_bindir}/jdeprscan
-%ghost %{_bindir}/jimage
-%ghost %{_bindir}/jinfo
-%ghost %{_bindir}/jmap
-%ghost %{_bindir}/jps
-%ghost %{_bindir}/jrunscript
-%ghost %{_bindir}/jshell
-%ghost %{_bindir}/jstack
-%ghost %{_bindir}/jstat
-%ghost %{_bindir}/jstatd
-%ghost %{_bindir}/serialver
-%ghost %{_jvmdir}/java-%{origin}
-%ghost %{_jvmdir}/java-%{javaver}
-%ghost %{_jvmdir}/java-%{javaver}-%{origin}
-%endif
-%endif
-}
-
-%define files_jmods() %{expand:
-%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
-}
-
-%define files_demo() %{expand:
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%{_jvmdir}/%{sdkdir -- %{?1}}/demo
-%{_jvmdir}/%{sdkdir -- %{?1}}/sample
-}
-
-%define files_src() %{expand:
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
-}
-
-%define files_static_libs() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
-%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
-}
-
-%define files_javadoc() %{expand:
-%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_javadocdir}/java
-%ghost %{_javadocdir}/java-%{origin}
-%ghost %{_javadocdir}/java-%{javaver}
-%ghost %{_javadocdir}/java-%{javaver}-%{origin}
-%endif
-%endif
-}
-
-%define files_javadoc_zip() %{expand:
-%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
-%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
-%if %is_system_jdk
-%if %{is_release_build -- %{?1}}
-%ghost %{_javadocdir}/java-zip
-%ghost %{_javadocdir}/java-%{origin}.zip
-%ghost %{_javadocdir}/java-%{javaver}.zip
-%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
-%endif
-%endif
-}
-
+# Portables have no rpo (requires/provides), but thsoe are awesome for orientation in spec
+# also scriptlets are hapily missing and files are handled old fashion
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
-Requires: fontconfig%{?_isa}
-Requires: xorg-x11-fonts-Type1
-# Require libXcomposite explicitly since it's only dynamically loaded
-# at runtime. Fixes screenshot issues. See JDK-8150954.
-Requires: libXcomposite%{?_isa}
-# Requires rest of java
-Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-# for java-X-openjdk package's desktop binding
-# Where recommendations are available, recommend Gtk+ for the Swing look and feel
-%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
-Recommends: gtk3%{?_isa}
-%endif
-
-Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-
-# Standard JPackage base provides
-Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_headless_rpo() %{expand:
-# Require /etc/pki/java/cacerts
-Requires: ca-certificates
-# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
-Requires: javapackages-filesystem
-# Require zone-info data provided by tzdata-java sub-package
-# 2022e required as of JDK-8295173
-Requires: tzdata-java >= 2022e
-# for support of kernel stream control
-# libsctp.so.1 is being `dlopen`ed on demand
-Requires: lksctp-tools%{?_isa}
-%if ! 0%{?flatpak}
-# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
-# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
-# considered as regression
-Requires: copy-jdk-configs >= 4.0
-OrderWithRequires: copy-jdk-configs
-%endif
-# for printing support
-Requires: cups-libs
-# for system security properties
-Requires: crypto-policies
-# for FIPS PKCS11 provider
-Requires: nss
-# Post requires alternatives to install tool alternatives
-Requires(post): %{alternatives_requires}
-# Postun requires alternatives to uninstall tool alternatives
-Requires(postun): %{alternatives_requires}
-# Where suggestions are available, recommend the sctp and pcsc libraries
-# for optional support of kernel stream control and card reader
-%if 0%{?rhel} >= 8 || 0%{?fedora} > 0
-Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
-%endif
-
-# Standard JPackage base provides
-Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
-%endif
}
%define java_devel_rpo() %{expand:
-# Requires base package
-Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-# Post requires alternatives to install tool alternatives
-Requires(post): %{alternatives_requires}
-# Postun requires alternatives to uninstall tool alternatives
-Requires(postun): %{alternatives_requires}
-
-# Standard JPackage devel provides
-Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
-%endif
}
%define java_static_libs_rpo() %{expand:
-Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-}
-
-%define java_jmods_rpo() %{expand:
-# Requires devel package
-# as jmods are bytecode, they should be OK without any _isa
-Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
-
-Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_demo_rpo() %{expand:
-Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-
-Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
-%endif
}
-%define java_javadoc_rpo() %{expand:
-OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-# Post requires alternatives to install javadoc alternative
-Requires(post): %{alternatives_requires}
-# Postun requires alternatives to uninstall javadoc alternative
-Requires(postun): %{alternatives_requires}
-
-# Standard JPackage javadoc provides
-Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
-%endif
-}
-
-%define java_src_rpo() %{expand:
-Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
-
-# Standard JPackage sources provides
-Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
-%if %is_system_jdk
-Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
-%endif
-}
# Prevent brp-java-repack-jars from being run
%global __jar_repack 0
-Name: java-17-%{origin}
+# portables have grown out of its component, moving back to java-x-vendor
+# this expression, when declared as global, filled component with java-x-vendor portable
+%define component %(echo %{name} | sed "s;-portable;;g")
+
+Name: java-%{javaver}-%{origin}-portable
Version: %{newjavaver}.%{buildver}
Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
@@ -1297,7 +528,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
Epoch: 1
-Summary: %{origin_nice} %{featurever} Runtime Environment
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition
# Groups are only used up to RHEL 8 and on Fedora versions prior to F30
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
@@ -1327,10 +558,12 @@ Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
# Systemtap tapsets. Zipped up to keep it small.
-Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+# Disabled in portables
+#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
# Desktop files. Adapted from IcedTea
-Source9: jconsole.desktop.in
+# Disabled in portables
+#Source9: jconsole.desktop.in
# Release notes
Source10: NEWS
@@ -1339,7 +572,8 @@ Source10: NEWS
Source11: nss.cfg.in
# Removed libraries that we link instead
-Source12: remove-intree-libraries.sh
+# Disabled in portables
+#Source12: remove-intree-libraries.sh
# Ensure we aren't using the limited crypto policy
Source13: TestCryptoLevel.java
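Review bot: Commenting out `Source12` leaves the comment above it, `# Removed libraries that we link instead`, describing a script the spec no longer ships. Nothing in this hunk says what the portable build does with the in-tree library copies instead. If the portable image is built against those bundled copies, fixes for them reach users only through a JDK rebuild, and that is worth stating in the spec; the configure options that decide this are outside this hunk. Once confirmed, I would reword the comment along the lines of `# Not used in portables: in-tree library copies are kept, so their fixes require a rebuild`.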
@@ -1494,78 +728,37 @@ BuildRequires: libstdc++-static
%{java_rpo %{nil}}
%description
-The %{origin_nice} %{featurever} runtime environment.
+The %{origin_nice} %{featurever} runtime environment - portable edition.
%if %{include_debug_build}
%package slowdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{debug_on}
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
%endif
%{java_rpo -- %{debug_suffix_unquoted}}
%description slowdebug
-The %{origin_nice} %{featurever} runtime environment.
+The %{origin_nice} %{featurever} runtime environment - portable edition.
%{debug_warning}
%endif
%if %{include_fastdebug_build}
%package fastdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+Summary: %{origin_nice} %{featurever} Runtime Environment portable edition %{fastdebug_on}
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
%endif
%{java_rpo -- %{fastdebug_suffix_unquoted}}
%description fastdebug
-The %{origin_nice} %{featurever} runtime environment.
-%{fastdebug_warning}
-%endif
-
-%if %{include_normal_build}
-%package headless
-Summary: %{origin_nice} %{featurever} Headless Runtime Environment
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_headless_rpo %{nil}}
-
-%description headless
-The %{origin_nice} %{featurever} runtime environment without audio and video support.
-%endif
-
-%if %{include_debug_build}
-%package headless-slowdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_headless_rpo -- %{debug_suffix_unquoted}}
-
-%description headless-slowdebug
-The %{origin_nice} %{featurever} runtime environment without audio and video support.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package headless-fastdebug
-Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description headless-fastdebug
-The %{origin_nice} %{featurever} runtime environment without audio and video support.
+The %{origin_nice} %{featurever} runtime environment - portable edition.
%{fastdebug_warning}
%endif
%if %{include_normal_build}
%package devel
-Summary: %{origin_nice} %{featurever} Development Environment
+Summary: %{origin_nice} %{featurever} Development Environment portable edition.
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
%endif
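Review bot: The new `devel` summary ends with a full stop (`... Development Environment portable edition.`), unlike the other summaries in this hunk, and rpmlint reports a trailing dot in `Summary`. The `static-libs` summary in the `@@ -1608,194 +801,39 @@` hunk has the same trailing dot. The `devel-slowdebug` and `devel-fastdebug` summaries in the following hunks now read "Runtime and Development Environment" while `devel` still reads "Development Environment". I would write `Summary: %{origin_nice} %{featurever} Development Environment portable edition` and use one wording for all three devel variants.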
@@ -1573,12 +766,12 @@ Group: Development/Languages
%{java_devel_rpo %{nil}}
%description devel
-The %{origin_nice} %{featurever} development tools.
+The %{origin_nice} %{featurever} development tools - portable edition.
%endif
%if %{include_debug_build}
%package devel-slowdebug
-Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{debug_on}
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Languages
%endif
@@ -1586,13 +779,13 @@ Group: Development/Languages
%{java_devel_rpo -- %{debug_suffix_unquoted}}
%description devel-slowdebug
-The %{origin_nice} %{featurever} development tools.
+The %{origin_nice} %{featurever} development tools - portable edition.
%{debug_warning}
%endif
%if %{include_fastdebug_build}
%package devel-fastdebug
-Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+Summary: %{origin_nice} %{featurever} Runtime and Development Environment portable edition %{fastdebug_on}
%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
Group: Development/Tools
%endif
@@ -1600,7 +793,7 @@ Group: Development/Tools
%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
%description devel-fastdebug
-The %{origin_nice} %{featurever} development tools .
+The %{origin_nice} %{featurever} development tools - portable edition.
%{fastdebug_warning}
%endif
@@ -1608,194 +801,39 @@ The %{origin_nice} %{featurever} development tools .
%if %{include_normal_build}
%package static-libs
-Summary: %{origin_nice} %{featurever} libraries for static linking
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition.
%{java_static_libs_rpo %{nil}}
%description static-libs
-The %{origin_nice} %{featurever} libraries for static linking.
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
%endif
%if %{include_debug_build}
%package static-libs-slowdebug
-Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_on}
%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
%description static-libs-slowdebug
-The %{origin_nice} %{featurever} libraries for static linking.
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
%{debug_warning}
%endif
%if %{include_fastdebug_build}
%package static-libs-fastdebug
-Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_on}
%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
%description static-libs-fastdebug
-The %{origin_nice} %{featurever} libraries for static linking.
+The %{origin_nice} %{featurever} libraries for static linking - portable edition.
%{fastdebug_warning}
%endif
# staticlibs
%endif
-%if %{include_normal_build}
-%package jmods
-Summary: JMods for %{origin_nice} %{featurever}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_jmods_rpo %{nil}}
-
-%description jmods
-The JMods for %{origin_nice} %{featurever}.
-%endif
-
-%if %{include_debug_build}
-%package jmods-slowdebug
-Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_jmods_rpo -- %{debug_suffix_unquoted}}
-
-%description jmods-slowdebug
-The JMods for %{origin_nice} %{featurever}.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package jmods-fastdebug
-Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Tools
-%endif
-
-%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description jmods-fastdebug
-The JMods for %{origin_nice} %{featurever}.
-%{fastdebug_warning}
-%endif
-
-%if %{include_normal_build}
-%package demo
-Summary: %{origin_nice} %{featurever} Demos
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_demo_rpo %{nil}}
-
-%description demo
-The %{origin_nice} %{featurever} demos.
-%endif
-
-%if %{include_debug_build}
-%package demo-slowdebug
-Summary: %{origin_nice} %{featurever} Demos %{debug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_demo_rpo -- %{debug_suffix_unquoted}}
-
-%description demo-slowdebug
-The %{origin_nice} %{featurever} demos.
-%{debug_warning}
-%endif
-
-%if %{include_fastdebug_build}
-%package demo-fastdebug
-Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description demo-fastdebug
-The %{origin_nice} %{featurever} demos.
-%{fastdebug_warning}
-%endif
-
-%if %{include_normal_build}
-%package src
-Summary: %{origin_nice} %{featurever} Source Bundle
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_src_rpo %{nil}}
-
-%description src
-The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
-class library source code for use by IDE indexers and debuggers.
-%endif
-
-%if %{include_debug_build}
-%package src-slowdebug
-Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_src_rpo -- %{debug_suffix_unquoted}}
-
-%description src-slowdebug
-The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
- class library source code for use by IDE indexers and debuggers, %{for_debug}.
-%endif
-
-%if %{include_fastdebug_build}
-%package src-fastdebug
-Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Development/Languages
-%endif
-
-%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
-
-%description src-fastdebug
-The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
- class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
-%endif
-
-%if %{include_normal_build}
-%package javadoc
-Summary: %{origin_nice} %{featurever} API documentation
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Documentation
-%endif
-Requires: javapackages-filesystem
-Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling
-
-%{java_javadoc_rpo -- %{nil} %{nil}}
-
-%description javadoc
-The %{origin_nice} %{featurever} API documentation.
-%endif
-
-%if %{include_normal_build}
-%package javadoc-zip
-Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
-%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30)
-Group: Documentation
-%endif
-Requires: javapackages-filesystem
-Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling
-
-%{java_javadoc_rpo -- %{nil} -zip}
-%{java_javadoc_rpo -- %{nil} %{nil}}
-
-%description javadoc-zip
-The %{origin_nice} %{featurever} API documentation compressed in a single archive.
-%endif
-
%prep
echo "Preparing %{oj_vendor_version}"
@@ -1910,21 +948,7 @@ done
%endif
# Prepare desktop files
-# The _X_ syntax indicates variables that are replaced by make upstream
-# The @X@ syntax indicates variables that are replaced by configure upstream
-for suffix in %{build_loop} ; do
-for file in %{SOURCE9}; do
- FILE=`basename $file | sed -e s:\.in$::g`
- EXT="${FILE##*.}"
- NAME="${FILE%.*}"
- OUTPUT_FILE=$NAME$suffix.$EXT
- sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
- sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
- sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
- sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
- sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
-done
-done
+# Portables do not have desktop integration
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
@@ -2006,6 +1030,7 @@ function buildjdk() {
%ifarch %{ppc64le}
--with-jobs=1 \
%endif
+ --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
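Review bot: The added `--with-cacerts-file=` line copies whatever trust store the build host has at `%{_sysconfdir}/pki/java/cacerts` into the image, so the portable JDK carries a build-time snapshot of the CA set. That snapshot does not follow later ca-certificates updates, so a distrusted root stays trusted until the portable is rebuilt. The backtick `readlink -f` is also unchecked: if the path cannot be resolved, the option may expand to an empty value and configure may fall back to its default store without failing, and a BuildRequires that guarantees the file is not visible here. I would resolve it before the configure call with `cacerts_file=$(readlink -e %{_sysconfdir}/pki/java/cacerts) || exit 1`, pass `--with-cacerts-file="${cacerts_file}"`, and add a comment that the trust store is frozen at build time. buildjdk starts and ends outside this hunk, and the installjdk hunk that follows still renames `lib/security/cacerts` to `cacerts.upstream`, so what the image finally uses cannot be confirmed from here.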
@@ -2073,9 +1098,6 @@ function installjdk() {
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security
- # Use system-wide tzdata
- mv ${imagepath}/lib/tzdb.dat{,.upstream}
- ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Rename OpenJDK cacerts database
mv ${imagepath}/lib/security/cacerts{,.upstream}
commit 57b38411b25d47c1927b6804c07421a8a35d98e4
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Mon Nov 21 15:08:54 2022 +0100
Renamed specfile
diff --git a/java-17-openjdk.spec b/java-17-openjdk-portable.spec
similarity index 100%
rename from java-17-openjdk.spec
rename to java-17-openjdk-portable.spec
commit 9253c5fd017a7bb658a8ab650f8d9ea6c0c0f2c7
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Wed Nov 9 02:52:39 2022 +0000
Update to jdk-17.0.6+1
Update release notes to 17.0.6+1
Switch to EA mode for 17.0.6 pre-release builds.
Re-enable EA upstream status check now it is being actively maintained.
Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
Bump tzdata requirement to 2022e now the package is available in Fedora
diff --git a/.gitignore b/.gitignore
index daec806..b6a0653 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@
/openjdk-jdk17u-jdk-17.0.5+1.tar.xz
/openjdk-jdk17u-jdk-17.0.5+7.tar.xz
/openjdk-jdk17u-jdk-17.0.5+8.tar.xz
+/openjdk-jdk17u-jdk-17.0.6+1.tar.xz
diff --git a/NEWS b/NEWS
index f611a71..231f074 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,187 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.6 (2023-01-17):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1706
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.6.html
+
+* Other changes
+ - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
+ - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
+ - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
+ - JDK-8030121: java/awt/dnd/MissingDragExitEventTest/MissingDragExitEventTest.java fails
+ - JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails
+ - JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java
+ - JDK-8169187: [macosx] Aqua: java/awt/image/multiresolution/MultiresolutionIconTest.java
+ - JDK-8210558: serviceability/sa/TestJhsdbJstackLock.java fails to find '^\s+- waiting to lock <0x[0-9a-f]+> \(a java\.lang\.Class ...'
+ - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
+ - JDK-8233557: [TESTBUG] DoubleClickTitleBarTest.java fails on macOs
+ - JDK-8233558: [TESTBUG] WindowOwnedByEmbeddedFrameTest.java fails on macos
+ - JDK-8233648: [TESTBUG] DefaultMenuBarTest.java failing on macos
+ - JDK-8244670: convert clhsdb "whatis" command from javascript to java
+ - JDK-8251466: test/java/io/File/GetXSpace.java fails on Windows with mapped network drives.
+ - JDK-8256811: Delayed/missed jdwp class unloading events
+ - JDK-8257722: Improve "keytool -printcert -jarfile" output
+ - JDK-8262721: Add Tests to verify single iteration loops are properly optimized
+ - JDK-8266082: AssertionError in Annotate.fromAnnotations with -Xdoclint
+ - JDK-8267138: Stray suffix when starting gtests via GTestWrapper.java
+ - JDK-8268033: compiler/intrinsics/bmi/verifycode/BzhiTestI2L.java fails with "fatal error: Not compilable at tier 3: CodeBuffer overflow"
+ - JDK-8268297: jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
+ - JDK-8268779: ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
+ - JDK-8269029: compiler/codegen/TestCharVect2.java fails for client VMs
+ - JDK-8269571: NMT should print total malloc bytes and invocation count
+ - JDK-8269743: test/hotspot/jtreg/vmTestbase/vm/mlvm/meth/stress/jni/nativeAndMH/Test.java crash with small heap (-Xmx50m)
+ - JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java does not show instruction
+ - JDK-8270848: Redundant unsafe opmask register allocation in some instruction patterns.
+ - JDK-8270947: AArch64: C1: use zero_words to initialize all objects
+ - JDK-8271015: Split cds/SharedBaseAddress.java test into smaller parts
+ - JDK-8271956: AArch64: C1 build failed after JDK-8270947
+ - JDK-8272094: compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
+ - JDK-8272123: Problem list 4 jtreg tests which regularly fail on macos-aarch64
+ - JDK-8272776: NullPointerException not reported
+ - JDK-8272791: java -XX:BlockZeroingLowLimit=1 crashes after 8270947
+ - JDK-8273043: [TEST_BUG] Automate NimbusJTreeSelTextColor.java
+ - JDK-8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints
+ - JDK-8273553: sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368
+ - JDK-8273578: javax/swing/JMenu/4515762/bug4515762.java fails on macOS 12
+ - JDK-8273881: Metaspace: test repeated deallocations
+ - JDK-8274032: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ImageTypes.java & show test UI
+ - JDK-8274160: java/awt/Window/ShapedAndTranslucentWindows/Common.java delay is too high
+ - JDK-8274296: Update or Problem List tests which may fail with uiScale=2 on macOS
+ - JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening
+ - JDK-8275170: Some jtreg sound tests should be marked with sound keyword
+ - JDK-8275234: java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList
+ - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+ - JDK-8276108: Wrong instruction generation in aarch64 backend
+ - JDK-8276904: Optional.toString() is unnecessarily expensive
+ - JDK-8277092: TestMetaspaceAllocationMT2.java#ndebug-default fails with "RuntimeException: Committed seems high: NNNN expected at most MMMM"
+ - JDK-8277346: ProblemList 7 serviceability/sa tests on macosx-x64
+ - JDK-8277351: ProblemList runtime/jni/checked/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64
+ - JDK-8277358: Accelerate CRC32-C
+ - JDK-8277411: C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
+ - JDK-8277576: ProblemList runtime/ErrorHandling/CreateCoredumpOnCrash.java on macosx-X64
+ - JDK-8277577: ProblemList compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java on linux-aarch64
+ - JDK-8277578: ProblemList applications/jcstress/acqrel.java on linux-aarch64
+ - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
+ - JDK-8277928: Fix compilation on macosx-aarch64 after 8276108
+ - JDK-8279066: entries.remove(entry) is useless in PKCS12KeyStore
+ - JDK-8279398: jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
+ - JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail due to unexpected GC
+ - JDK-8280124: Reduce branches decoding latin-1 chars from UTF-8 encoded bytes
+ - JDK-8280234: AArch64 "core" variant does not build after JDK-8270947
+ - JDK-8280511: AArch64: Combine shift and negate to a single instruction
+ - JDK-8280554: resourcehogs/serviceability/sa/ClhsdbRegionDetailsScanOopsForG1.java can fail if GC is triggered
+ - JDK-8280555: serviceability/sa/TestObjectMonitorIterate.java is failing due to ObjectMonitor referencing a null Object
+ - JDK-8280872: Reorder code cache segments to improve code density
+ - JDK-8280948: Write a regression test for JDK-4659800
+ - JDK-8281296: Create a regression test for JDK-4515999
+ - JDK-8282049: AArch64: Use ZR for integer zero immediate volatile stores
+ - JDK-8282276: Problem list failing two Robot Screen Capture tests
+ - JDK-8282347: AARCH64: Untaken branch in has_negatives stub
+ - JDK-8282402: Create a regression test for JDK-4666101
+ - JDK-8282528: AArch64: Incorrect replicate2L_zero rule
+ - JDK-8282642: vmTestbase/gc/gctests/LoadUnloadGC2/LoadUnloadGC2.java fails intermittently with exit code 1
+ - JDK-8282730: LdapLoginModule throw NPE from logout method after login failure
+ - JDK-8282777: Create a Regression test for JDK-4515031
+ - JDK-8282857: Create a regression test for JDK-4702690
+ - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2
+ - JDK-8283298: Make CodeCacheSegmentSize a product flag
+ - JDK-8283353: compiler/c2/cr6865031/Test.java and compiler/runtime/Test6826736.java fails on x86_32
+ - JDK-8283383: [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
+ - JDK-8284681: compiler/c2/aarch64/TestFarJump.java fails with "RuntimeException: for CodeHeap < 250MB the far jump is expected to be encoded with a single branch instruction"
+ - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
+ - JDK-8284732: FFI_GO_CLOSURES macro not defined but required for zero build on Mac OS X
+ - JDK-8284752: Zero does not build on Mac OS X due to missing os::current_thread_enable_wx implementation
+ - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
+ - JDK-8284892: java/net/httpclient/http2/TLSConnection.java fails intermittently
+ - JDK-8284980: Test vmTestbase/nsk/stress/except/except010.java times out with -Xcomp -XX:+DeoptimizeALot
+ - JDK-8285305: Create an automated test for JDK-4495286
+ - JDK-8285373: Create an automated test for JDK-4702233
+ - JDK-8285612: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/ImagePrinting/ClippedImages.java
+ - JDK-8285687: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PageRangesDlgTest.java
+ - JDK-8285698: Create a test to check the focus stealing of JPopupMenu from JComboBox
+ - JDK-8285836: sun/net/www/http/KeepAliveCache/KeepAliveProperty.java failed with "RuntimeException: Failed in server"
+ - JDK-8286263: compiler/c1/TestPinnedIntrinsics.java failed with "RuntimeException: testCurrentTimeMillis failed with -3"
+ - JDK-8286313: [macos] Voice over reads the boolean value as null in the JTable
+ - JDK-8286452: The array length of testSmallConstArray should be small and const
+ - JDK-8286460: Remove dependence on JAR filename in CDS tests
+ - JDK-8286551: JDK-8286460 causes tests to fail to compile in Tier2
+ - JDK-8286663: Resolve IDE warnings in WTrayIconPeer and SystemTray
+ - JDK-8286772: java/awt/dnd/DropTargetInInternalFrameTest/DropTargetInInternalFrameTest.html times out and fails in Windows
+ - JDK-8287076: Document.normalizeDocument() produces different results
+ - JDK-8287349: AArch64: Merge LDR instructions to improve C1 OSR performance
+ - JDK-8287425: Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
+ - JDK-8287609: macOS: SIGSEGV at [CoreFoundation] CFArrayGetCount / sun.font.CFont.getTableBytesNative
+ - JDK-8287826: javax/accessibility/4702233/AccessiblePropertiesTest.java fails to compile
+ - JDK-8288302: Shenandoah: SIGSEGV in vm maybe related to jit compiling xerces
+ - JDK-8288377: [REDO] DST not applying properly with zone id offset set with TZ env variable
+ - JDK-8288445: AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
+ - JDK-8288651: CDS test HelloUnload.java should not use literal string as ClassLoader name
+ - JDK-8289044: ARM32: missing LIR_Assembler::cmove metadata type support
+ - JDK-8289146: containers/docker/TestMemoryWithCgroupV1.java fails on linux ppc64le machine with missing Memory and Swap Limit output
+ - JDK-8289257: Some custom loader tests failed due to symbol refcount not decremented
+ - JDK-8289559: java/awt/a11y/AccessibleJPopupMenuTest.java test fails with java.lang.NullPointerException
+ - JDK-8289562: Change bugs.java.com and bugreport.java.com URL's to https
+ - JDK-8290207: Missing notice in dom.md
+ - JDK-8290209: jcup.md missing additional text
+ - JDK-8290451: Incorrect result when switching to C2 OSR compilation from C1
+ - JDK-8290529: C2: assert(BoolTest(btest).is_canonical()) failure
+ - JDK-8290532: Adjust PKCS11Exception and handle more PKCS11 error codes
+ - JDK-8290687: serviceability/sa/TestClassDump.java could leave files owned by root on macOS
+ - JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
+ - JDK-8290711: assert(false) failed: infinite loop in PhaseIterGVN::optimize
+ - JDK-8290781: Segfault at PhaseIdealLoop::clone_loop_handle_data_uses
+ - JDK-8290908: misc tests fail: assert(!thread->owns_locks()) failed: must release all locks when leaving VM
+ - JDK-8291456: com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
+ - JDK-8291459: JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
+ - JDK-8291599: Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
+ - JDK-8291650: Add delay to ClassUnloadEventTest before exiting to give time for JVM to send all events before VMDeath
+ - JDK-8291775: C2: assert(r != __null && r->is_Region()) failed: this phi must have a region
+ - JDK-8292083: Detected container memory limit may exceed physical machine memory
+ - JDK-8292158: AES-CTR cipher state corruption with AVX-512
+ - JDK-8292385: assert(ctrl == kit.control()) failed: Control flow was added although the intrinsic bailed out
+ - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
+ - JDK-8292586: simplify cleanups in NTLMAuthSequence getCredentialsHandle
+ - JDK-8292682: Code change of JDK-8282730 not updated to reflect CSR update
+ - JDK-8292778: EncodingSupport_md.c convertUtf8ToPlatformString wrong placing of free
+ - JDK-8292816: GPL Classpath exception missing from assemblyprefix.h
+ - JDK-8292866: Java_sun_awt_shell_Win32ShellFolder2_getLinkLocation check MultiByteToWideChar return value for failures
+ - JDK-8292879: com/sun/jdi/ClassUnloadEventTest.java failed due to classes not unloading
+ - JDK-8292880: Improve debuggee logging for com/sun/jdi/ClassUnloadEventTest.java
+ - JDK-8292888: Bump update version for OpenJDK: jdk-17.0.6
+ - JDK-8292899: CustomTzIDCheckDST.java testcase failed on AIX platform
+ - JDK-8292903: enhance round_up_power_of_2 assertion output
+ - JDK-8293044: C1: Missing access check on non-accessible class
+ - JDK-8293232: Fix race condition in pkcs11 SessionManager
+ - JDK-8293319: [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
+ - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
+ - JDK-8293489: Accept CAs with BasicConstraints without pathLenConstraint
+ - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
+ - JDK-8293578: Duplicate ldc generated by javac
+ - JDK-8293657: sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake"
+ - JDK-8293659: Improve UnsatisfiedLinkError error message to include dlopen error details
+ - JDK-8293672: Update freetype md file
+ - JDK-8293701: jdeps InverseDepsAnalyzer runs into NoSuchElementException: No value present
+ - JDK-8293808: mscapi destroyKeyContainer enhance KeyStoreException: Access is denied exception
+ - JDK-8293816: CI: ciBytecodeStream::get_klass() is not consistent
+ - JDK-8293826: Closed test fails after JDK-8276108 on aarch64
+ - JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
+ - JDK-8293891: gc/g1/mixedgc/TestOldGenCollectionUsage.java (still) assumes that GCs take 1ms minimum
+ - JDK-8293998: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
+ - JDK-8294357: (tz) Update Timezone Data to 2022d
+ - JDK-8294578: [PPC64] C2: Missing is_oop information when using disjoint compressed oops mode
+ - JDK-8294740: Add cgroups keyword to TestDockerBasic.java
+ - JDK-8294837: unify Windows 2019 version check in os_windows and java_props_md
+ - JDK-8294840: langtools OptionalDependencyTest.java use File.pathSeparator
+ - JDK-8295173: (tz) Update Timezone Data to 2022e
+ - JDK-8295288: Some vm_flags tests associate with a wrong BugID
+ - JDK-8295412: support latest VS2022 MSC_VER in abstract_vm_version.cpp
+ - JDK-8295429: Update harfbuzz md file
+ - JDK-8295469: S390X: Optimized builds are broken
+ - JDK-8295641: Fix DEFAULT_PROMOTED_VERSION_PRE=ea for -dev
+
New in release OpenJDK 17.0.5 (2022-10-18):
===========================================
Live versions of these release notes can be found at:
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 6fc0908..3fbd691 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -321,7 +321,7 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 5
+%global updatever 6
%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
@@ -368,7 +368,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 8
+%global buildver 1
%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -395,7 +395,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
%global ea_designator ""
@@ -1160,9 +1160,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2022d required as of JDK-8294357
-# Should be bumped to 2022e once available (JDK-8295173)
-Requires: tzdata-java >= 2022d
+# 2022e required as of JDK-8295173
+Requires: tzdata-java >= 2022e
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1423,10 +1422,6 @@ Patch1001: fips-17u-%{fipsver}.patch
#############################################
# JDK-8293834: Update CLDR data following tzdata 2022c update
Patch2001: jdk8293834-kyiv_cldr_update.patch
-# JDK-8294357: (tz) Update Timezone Data to 2022d
-Patch2002: jdk8294357-tzdata2022d.patch
-# JDK-8295173: (tz) Update Timezone Data to 2022e
-Patch2003: jdk8295173-tzdata2022e.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1460,9 +1455,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2022d required as of JDK-8294357
-# Should be bumped to 2022e once available (JDK-8295173)
-BuildRequires: tzdata-java >= 2022d
+# 2022e required as of JDK-8295173
+BuildRequires: tzdata-java >= 2022e
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1862,8 +1856,6 @@ pushd %{top_level_dir_name}
%patch1000 -p1
# tzdata updates targetted for 17.0.6
%patch2001 -p1
-%patch2002 -p1
-%patch2003 -p1
popd # openjdk
%patch600
@@ -1885,8 +1877,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
echo "WARNING: Designator mismatch";
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
- # Don't fail at present as upstream are not maintaining the value correctly
- #exit 17
+ exit 17
fi
# Extract systemtap tapsets
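Review bot: The `echo` lines ahead of the re-enabled `exit 17` still label the mismatch "WARNING" and write to stdout, although the build now aborts at this point, so the log understates a fatal condition. I would change the first message to `echo "ERROR: Designator mismatch" >&2` and send the two detail lines to stderr as well. The removed comment was the only explanation near the check, so a replacement such as `# Fail the build: the spec's GA/EA setting must match upstream's version-pre` above `exit 17` would record why the check is fatal and keep a later edit from commenting it out again without a reason. The enclosing `if` opens outside this hunk (it is visible only in the hunk header), so the computation of `UPSTREAM_EA_DESIGNATOR` is not reviewed here.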
@@ -2687,6 +2678,14 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Nov 09 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.6.0.1-0.1.ea
+- Update to jdk-17.0.6+1
+- Update release notes to 17.0.6+1
+- Switch to EA mode for 17.0.6 pre-release builds.
+- Re-enable EA upstream status check now it is being actively maintained.
+- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
+- Bump tzdata requirement to 2022e now the package is available in Fedora
+
* Wed Oct 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.8-1
- Update to jdk-17.0.5+8 (GA)
- Update release notes to 17.0.5+8 (GA)
diff --git a/jdk8294357-tzdata2022d.patch b/jdk8294357-tzdata2022d.patch
deleted file mode 100644
index 9eb6727..0000000
--- a/jdk8294357-tzdata2022d.patch
+++ /dev/null
@@ -1,303 +0,0 @@
-commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce
-Author: Goetz Lindenmaier <goetz(a)openjdk.org>
-Date: Wed Oct 5 07:13:43 2022 +0000
-
- 8294357: (tz) Update Timezone Data to 2022d
-
- Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54
-
-diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
-index decb8716b22..889d0e6dad7 100644
---- a/make/data/tzdata/VERSION
-+++ b/make/data/tzdata/VERSION
-@@ -21,4 +21,4 @@
- # or visit www.oracle.com if you need additional information or have any
- # questions.
- #
--tzdata2022c
-+tzdata2022d
-diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
-index 3a150b0f36b..f9df7432947 100644
---- a/make/data/tzdata/asia
-+++ b/make/data/tzdata/asia
-@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
- # The winter time in 2015 started on October 23 at 01:00.
- # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
- # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
--#
--# From Paul Eggert (2019-04-10):
--# For now, guess spring-ahead transitions are at 00:00 on the Saturday
--# preceding March's last Sunday (i.e., Sat>=24).
-
- # From P Chan (2021-10-18):
- # http://wafa.ps/Pages/Details/34701
-@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
- # From Heba Hamad (2022-03-10):
- # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
-
-+# From Heba Hamad (2022-08-30):
-+# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
-+# 60 minutes backwards. Also the state of Palestine adopted the summer
-+# and winter time for the years: 2023,2024,2025,2026 ...
-+# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.p…
-+# (2022-08-31): ... the Saturday before the last Sunday in March and October
-+# at 2:00 AM ,for the years from 2023 to 2026.
-+# (2022-09-05): https://mtit.pna.ps/Site/New/1453
-+#
-+# From Paul Eggert (2022-08-31):
-+# For now, assume that this rule will also be used after 2026.
-+
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
- Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
-@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
- Rule Palestine 2014 only - Oct 24 0:00 0 -
- Rule Palestine 2015 only - Mar 28 0:00 1:00 S
- Rule Palestine 2015 only - Oct 23 1:00 0 -
--Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
--Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
-+Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
-+Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
- Rule Palestine 2019 only - Mar 29 0:00 1:00 S
--Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
--Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
-+Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
-+Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
- Rule Palestine 2020 only - Oct 24 1:00 0 -
--Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
--Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
-+Rule Palestine 2021 only - Oct 29 1:00 0 -
-+Rule Palestine 2022 only - Mar 27 0:00 1:00 S
-+Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
-+Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
-diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward
-index d4a29e8cf29..7765d99aedf 100644
---- a/make/data/tzdata/backward
-+++ b/make/data/tzdata/backward
-@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
- Link Europe/London Europe/Belfast
- Link Europe/Kyiv Europe/Kiev
- Link Europe/Chisinau Europe/Tiraspol
-+Link Europe/Kyiv Europe/Uzhgorod
-+Link Europe/Kyiv Europe/Zaporozhye
- Link Europe/London GB
- Link Europe/London GB-Eire
- Link Etc/GMT GMT+0
-diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
-index 879b5337536..accc845dbaf 100644
---- a/make/data/tzdata/europe
-+++ b/make/data/tzdata/europe
-@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
- # From Alexander Krivenyshev (2014-03-17):
- # time change at 2:00 (2am) on March 30, 2014
- # https://vz.ru/news/2014/3/17/677464.html
--# From Paul Eggert (2014-03-30):
--# Simferopol and Sevastopol reportedly changed their central town clocks
--# late the previous day, but this appears to have been ceremonial
--# and the discrepancies are small enough to not worry about.
-+# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
-+# The clocks at the railway station in Simferopol were put forward from 22:00
-+# to 24:00 the previous day in a "symbolic ceremony"; however, per
-+# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
-+# time switch at 2am" on Sunday.
-+# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-…
-+# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switch…
-+# https://www.bbc.com/news/av/world-europe-26806583
- 2:00 EU EE%sT 2014 Mar 30 2:00
- 4:00 - MSK 2014 Oct 26 2:00s
- 3:00 - MSK
-@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
- # US colleague David Cochrane) are still trying to get more
- # information upon these local deviations from Kiev rules.
- #
--# From Paul Eggert (2022-02-08):
--# For now, assume that Ukraine's other three zones followed the same rules,
-+# From Paul Eggert (2022-08-27):
-+# For now, assume that Ukraine's zones all followed the same rules,
- # except that Crimea switched to Moscow time in 1994 as described elsewhere.
-
- # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
-@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
- # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
- # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
-
--# From Paul Eggert (2022-04-12):
--# As is usual in tzdb, Ukrainian zones use the most common English spellings.
--# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
--# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
--# "Kyiv" is now more common due to widespread reporting of the current conflict.
--# Conversely, tzdb continues to use the names Europe/Uzhgorod and
--# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
--# certainly wrong as a transliteration of the Czech "Praha".
--# English-language spelling of Ukrainian names is in flux, and
--# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
--# common in English; in the meantime, do not change these
--# English spellings as that means less disruption for our users.
--
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--# This represents most of Ukraine. See above for the spelling of "Kyiv".
- Zone Europe/Kyiv 2:02:04 - LMT 1880
- 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
- 2:00 - EET 1930 Jun 21
-@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
- 2:00 1:00 EEST 1991 Sep 29 3:00
- 2:00 C-Eur EE%sT 1996 May 13
- 2:00 EU EE%sT
--# Transcarpathia used CET 1990/1991.
--# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
--# "Uzhgorod" is more common in English.
--Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
-- 1:00 - CET 1940
-- 1:00 C-Eur CE%sT 1944 Oct
-- 1:00 1:00 CEST 1944 Oct 26
-- 1:00 - CET 1945 Jun 29
-- 3:00 Russia MSK/MSD 1990
-- 3:00 - MSK 1990 Jul 1 2:00
-- 1:00 - CET 1991 Mar 31 3:00
-- 2:00 - EET 1992 Mar 20
-- 2:00 C-Eur EE%sT 1996 May 13
-- 2:00 EU EE%sT
--# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
--# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
--# "Zaporozh'ye" is more common in English. Use the common English
--# spelling, except omit the apostrophe as it is not allowed in
--# portable Posix file names.
--Zone Europe/Zaporozhye 2:20:40 - LMT 1880
-- 2:20 - +0220 1924 May 2
-- 2:00 - EET 1930 Jun 21
-- 3:00 - MSK 1941 Aug 25
-- 1:00 C-Eur CE%sT 1943 Oct 25
-- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
-- 2:00 E-Eur EE%sT 1992 Mar 20
-- 2:00 C-Eur EE%sT 1996 May 13
-- 2:00 EU EE%sT
-
- # Vatican City
- # See Europe/Rome.
-diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica
-index 13ec081c7e0..3c0e0e2061c 100644
---- a/make/data/tzdata/southamerica
-+++ b/make/data/tzdata/southamerica
-@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
- # for America/Santiago will start on midnight of September 11th;
- # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
- # will keep UTC -3 "indefinitely"... This is because on September 4th
--# we will have a voting whether to approve a new Constitution....
--# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabad…
-+# we will have a voting whether to approve a new Constitution.
-+#
-+# From Eduardo Romero Urra (2022-08-17):
-+# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01…
-+#
-+# From Paul Eggert (2022-08-17):
-+# Although the presidential decree stops at fall 2026, assume that
-+# similar DST rules will continue thereafter.
-
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
-diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab
-index 51b65fa273c..ee025196e50 100644
---- a/make/data/tzdata/zone.tab
-+++ b/make/data/tzdata/zone.tab
-@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
- TW +2503+12130 Asia/Taipei
- TZ -0648+03917 Africa/Dar_es_Salaam
- UA +5026+03031 Europe/Kyiv Ukraine (most areas)
--UA +4837+02218 Europe/Uzhgorod Transcarpathia
--UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
- UG +0019+03225 Africa/Kampala
- UM +2813-17722 Pacific/Midway Midway Islands
- UM +1917+16637 Pacific/Wake Wake Island
-diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
-index 15c2f0d1275..6f6e190efcd 100644
---- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
-+++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
-@@ -574,12 +574,8 @@ public final class ZoneInfoFile {
- // we can then pass in the dom = -1, dow > 0 into ZoneInfo
- //
- // hacking, assume the >=24 is the result of ZRB optimization for
-- // "last", it works for now. From tzdata2020d this hacking
-- // will not work for Asia/Gaza and Asia/Hebron which follow
-- // Palestine DST rules.
-- if (dom < 0 || dom >= 24 &&
-- !(zoneId.equals("Asia/Gaza") ||
-- zoneId.equals("Asia/Hebron"))) {
-+ // "last", it works for now.
-+ if (dom < 0 || dom >= 24) {
- params[1] = -1;
- params[2] = toCalendarDOW[dow];
- } else {
-@@ -601,7 +597,6 @@ public final class ZoneInfoFile {
- params[7] = 0;
- } else {
- // hacking: see comment above
-- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
- if (dom < 0 || dom >= 24) {
- params[6] = -1;
- params[7] = toCalendarDOW[dow];
-diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
-index c32bee39fba..71470168456 100644
---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
-+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
-@@ -1 +1 @@
--tzdata2022c
-+tzdata2022d
-diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
-index a5e6428a3f5..e3ce742f887 100644
---- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
-+++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
-@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
- Link Europe/London Europe/Belfast
- Link Europe/Kyiv Europe/Kiev
- Link Europe/Chisinau Europe/Tiraspol
-+Link Europe/Kyiv Europe/Uzhgorod
-+Link Europe/Kyiv Europe/Zaporozhye
- Link Europe/London GB
- Link Europe/London GB-Eire
- Link Etc/GMT GMT+0
-diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
-index fc148537f1f..b3823958ae4 100644
---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
-+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
-@@ -163,11 +163,9 @@ Europe/Simferopol MSK
- Europe/Sofia EET EEST
- Europe/Tallinn EET EEST
- Europe/Tirane CET CEST
--Europe/Uzhgorod EET EEST
- Europe/Vienna CET CEST
- Europe/Vilnius EET EEST
- Europe/Warsaw CET CEST
--Europe/Zaporozhye EET EEST
- Europe/Zurich CET CEST
- HST HST
- MET MET MEST
-diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
-index 7b50c342a0d..a7d14f1aa21 100644
---- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
-+++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
-@@ -176,11 +176,12 @@ public class TestZoneInfo310 {
- * save time in IANA tzdata. This bug is tracked via JDK-8223388.
- *
- * These are the zones/rules that employ negative DST in vanguard
-- * format (as of 2019a):
-+ * format (as of 2019a), Palestine added in 2022d:
- *
- * - Rule "Eire"
- * - Rule "Morocco"
- * - Rule "Namibia"
-+ * - Rule "Palestine"
- * - Zone "Europe/Prague"
- *
- * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
-@@ -196,6 +197,8 @@ public class TestZoneInfo310 {
- zid.equals("Europe/Dublin") || // uses "Eire" rule
- zid.equals("Europe/Prague") ||
- zid.equals("Asia/Tehran") || // last rule mismatch
-+ zid.equals("Asia/Gaza") || // uses "Palestine" rule
-+ zid.equals("Asia/Hebron") || // uses "Palestine" rule
- zid.equals("Iran")) { // last rule mismatch
- continue;
- }
diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch
deleted file mode 100644
index 8ffd2ee..0000000
--- a/jdk8295173-tzdata2022e.patch
+++ /dev/null
@@ -1,420 +0,0 @@
-commit d159a377e0243bd2c80593689fd7cd20b2b578f7
-Author: duke <duke(a)openjdk.org>
-Date: Fri Oct 14 03:37:19 2022 +0000
-
- Backport 21407dec0156301871a83328615e4d975c4287c4
-
-diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
-index 889d0e6dad7..b8cb36e69f4 100644
---- a/make/data/tzdata/VERSION
-+++ b/make/data/tzdata/VERSION
-@@ -21,4 +21,4 @@
- # or visit www.oracle.com if you need additional information or have any
- # questions.
- #
--tzdata2022d
-+tzdata2022e
-diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
-index f9df7432947..5b2337fd0b6 100644
---- a/make/data/tzdata/asia
-+++ b/make/data/tzdata/asia
-@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
- # From the Arabic version, it seems to say it would be at midnight
- # (assume 24:00) on the last Thursday in February, starting from 2022.
-
-+# From Issam Al-Zuwairi (2022-10-05):
-+# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
-+# that daylight saving time (DST) will be throughout the year....
-+#
-+# From Brian Inglis (2022-10-06):
-+# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
-+#
-+# From Paul Eggert (2022-10-05):
-+# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
-+# (non-DST) at the point where DST would otherwise have ended.
-+
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
- Rule Jordan 1973 only - Jun 6 0:00 1:00 S
- Rule Jordan 1973 1975 - Oct 1 0:00 0 -
-@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
- Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
- Rule Jordan 2013 only - Dec 20 0:00 0 -
- Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
--Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
--Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
-+Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
-+Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Amman 2:23:44 - LMT 1931
-- 2:00 Jordan EE%sT
-+ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
-+ 3:00 - +03
-
-
- # Kazakhstan
-@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
- # Our brief summary:
- # https://www.timeanddate.com/news/time/syria-dst-2012.html
-
--# From Arthur David Olson (2012-03-27):
--# Assume last Friday in March going forward XXX.
-+# From Steffen Thorsen (2022-10-05):
-+# Syria is adopting year-round DST, starting this autumn....
-+# From https://www.enabbaladi.net/archives/607812
-+# "This [the decision] came after the weekly government meeting today,
-+# Tuesday 4 October ..."
-+#
-+# From Paul Eggert (2022-10-05):
-+# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
-+# (non-DST) at the point where DST would otherwise have ended.
-
- Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
- Rule Syria 2008 only - Nov 1 0:00 0 -
- Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
- Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
--Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
--Rule Syria 2009 max - Oct lastFri 0:00 0 -
-+Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
-+Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
-- 2:00 Syria EE%sT
-+ 2:00 Syria EE%sT 2022 Oct 28 0:00
-+ 3:00 - +03
-
- # Tajikistan
- # From Shanks & Pottenger.
-diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
-index accc845dbaf..2832c4b9763 100644
---- a/make/data/tzdata/europe
-+++ b/make/data/tzdata/europe
-@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
- 0:00 Spain WE%sT 1940 Mar 16 23:00
- 1:00 Spain CE%sT 1979
- 1:00 EU CE%sT
--Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
-+Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
- 0:00 - WET 1918 May 6 23:00
- 0:00 1:00 WEST 1918 Oct 7 23:00
- 0:00 - WET 1924
-diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica
-index 114cef14cce..ce4ee74582c 100644
---- a/make/data/tzdata/northamerica
-+++ b/make/data/tzdata/northamerica
-@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
- Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
- Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
-+Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1920
- -6:00 Chicago C%sT 1936 Mar 1 2:00
- -5:00 - EST 1936 Nov 15 2:00
-@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
- -6:00 Chicago C%sT 1967
- -6:00 US C%sT
- # Oliver County, ND switched from mountain to central time on 1992-10-25.
--Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
-+Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1992 Oct 25 2:00
- -6:00 US C%sT
- # Morton County, ND, switched from mountain to central time on
-@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
- # Jones, Mellette, and Todd Counties in South Dakota;
- # but in practice these other counties were already observing central time.
- # See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
--Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
-+Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 2003 Oct 26 2:00
- -6:00 US C%sT
-
-@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
- # largest city in Mercer County). Google Maps places Beulah's city hall
- # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
-
--Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
-+Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 2010 Nov 7 2:00
- -6:00 US C%sT
-
-@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
- Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
- Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
-+Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1920
- -7:00 Denver M%sT 1942
- -7:00 US M%sT 1946
-@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
- Rule CA 1950 1961 - Sep lastSun 2:00 0 S
- Rule CA 1962 1966 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
-+Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
- -8:00 US P%sT 1946
- -8:00 CA P%sT 1967
- -8:00 US P%sT
-@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
- # Go with the Arizona State Library instead.
-
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
-+Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
- -7:00 US M%sT 1944 Jan 1 0:01
- -7:00 - MST 1944 Apr 1 0:01
- -7:00 US M%sT 1944 Oct 1 0:01
-@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
- # switched four weeks late in 1974.
- #
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
-+Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
- -8:00 US P%sT 1923 May 13 2:00
- -7:00 US M%sT 1974
- -7:00 - MST 1974 Feb 3 2:00
-@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
- Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
- Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
-+Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1920
- -6:00 Indianapolis C%sT 1942
- -6:00 US C%sT 1946
-@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
- Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
- Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
-+Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1951
- -6:00 Marengo C%sT 1961 Apr 30 2:00
- -5:00 - EST 1969
-@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
- Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
- Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
-+Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Vincennes C%sT 1964 Apr 26 2:00
- -5:00 - EST 1969
-@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
- Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
- Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
-+Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Perry C%sT 1964 Apr 26 2:00
- -5:00 - EST 1967 Oct 29 2:00
-@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
- Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
- Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
-+Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1955
- -6:00 Pike C%sT 1965 Apr 25 2:00
- -5:00 - EST 1966 Oct 30 2:00
-@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
- Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
- Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
-+Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1947
- -6:00 Starke C%sT 1962 Apr 29 2:00
- -5:00 - EST 1963 Oct 27 2:00
-@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
- Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
- Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
-+Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 Pulaski C%sT 1961 Apr 30 2:00
- -5:00 - EST 1969
-@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
- #
- # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
-+Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1954 Apr 25 2:00
- -5:00 - EST 1969
- -5:00 US E%sT 1973
-@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
- Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
- Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
--Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
-+Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1921
- -6:00 Louisville C%sT 1942
- -6:00 US C%sT 1946
-@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
- # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
- # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
- #
--Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
-+Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
- -6:00 US C%sT 1946
- -6:00 - CST 1968
- -6:00 US C%sT 2000 Oct 29 2:00
-@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
- # longitude they are located at.
-
- # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
-+Rule Mexico 1931 only - May 1 23:00 1:00 D
-+Rule Mexico 1931 only - Oct 1 0:00 0 S
- Rule Mexico 1939 only - Feb 5 0:00 1:00 D
- Rule Mexico 1939 only - Jun 25 0:00 0 S
- Rule Mexico 1940 only - Dec 9 0:00 1:00 D
-@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
- Rule Mexico 2002 max - Oct lastSun 2:00 0 S
- # Zone NAME STDOFF RULES FORMAT [UNTIL]
- # Quintana Roo; represented by Cancún
--Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
-+Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1981 Dec 23
- -5:00 Mexico E%sT 1998 Aug 2 2:00
- -6:00 Mexico C%sT 2015 Feb 1 2:00
- -5:00 - EST
- # Campeche, Yucatán; represented by Mérida
--Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
-+Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1981 Dec 23
- -5:00 - EST 1982 Dec 2
- -6:00 Mexico C%sT
-@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
- # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
- # 2016-03-12
- # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-hor…
--Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
-+Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1988
- -6:00 US C%sT 1989
- -6:00 Mexico C%sT 2010
- -6:00 US C%sT
- # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
--Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
-+Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
- -6:00 - CST 1988
- -6:00 US C%sT 1989
- -6:00 Mexico C%sT
- # Central Mexico
--Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
-+Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 Mexico C%sT 2001 Sep 30 2:00
- -6:00 - CST 2002 Feb 20
- -6:00 Mexico C%sT
-@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
- # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
- # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
- # (See the 2016-03-12 El Universal source mentioned above.)
--Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
-+Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1996
- -6:00 Mexico C%sT 1998
- -6:00 - CST 1998 Apr Sun>=1 3:00
- -7:00 Mexico M%sT 2010
- -7:00 US M%sT
- # Chihuahua (away from US border)
--Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
-+Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1996
- -6:00 Mexico C%sT 1998
- -6:00 - CST 1998 Apr Sun>=1 3:00
- -7:00 Mexico M%sT
- # Sonora
--Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
-+Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
-@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
- # Use "Bahia_Banderas" to keep the name to fourteen characters.
-
- # Mazatlán
--Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
-+Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
- -7:00 Mexico M%sT
-
- # Bahía de Banderas
--Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
-+Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1927 Jun 10 23:00
- -6:00 - CST 1930 Nov 15
-- -7:00 - MST 1931 May 1 23:00
-- -6:00 - CST 1931 Oct
-- -7:00 - MST 1932 Apr 1
-+ -7:00 Mexico M%sT 1932 Apr 1
- -6:00 - CST 1942 Apr 24
- -7:00 - MST 1949 Jan 14
- -8:00 - PST 1970
-@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
- -6:00 Mexico C%sT
-
- # Baja California
--Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
-+Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
- -7:00 - MST 1924
- -8:00 - PST 1927 Jun 10 23:00
- -7:00 - MST 1930 Nov 15
-diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
-index 71470168456..0cad939008f 100644
---- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
-+++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
-@@ -1 +1 @@
--tzdata2022d
-+tzdata2022e
-diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
-index b3823958ae4..2f2786f1c69 100644
---- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
-+++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
-@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
- America/Yakutat AKST AKDT
- America/Yellowknife MST MDT
- Antarctica/Macquarie AEST AEDT
--Asia/Amman EET EEST
- Asia/Beirut EET EEST
--Asia/Damascus EET EEST
- Asia/Famagusta EET EEST
- Asia/Gaza EET EEST
- Asia/Hebron EET EEST
diff --git a/sources b/sources
index e7c6383..a4137ba 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.5+8.tar.xz) = 1acbda948374d7834347c9b98cfc25a7db24a5656e4466792831015158bdf24026a35a2cdbb8993c09e906a5f305b9e7749fa36b4dae3e75800a8976a2cb2b82
+SHA512 (openjdk-jdk17u-jdk-17.0.6+1.tar.xz) = eceba28c43d2b5b3172df828faca2a8068067d133a14ca003978bae6405c0ac00d34dafa0f1b123049b13df1555b1b38af0ae89969ac927c1a2a441ed0b3febc
commit c0f97cd3e33641d659af543f4a57e74a7bcfb099
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Wed Oct 19 21:21:26 2022 +0100
Update to jdk-17.0.5+8 (GA)
Update release notes to 17.0.5+8 (GA)
Switch to GA mode for final release.
The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
Remove freetype sources along with zlib sources
diff --git a/.gitignore b/.gitignore
index 8a7b642..daec806 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@
/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
/openjdk-jdk17u-jdk-17.0.5+1.tar.xz
/openjdk-jdk17u-jdk-17.0.5+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.5+8.tar.xz
diff --git a/NEWS b/NEWS
index 277319c..f611a71 100644
--- a/NEWS
+++ b/NEWS
@@ -7,8 +7,22 @@ New in release OpenJDK 17.0.5 (2022-10-18):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk1705
- * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.html
+* Security fixes
+ - JDK-8282252: Improve BigInteger/Decimal validation
+ - JDK-8285662: Better permission resolution
+ - JDK-8286077, CVE-2022-21618: Wider MultiByte conversions
+ - JDK-8286511: Improve macro allocation
+ - JDK-8286519: Better memory handling
+ - JDK-8286526, CVE-2022-21619: Improve NTLM support
+ - JDK-8286910, CVE-2022-21624: Improve JNDI lookups
+ - JDK-8286918, CVE-2022-21628: Better HttpServer service
+ - JDK-8287446: Enhance icon presentations
+ - JDK-8288508: Enhance ECDSA usage
+ - JDK-8289366, CVE-2022-39399: Improve HTTP/2 client usage
+ - JDK-8289853: Update HarfBuzz to 4.4.1
+ - JDK-8290334: Update FreeType to 2.12.1
* Other changes
- JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
- JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
@@ -211,7 +225,6 @@ Live versions of these release notes can be found at:
- JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
- JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
- JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
- - JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
- JDK-8289910: unify os::message_box across posix platforms
- JDK-8290000: Bump macOS GitHub actions to macOS 11
@@ -219,12 +232,12 @@ Live versions of these release notes can be found at:
- JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
- JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
- JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
- - JDK-8290334: Update FreeType to 2.12.1
- JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
- JDK-8290456: remove os::print_statistics()
- JDK-8291595: [17u] Delete files missed in backport of 8269039
- JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr
- JDK-8292579: (tz) Update Timezone Data to 2022c
+ - JDK-8295056: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.5
Notes on individual issues:
===========================
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 1dcf98c..6fc0908 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -368,8 +368,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 2
+%global buildver 8
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -395,7 +395,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
%if %{is_ga}
%global build_type GA
%global ea_designator ""
@@ -1985,7 +1985,9 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
- if [ "x${link_opt}" = "xbundled" ] ; then
+ # This must be set using the global, so that the
+ # static libraries still use a dynamic stdc++lib
+ if [ "x%{link_type}" = "xbundled" ] ; then
libc_link_opt="static";
else
libc_link_opt="dynamic";
@@ -2002,6 +2004,10 @@ function buildjdk() {
mkdir -p ${outputdir}
pushd ${outputdir}
+ # Note: zlib and freetype use %{link_type}
+ # rather than ${link_opt} as the system versions
+ # are always used in a system_libs build, even
+ # for the static library build
bash ${top_dir_abs_src_path}/configure \
%ifarch %{zero_arches}
--with-jvm-variants=zero \
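Review bot: The added comment names the macro as `%{link_type}` without escaping it, so rpm will expand it inside the comment and the generated build script will show the macro's value instead of its name. The release comment above `is_ga` in this same spec escapes macros in comments as `%%{?extraver}`, so for consistency the new line should read `# Note: zlib and freetype use %%{link_type}`. The expansion is harmless for a single-word value, but the comment then no longer says what the author meant. The `buildjdk` function and the `configure` invocation continue outside this hunk.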
@@ -2022,8 +2028,8 @@ function buildjdk() {
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=${link_opt} \
- --with-freetype=${link_opt} \
+ --with-zlib=%{link_type} \
+ --with-freetype=%{link_type} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
@@ -2681,6 +2687,13 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Oct 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.8-1
+- Update to jdk-17.0.5+8 (GA)
+- Update release notes to 17.0.5+8 (GA)
+- Switch to GA mode for final release.
+- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
+- Remove freetype sources along with zlib sources
+
* Fri Oct 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.7-0.2.ea
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Update CLDR data with Europe/Kyiv (JDK-8293834)
diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh
index e999c7e..25c2fc8 100644
--- a/remove-intree-libraries.sh
+++ b/remove-intree-libraries.sh
@@ -5,6 +5,7 @@ TREE=${1}
TYPE=${2}
ZIP_SRC=src/java.base/share/native/libzip/zlib/
+FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@@ -31,15 +32,21 @@ cd ${TREE}
echo "Removing built-in libs (they will be linked)"
-# On full runs, allow for zlib having already been deleted by minimal
+# On full runs, allow for zlib & freetype having already been deleted by minimal
echo "Removing zlib"
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${ZIP_SRC}
+echo "Removing freetype"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
+ echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${FREETYPE_SRC}
-# Minimal is limited to just zlib so finish here
+# Minimal is limited to just zlib and freetype so finish here
if test "x${TYPE}" = "xminimal"; then
echo "Finished.";
exit 0;
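Review bot: The new freetype block expands `${FREETYPE_SRC}` unquoted in both the `-d` test and the `rm -rvf`, and it joins the two conditions with the obsolescent `-a` operator of `[`. It mirrors the existing zlib block, but for a script that deletes directories recursively the safer form is `if [ "x${TYPE}" = "xminimal" ] && [ ! -d "${FREETYPE_SRC}" ]; then` followed by `rm -rvf "${FREETYPE_SRC}"`. The path is relative to the `cd ${TREE}` shown in the hunk header, so it is worth confirming that the script aborts when that `cd` fails; that part of the file is outside this hunk.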
diff --git a/sources b/sources
index d0a250a..e7c6383 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.5+7.tar.xz) = 43eb77ba56756748ce39e245824ca7d68c7cfe01fd4e72599e1b73f85bd522beadb3651029457c2b6dbb0080daf3d0550350929090e36fce8fc7892163222bc7
+SHA512 (openjdk-jdk17u-jdk-17.0.5+8.tar.xz) = 1acbda948374d7834347c9b98cfc25a7db24a5656e4466792831015158bdf24026a35a2cdbb8993c09e906a5f305b9e7749fa36b4dae3e75800a8976a2cb2b82
commit 48de3d829af74724145d4561d610479f8eddb7f4
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Fri Oct 14 18:51:06 2022 +0100
Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
Update CLDR data with Europe/Kyiv (JDK-8293834)
Drop JDK-8292223 patch which we found to be unnecessary
Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
diff --git a/TestTranslations.java b/TestTranslations.java
index cf83303..dbea417 100644
--- a/TestTranslations.java
+++ b/TestTranslations.java
@@ -15,20 +15,125 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+import java.text.DateFormatSymbols;
+
+import java.time.ZoneId;
+import java.time.format.TextStyle;
+
import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
import java.util.Locale;
-import java.util.ResourceBundle;
-
-import sun.util.resources.LocaleData;
-import sun.util.locale.provider.LocaleProviderAdapter;
+import java.util.Objects;
+import java.util.TimeZone;
public class TestTranslations {
+
+ private static Map<Locale,String[]> KYIV;
+
+ static {
+ Map<Locale,String[]> map = new HashMap<Locale,String[]>();
+ map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
+ "Eastern European Summer Time", "GMT+03:00", "EEST",
+ "Eastern European Time", "GMT+02:00", "EET"});
+ map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
+ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
+ "heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
+ map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
+ "Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
+ "Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
+ KYIV = Collections.unmodifiableMap(map);
+ }
+
+
public static void main(String[] args) {
- for (String zone : args) {
- System.out.printf("Translations for %s\n", zone);
- for (Locale l : Locale.getAvailableLocales()) {
- ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l);
- System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
+ if (args.length < 1) {
+ System.err.println("Test must be started with the name of the locale provider.");
+ System.exit(1);
+ }
+
+ String localeProvider = args[0];
+ System.out.println("Checking sanity of full zone string set...");
+ boolean invalid = Arrays.stream(Locale.getAvailableLocales())
+ .peek(l -> System.out.println("Locale: " + l))
+ .map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
+ .flatMap(zs -> Arrays.stream(zs))
+ .flatMap(names -> Arrays.stream(names))
+ .filter(name -> Objects.isNull(name) || name.isEmpty())
+ .findAny()
+ .isPresent();
+ if (invalid) {
+ System.err.println("Zone string for a locale returned null or empty string");
+ System.exit(2);
+ }
+
+ for (Locale l : KYIV.keySet()) {
+ String[] expected = KYIV.get(l);
+ for (String id : new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" }) {
+ String expectedShortStd = null;
+ String expectedShortDST = null;
+ String expectedShortGen = null;
+
+ System.out.printf("Checking locale %s for %s...\n", l, id);
+
+ if ("JRE".equals(localeProvider)) {
+ expectedShortStd = expected[2];
+ expectedShortDST = expected[5];
+ expectedShortGen = expected[8];
+ } else if ("CLDR".equals(localeProvider)) {
+ expectedShortStd = expected[1];
+ expectedShortDST = expected[4];
+ expectedShortGen = expected[7];
+ } else {
+ System.err.printf("Invalid locale provider %s\n", localeProvider);
+ System.exit(3);
+ }
+ System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
+ localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
+
+ String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
+ String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
+ String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
+ String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
+ String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
+ String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
+
+ if (!expected[0].equals(longStd)) {
+ System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+ id, l, longStd, expected[0]);
+ System.exit(4);
+ }
+
+ if (!expectedShortStd.equals(shortStd)) {
+ System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
+ id, l, shortStd, expectedShortStd);
+ System.exit(5);
+ }
+
+ if (!expected[3].equals(longDST)) {
+ System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
+ id, l, longDST, expected[3]);
+ System.exit(6);
+ }
+
+ if (!expectedShortDST.equals(shortDST)) {
+ System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
+ id, l, shortDST, expectedShortDST);
+ System.exit(7);
+ }
+
+ if (!expected[6].equals(longGen)) {
+ System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
+ id, l, longGen, expected[6]);
+ System.exit(8);
+ }
+
+ if (!expectedShortGen.equals(shortGen)) {
+ System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
+ id, l, shortGen, expectedShortGen);
+ System.exit(9);
+ }
}
}
}
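Review bot: The failure message for exit code 8 says "Long standard display name" although the value compared there is `longGen`, so a generic-name mismatch would be reported as a standard-name one; it should read `"Long generic display name for %s in %s was %s, expected %s\n"`. The locale-provider argument is also validated inside the innermost loop on every iteration; checking it once right after `String localeProvider = args[0];` would reject a bad argument before the full zone-string scan runs. `KYIV` is assigned only in the static initializer and could be declared `private static final`.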
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a424c92..1dcf98c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -369,7 +369,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1160,8 +1160,9 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-# 2022a required as of JDK-8283350 in 17.0.4
-Requires: tzdata-java >= 2022a
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+Requires: tzdata-java >= 2022d
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1378,8 +1379,6 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
-# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
-Patch7: jdk8292223-tzdata2022b-kyiv.patch
# Crypto policy and FIPS support patches
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
@@ -1417,6 +1416,18 @@ Patch1001: fips-17u-%{fipsver}.patch
#
#############################################
+#############################################
+#
+# OpenJDK patches targetted for 17.0.6
+#
+#############################################
+# JDK-8293834: Update CLDR data following tzdata 2022c update
+Patch2001: jdk8293834-kyiv_cldr_update.patch
+# JDK-8294357: (tz) Update Timezone Data to 2022d
+Patch2002: jdk8294357-tzdata2022d.patch
+# JDK-8295173: (tz) Update Timezone Data to 2022e
+Patch2003: jdk8295173-tzdata2022e.patch
+
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: alsa-lib-devel
@@ -1449,8 +1460,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-# 2022a required as of JDK-8283350 in 17.0.4
-BuildRequires: tzdata-java >= 2022a
+# 2022d required as of JDK-8294357
+# Should be bumped to 2022e once available (JDK-8295173)
+BuildRequires: tzdata-java >= 2022d
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1844,11 +1856,14 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch6 -p1
-%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
+# tzdata updates targetted for 17.0.6
+%patch2001 -p1
+%patch2002 -p1
+%patch2003 -p1
popd # openjdk
%patch600
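Review bot: The context comment on `%patch1000` still says it "must come last as it also alters java.security", but this hunk now applies `%patch2001` to `%patch2003` after it. Judging by their names the tzdata patches do not touch java.security, so the ordering is probably fine, but the comment should be reworded to state the real constraint, for example `# nss.cfg PKCS11 support; must come after the FIPS patch as it also alters java.security`. The new comment also spells "targetted"; the usual spelling is "targeted", and the same typo appears in the Patch2001 block header added earlier in this file.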
@@ -2395,12 +2410,9 @@ $JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
# Check translations are available for new timezones
-$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \
- --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
- -d . %{SOURCE18}
-$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
- --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
- $(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
+$JAVA_HOME/bin/javac -d . %{SOURCE18}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
+$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
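Review bot: The first `java` invocation passes `JRE` but sets no `-Djava.locale.providers`, so that run uses whatever provider order the JDK defaults to, and the argument only selects which expected short names TestTranslations compares against. A comment above the two runs would make that explicit, e.g. `# First run uses the default provider order; the argument selects the expected short names`. The `$(echo $(basename %{SOURCE18})|sed "s|\.java||")` expression is now repeated for both runs and could be computed once into a shell variable.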
@@ -2669,6 +2681,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Oct 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.7-0.2.ea
+- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
+- Update CLDR data with Europe/Kyiv (JDK-8293834)
+- Drop JDK-8292223 patch which we found to be unnecessary
+- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
+
* Tue Oct 04 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.7-0.1.ea
- Update to jdk-17.0.5+7
- Update release notes to 17.0.5+7
diff --git a/jdk8292223-tzdata2022b-kyiv.patch b/jdk8292223-tzdata2022b-kyiv.patch
deleted file mode 100644
index 1107b82..0000000
--- a/jdk8292223-tzdata2022b-kyiv.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
-index 8759aab3995..11ccbf73839 100644
---- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
-+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
-@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
- {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00",
- "Kirov Daylight Time", "GMT+03:00",
- "Kirov Time", "GMT+03:00"}},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
-index f007c1a8d3b..617268e4cf3 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
-index 386414e16e6..14c5d89b9c5 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
-index d23f5fd49e6..44117125619 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
-index b4f57d4568c..efa818f3865 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
-index 1a10a9f96dc..7c0565461ad 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
-index 9a2d9e5c57c..8a2c805997f 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
-index de5e5c82daa..e3c06417f09 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
-index b53de4d8c89..3e46b6a063e 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
-index 7797cda19d5..590908409a8 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
-@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
-diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
-index 2cd10554853..23c5f180b6d 100644
---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
-+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
-@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
- {"Europe/Jersey", GMTBST},
- {"Europe/Kaliningrad", EET},
- {"Europe/Kiev", EET},
-+ {"Europe/Kyiv", EET},
- {"Europe/Lisbon", WET},
- {"Europe/Ljubljana", CET},
- {"Europe/London", GMTBST},
diff --git a/jdk8293834-kyiv_cldr_update.patch b/jdk8293834-kyiv_cldr_update.patch
new file mode 100644
index 0000000..b8dda24
--- /dev/null
+++ b/jdk8293834-kyiv_cldr_update.patch
@@ -0,0 +1,51 @@
+diff --git a/make/data/cldr/common/bcp47/timezone.xml b/make/data/cldr/common/bcp47/timezone.xml
+index 41ff6d236c8..e703020dcdd 100644
+--- a/make/data/cldr/common/bcp47/timezone.xml
++++ b/make/data/cldr/common/bcp47/timezone.xml
+@@ -393,7 +393,7 @@ For terms of use, see http://www.unicode.org/copyright.html
+ <type name="tvfun" description="Funafuti, Tuvalu" alias="Pacific/Funafuti"/>
+ <type name="twtpe" description="Taipei, Taiwan" alias="Asia/Taipei ROC"/>
+ <type name="tzdar" description="Dar es Salaam, Tanzania" alias="Africa/Dar_es_Salaam"/>
+- <type name="uaiev" description="Kiev, Ukraine" alias="Europe/Kiev"/>
++ <type name="uaiev" description="Kyiv, Ukraine" alias="Europe/Kiev Europe/Kyiv"/>
+ <type name="uaozh" description="Zaporizhia (Zaporozhye), Ukraine" alias="Europe/Zaporozhye"/>
+ <type name="uasip" description="Simferopol, Ukraine" alias="Europe/Simferopol"/>
+ <type name="uauzh" description="Uzhhorod (Uzhgorod), Ukraine" alias="Europe/Uzhgorod"/>
+diff --git a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+index eb56c087ad6..e398af3c151 100644
+--- a/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
++++ b/test/jdk/sun/util/resources/cldr/TimeZoneNamesTest.java
+@@ -23,7 +23,7 @@
+
+ /*
+ * @test
+- * @bug 8181157 8202537 8234347 8236548 8261279
++ * @bug 8181157 8202537 8234347 8236548 8261279 8293834
+ * @modules jdk.localedata
+ * @summary Checks CLDR time zone names are generated correctly at runtime
+ * @run testng/othervm -Djava.locale.providers=CLDR TimeZoneNamesTest
+@@ -102,6 +102,24 @@ public class TimeZoneNamesTest {
+ "UTC+04:00",
+ "heure : Astrakhan",
+ "UTC+04:00"},
++ {"Europe/Kyiv", Locale.US, "Eastern European Standard Time",
++ "GMT+02:00",
++ "Eastern European Summer Time",
++ "GMT+03:00",
++ "Eastern European Time",
++ "GMT+02:00"},
++ {"Europe/Kyiv", Locale.FRANCE, "heure normale d\u2019Europe de l\u2019Est",
++ "UTC+02:00",
++ "heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est",
++ "UTC+03:00",
++ "heure d\u2019Europe de l\u2019Est",
++ "UTC+02:00"},
++ {"Europe/Kyiv", Locale.GERMANY, "Osteurop\u00e4ische Normalzeit",
++ "OEZ",
++ "Osteurop\u00e4ische Sommerzeit",
++ "OESZ",
++ "Osteurop\u00e4ische Zeit",
++ "OEZ"},
+ {"Europe/Saratov", Locale.US, "Saratov Standard Time",
+ "GMT+04:00",
+ "Saratov Daylight Time",
diff --git a/jdk8294357-tzdata2022d.patch b/jdk8294357-tzdata2022d.patch
new file mode 100644
index 0000000..9eb6727
--- /dev/null
+++ b/jdk8294357-tzdata2022d.patch
@@ -0,0 +1,303 @@
+commit 3d93fdc583ed1c03ecf355b64d41c5f5fe4c07ce
+Author: Goetz Lindenmaier <goetz(a)openjdk.org>
+Date: Wed Oct 5 07:13:43 2022 +0000
+
+ 8294357: (tz) Update Timezone Data to 2022d
+
+ Backport-of: f01573368f905f27d26f1d07d9cfd26dcc736a54
+
+diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
+index decb8716b22..889d0e6dad7 100644
+--- a/make/data/tzdata/VERSION
++++ b/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022c
++tzdata2022d
+diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
+index 3a150b0f36b..f9df7432947 100644
+--- a/make/data/tzdata/asia
++++ b/make/data/tzdata/asia
+@@ -3398,10 +3398,6 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # The winter time in 2015 started on October 23 at 01:00.
+ # https://wafa.ps/ar_page.aspx?id=CgpCdYa670694628582aCgpCdY
+ # http://www.palestinecabinet.gov.ps/portal/meeting/details/27583
+-#
+-# From Paul Eggert (2019-04-10):
+-# For now, guess spring-ahead transitions are at 00:00 on the Saturday
+-# preceding March's last Sunday (i.e., Sat>=24).
+
+ # From P Chan (2021-10-18):
+ # http://wafa.ps/Pages/Details/34701
+@@ -3418,6 +3414,18 @@ Zone Asia/Karachi 4:28:12 - LMT 1907
+ # From Heba Hamad (2022-03-10):
+ # summer time will begin in Palestine from Sunday 03-27-2022, 00:00 AM.
+
++# From Heba Hamad (2022-08-30):
++# winter time will begin in Palestine from Saturday 10-29, 02:00 AM by
++# 60 minutes backwards. Also the state of Palestine adopted the summer
++# and winter time for the years: 2023,2024,2025,2026 ...
++# https://mm.icann.org/pipermail/tz/attachments/20220830/9f024566/Time-0001.p…
++# (2022-08-31): ... the Saturday before the last Sunday in March and October
++# at 2:00 AM ,for the years from 2023 to 2026.
++# (2022-09-05): https://mtit.pna.ps/Site/New/1453
++#
++# From Paul Eggert (2022-08-31):
++# For now, assume that this rule will also be used after 2026.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule EgyptAsia 1957 only - May 10 0:00 1:00 S
+ Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 -
+@@ -3448,14 +3456,16 @@ Rule Palestine 2013 only - Sep 27 0:00 0 -
+ Rule Palestine 2014 only - Oct 24 0:00 0 -
+ Rule Palestine 2015 only - Mar 28 0:00 1:00 S
+ Rule Palestine 2015 only - Oct 23 1:00 0 -
+-Rule Palestine 2016 2018 - Mar Sat>=24 1:00 1:00 S
+-Rule Palestine 2016 2018 - Oct Sat>=24 1:00 0 -
++Rule Palestine 2016 2018 - Mar Sat<=30 1:00 1:00 S
++Rule Palestine 2016 2018 - Oct Sat<=30 1:00 0 -
+ Rule Palestine 2019 only - Mar 29 0:00 1:00 S
+-Rule Palestine 2019 only - Oct Sat>=24 0:00 0 -
+-Rule Palestine 2020 2021 - Mar Sat>=24 0:00 1:00 S
++Rule Palestine 2019 only - Oct Sat<=30 0:00 0 -
++Rule Palestine 2020 2021 - Mar Sat<=30 0:00 1:00 S
+ Rule Palestine 2020 only - Oct 24 1:00 0 -
+-Rule Palestine 2021 max - Oct Fri>=23 1:00 0 -
+-Rule Palestine 2022 max - Mar Sun>=25 0:00 1:00 S
++Rule Palestine 2021 only - Oct 29 1:00 0 -
++Rule Palestine 2022 only - Mar 27 0:00 1:00 S
++Rule Palestine 2022 max - Oct Sat<=30 2:00 0 -
++Rule Palestine 2023 max - Mar Sat<=30 2:00 1:00 S
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Gaza 2:17:52 - LMT 1900 Oct
+diff --git a/make/data/tzdata/backward b/make/data/tzdata/backward
+index d4a29e8cf29..7765d99aedf 100644
+--- a/make/data/tzdata/backward
++++ b/make/data/tzdata/backward
+@@ -113,6 +113,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
+index 879b5337536..accc845dbaf 100644
+--- a/make/data/tzdata/europe
++++ b/make/data/tzdata/europe
+@@ -2638,10 +2638,14 @@ Zone Europe/Simferopol 2:16:24 - LMT 1880
+ # From Alexander Krivenyshev (2014-03-17):
+ # time change at 2:00 (2am) on March 30, 2014
+ # https://vz.ru/news/2014/3/17/677464.html
+-# From Paul Eggert (2014-03-30):
+-# Simferopol and Sevastopol reportedly changed their central town clocks
+-# late the previous day, but this appears to have been ceremonial
+-# and the discrepancies are small enough to not worry about.
++# From Tim Parenti (2022-07-01), per Paul Eggert (2014-03-30):
++# The clocks at the railway station in Simferopol were put forward from 22:00
++# to 24:00 the previous day in a "symbolic ceremony"; however, per
++# contemporaneous news reports, "ordinary Crimeans [made] the daylight savings
++# time switch at 2am" on Sunday.
++# https://www.business-standard.com/article/pti-stories/crimea-to-set-clocks-…
++# https://www.reuters.com/article/us-ukraine-crisis-crimea-time/crimea-switch…
++# https://www.bbc.com/news/av/world-europe-26806583
+ 2:00 EU EE%sT 2014 Mar 30 2:00
+ 4:00 - MSK 2014 Oct 26 2:00s
+ 3:00 - MSK
+@@ -3774,8 +3778,8 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # US colleague David Cochrane) are still trying to get more
+ # information upon these local deviations from Kiev rules.
+ #
+-# From Paul Eggert (2022-02-08):
+-# For now, assume that Ukraine's other three zones followed the same rules,
++# From Paul Eggert (2022-08-27):
++# For now, assume that Ukraine's zones all followed the same rules,
+ # except that Crimea switched to Moscow time in 1994 as described elsewhere.
+
+ # From Igor Karpov, who works for the Ukrainian Ministry of Justice,
+@@ -3845,21 +3849,7 @@ Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents.
+ # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
+ # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
+
+-# From Paul Eggert (2022-04-12):
+-# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+-# In particular, tzdb's name Europe/Kyiv uses the most common spelling in
+-# English for Ukraine's capital. Although tzdb's former name was Europe/Kiev,
+-# "Kyiv" is now more common due to widespread reporting of the current conflict.
+-# Conversely, tzdb continues to use the names Europe/Uzhgorod and
+-# Europe/Zaporozhye; this is similar to tzdb's use of Europe/Prague, which is
+-# certainly wrong as a transliteration of the Czech "Praha".
+-# English-language spelling of Ukrainian names is in flux, and
+-# some day "Uzhhorod" or "Zaporizhzhia" may become substantially more
+-# common in English; in the meantime, do not change these
+-# English spellings as that means less disruption for our users.
+-
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-# This represents most of Ukraine. See above for the spelling of "Kyiv".
+ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:02:04 - KMT 1924 May 2 # Kyiv Mean Time
+ 2:00 - EET 1930 Jun 21
+@@ -3869,34 +3859,6 @@ Zone Europe/Kyiv 2:02:04 - LMT 1880
+ 2:00 1:00 EEST 1991 Sep 29 3:00
+ 2:00 C-Eur EE%sT 1996 May 13
+ 2:00 EU EE%sT
+-# Transcarpathia used CET 1990/1991.
+-# "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but
+-# "Uzhgorod" is more common in English.
+-Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct
+- 1:00 - CET 1940
+- 1:00 C-Eur CE%sT 1944 Oct
+- 1:00 1:00 CEST 1944 Oct 26
+- 1:00 - CET 1945 Jun 29
+- 3:00 Russia MSK/MSD 1990
+- 3:00 - MSK 1990 Jul 1 2:00
+- 1:00 - CET 1991 Mar 31 3:00
+- 2:00 - EET 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+-# Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
+-# "Zaporizhzhia" is the transliteration of the Ukrainian name, but
+-# "Zaporozh'ye" is more common in English. Use the common English
+-# spelling, except omit the apostrophe as it is not allowed in
+-# portable Posix file names.
+-Zone Europe/Zaporozhye 2:20:40 - LMT 1880
+- 2:20 - +0220 1924 May 2
+- 2:00 - EET 1930 Jun 21
+- 3:00 - MSK 1941 Aug 25
+- 1:00 C-Eur CE%sT 1943 Oct 25
+- 3:00 Russia MSK/MSD 1991 Mar 31 2:00
+- 2:00 E-Eur EE%sT 1992 Mar 20
+- 2:00 C-Eur EE%sT 1996 May 13
+- 2:00 EU EE%sT
+
+ # Vatican City
+ # See Europe/Rome.
+diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica
+index 13ec081c7e0..3c0e0e2061c 100644
+--- a/make/data/tzdata/southamerica
++++ b/make/data/tzdata/southamerica
+@@ -1332,8 +1332,14 @@ Zone America/Rio_Branco -4:31:12 - LMT 1914
+ # for America/Santiago will start on midnight of September 11th;
+ # and will end on April 1st, 2023. Magallanes region (America/Punta_Arenas)
+ # will keep UTC -3 "indefinitely"... This is because on September 4th
+-# we will have a voting whether to approve a new Constitution....
+-# https://www.interior.gob.cl/noticias/2022/08/09/comunicado-el-proximo-sabad…
++# we will have a voting whether to approve a new Constitution.
++#
++# From Eduardo Romero Urra (2022-08-17):
++# https://www.diariooficial.interior.gob.cl/publicaciones/2022/08/13/43327/01…
++#
++# From Paul Eggert (2022-08-17):
++# Although the presidential decree stops at fall 2026, assume that
++# similar DST rules will continue thereafter.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Chile 1927 1931 - Sep 1 0:00 1:00 -
+diff --git a/make/data/tzdata/zone.tab b/make/data/tzdata/zone.tab
+index 51b65fa273c..ee025196e50 100644
+--- a/make/data/tzdata/zone.tab
++++ b/make/data/tzdata/zone.tab
+@@ -424,8 +424,6 @@ TV -0831+17913 Pacific/Funafuti
+ TW +2503+12130 Asia/Taipei
+ TZ -0648+03917 Africa/Dar_es_Salaam
+ UA +5026+03031 Europe/Kyiv Ukraine (most areas)
+-UA +4837+02218 Europe/Uzhgorod Transcarpathia
+-UA +4750+03510 Europe/Zaporozhye Zaporozhye and east Lugansk
+ UG +0019+03225 Africa/Kampala
+ UM +2813-17722 Pacific/Midway Midway Islands
+ UM +1917+16637 Pacific/Wake Wake Island
+diff --git a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+index 15c2f0d1275..6f6e190efcd 100644
+--- a/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
++++ b/src/java.base/share/classes/sun/util/calendar/ZoneInfoFile.java
+@@ -574,12 +574,8 @@ public final class ZoneInfoFile {
+ // we can then pass in the dom = -1, dow > 0 into ZoneInfo
+ //
+ // hacking, assume the >=24 is the result of ZRB optimization for
+- // "last", it works for now. From tzdata2020d this hacking
+- // will not work for Asia/Gaza and Asia/Hebron which follow
+- // Palestine DST rules.
+- if (dom < 0 || dom >= 24 &&
+- !(zoneId.equals("Asia/Gaza") ||
+- zoneId.equals("Asia/Hebron"))) {
++ // "last", it works for now.
++ if (dom < 0 || dom >= 24) {
+ params[1] = -1;
+ params[2] = toCalendarDOW[dow];
+ } else {
+@@ -601,7 +597,6 @@ public final class ZoneInfoFile {
+ params[7] = 0;
+ } else {
+ // hacking: see comment above
+- // No need of hacking for Asia/Gaza and Asia/Hebron from tz2021e
+ if (dom < 0 || dom >= 24) {
+ params[6] = -1;
+ params[7] = toCalendarDOW[dow];
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+index c32bee39fba..71470168456 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022c
++tzdata2022d
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+index a5e6428a3f5..e3ce742f887 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/aliases.txt
+@@ -183,6 +183,8 @@ Link Etc/UTC Etc/UCT
+ Link Europe/London Europe/Belfast
+ Link Europe/Kyiv Europe/Kiev
+ Link Europe/Chisinau Europe/Tiraspol
++Link Europe/Kyiv Europe/Uzhgorod
++Link Europe/Kyiv Europe/Zaporozhye
+ Link Europe/London GB
+ Link Europe/London GB-Eire
+ Link Etc/GMT GMT+0
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+index fc148537f1f..b3823958ae4 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -163,11 +163,9 @@ Europe/Simferopol MSK
+ Europe/Sofia EET EEST
+ Europe/Tallinn EET EEST
+ Europe/Tirane CET CEST
+-Europe/Uzhgorod EET EEST
+ Europe/Vienna CET CEST
+ Europe/Vilnius EET EEST
+ Europe/Warsaw CET CEST
+-Europe/Zaporozhye EET EEST
+ Europe/Zurich CET CEST
+ HST HST
+ MET MET MEST
+diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+index 7b50c342a0d..a7d14f1aa21 100644
+--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
++++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java
+@@ -176,11 +176,12 @@ public class TestZoneInfo310 {
+ * save time in IANA tzdata. This bug is tracked via JDK-8223388.
+ *
+ * These are the zones/rules that employ negative DST in vanguard
+- * format (as of 2019a):
++ * format (as of 2019a), Palestine added in 2022d:
+ *
+ * - Rule "Eire"
+ * - Rule "Morocco"
+ * - Rule "Namibia"
++ * - Rule "Palestine"
+ * - Zone "Europe/Prague"
+ *
+ * Tehran/Iran rule has rules beyond 2037, in which javazic assumes
+@@ -196,6 +197,8 @@ public class TestZoneInfo310 {
+ zid.equals("Europe/Dublin") || // uses "Eire" rule
+ zid.equals("Europe/Prague") ||
+ zid.equals("Asia/Tehran") || // last rule mismatch
++ zid.equals("Asia/Gaza") || // uses "Palestine" rule
++ zid.equals("Asia/Hebron") || // uses "Palestine" rule
+ zid.equals("Iran")) { // last rule mismatch
+ continue;
+ }
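Review bot: In the embedded ZoneInfoFile.java change, `if (dom < 0 || dom >= 24) {` now applies the "treat it as the last weekday of the month" shortcut to Asia/Gaza and Asia/Hebron too, while the same patch rewrites the Palestine rules to `Sat<=30`. That is not the last Saturday when a 31-day month ends on a Saturday, and both March and October have 31 days. The TestZoneInfo310 hunk then skips both zones, so a disagreement between the legacy `java.util.TimeZone` data and the `java.time` rules for them would presumably go unnoticed by that test. Its comment also lists "Palestine" under negative-DST rules although the rules shown here carry SAVE values of `1:00` and `0`; a more accurate trailing comment on the two skip lines would be `// "Palestine" rule uses Sat<=30, which the "last <dow>" shortcut only approximates`. The patch is marked as an upstream backport and the touched Java methods start and end outside the hunks shown, so this is a caveat to record alongside the patch rather than a reason to edit it.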
diff --git a/jdk8295173-tzdata2022e.patch b/jdk8295173-tzdata2022e.patch
new file mode 100644
index 0000000..8ffd2ee
--- /dev/null
+++ b/jdk8295173-tzdata2022e.patch
@@ -0,0 +1,420 @@
+commit d159a377e0243bd2c80593689fd7cd20b2b578f7
+Author: duke <duke(a)openjdk.org>
+Date: Fri Oct 14 03:37:19 2022 +0000
+
+ Backport 21407dec0156301871a83328615e4d975c4287c4
+
+diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION
+index 889d0e6dad7..b8cb36e69f4 100644
+--- a/make/data/tzdata/VERSION
++++ b/make/data/tzdata/VERSION
+@@ -21,4 +21,4 @@
+ # or visit www.oracle.com if you need additional information or have any
+ # questions.
+ #
+-tzdata2022d
++tzdata2022e
+diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia
+index f9df7432947..5b2337fd0b6 100644
+--- a/make/data/tzdata/asia
++++ b/make/data/tzdata/asia
+@@ -2254,6 +2254,17 @@ Zone Asia/Tokyo 9:18:59 - LMT 1887 Dec 31 15:00u
+ # From the Arabic version, it seems to say it would be at midnight
+ # (assume 24:00) on the last Thursday in February, starting from 2022.
+
++# From Issam Al-Zuwairi (2022-10-05):
++# The Council of Ministers in Jordan decided Wednesday 5th October 2022,
++# that daylight saving time (DST) will be throughout the year....
++#
++# From Brian Inglis (2022-10-06):
++# https://petra.gov.jo/Include/InnerPage.jsp?ID=45567&lang=en&name=en_news
++#
++# From Paul Eggert (2022-10-05):
++# Like Syria, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
++
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
+ Rule Jordan 1973 only - Jun 6 0:00 1:00 S
+ Rule Jordan 1973 1975 - Oct 1 0:00 0 -
+@@ -2285,11 +2296,12 @@ Rule Jordan 2005 only - Sep lastFri 0:00s 0 -
+ Rule Jordan 2006 2011 - Oct lastFri 0:00s 0 -
+ Rule Jordan 2013 only - Dec 20 0:00 0 -
+ Rule Jordan 2014 2021 - Mar lastThu 24:00 1:00 S
+-Rule Jordan 2014 max - Oct lastFri 0:00s 0 -
+-Rule Jordan 2022 max - Feb lastThu 24:00 1:00 S
++Rule Jordan 2014 2022 - Oct lastFri 0:00s 0 -
++Rule Jordan 2022 only - Feb lastThu 24:00 1:00 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Amman 2:23:44 - LMT 1931
+- 2:00 Jordan EE%sT
++ 2:00 Jordan EE%sT 2022 Oct 28 0:00s
++ 3:00 - +03
+
+
+ # Kazakhstan
+@@ -3838,19 +3850,27 @@ Rule Syria 2007 only - Nov Fri>=1 0:00 0 -
+ # Our brief summary:
+ # https://www.timeanddate.com/news/time/syria-dst-2012.html
+
+-# From Arthur David Olson (2012-03-27):
+-# Assume last Friday in March going forward XXX.
++# From Steffen Thorsen (2022-10-05):
++# Syria is adopting year-round DST, starting this autumn....
++# From https://www.enabbaladi.net/archives/607812
++# "This [the decision] came after the weekly government meeting today,
++# Tuesday 4 October ..."
++#
++# From Paul Eggert (2022-10-05):
++# Like Jordan, model this as a transition from EEST +03 (DST) to plain +03
++# (non-DST) at the point where DST would otherwise have ended.
+
+ Rule Syria 2008 only - Apr Fri>=1 0:00 1:00 S
+ Rule Syria 2008 only - Nov 1 0:00 0 -
+ Rule Syria 2009 only - Mar lastFri 0:00 1:00 S
+ Rule Syria 2010 2011 - Apr Fri>=1 0:00 1:00 S
+-Rule Syria 2012 max - Mar lastFri 0:00 1:00 S
+-Rule Syria 2009 max - Oct lastFri 0:00 0 -
++Rule Syria 2012 2022 - Mar lastFri 0:00 1:00 S
++Rule Syria 2009 2022 - Oct lastFri 0:00 0 -
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ Zone Asia/Damascus 2:25:12 - LMT 1920 # Dimashq
+- 2:00 Syria EE%sT
++ 2:00 Syria EE%sT 2022 Oct 28 0:00
++ 3:00 - +03
+
+ # Tajikistan
+ # From Shanks & Pottenger.
+diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe
+index accc845dbaf..2832c4b9763 100644
+--- a/make/data/tzdata/europe
++++ b/make/data/tzdata/europe
+@@ -3417,7 +3417,7 @@ Zone Europe/Madrid -0:14:44 - LMT 1901 Jan 1 0:00u
+ 0:00 Spain WE%sT 1940 Mar 16 23:00
+ 1:00 Spain CE%sT 1979
+ 1:00 EU CE%sT
+-Zone Africa/Ceuta -0:21:16 - LMT 1900 Dec 31 23:38:44
++Zone Africa/Ceuta -0:21:16 - LMT 1901 Jan 1 0:00u
+ 0:00 - WET 1918 May 6 23:00
+ 0:00 1:00 WEST 1918 Oct 7 23:00
+ 0:00 - WET 1924
+diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica
+index 114cef14cce..ce4ee74582c 100644
+--- a/make/data/tzdata/northamerica
++++ b/make/data/tzdata/northamerica
+@@ -462,7 +462,7 @@ Rule Chicago 1922 1966 - Apr lastSun 2:00 1:00 D
+ Rule Chicago 1922 1954 - Sep lastSun 2:00 0 S
+ Rule Chicago 1955 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
++Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Chicago C%sT 1936 Mar 1 2:00
+ -5:00 - EST 1936 Nov 15 2:00
+@@ -471,7 +471,7 @@ Zone America/Chicago -5:50:36 - LMT 1883 Nov 18 12:09:24
+ -6:00 Chicago C%sT 1967
+ -6:00 US C%sT
+ # Oliver County, ND switched from mountain to central time on 1992-10-25.
+-Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
++Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1992 Oct 25 2:00
+ -6:00 US C%sT
+ # Morton County, ND, switched from mountain to central time on
+@@ -481,7 +481,7 @@ Zone America/North_Dakota/Center -6:45:12 - LMT 1883 Nov 18 12:14:48
+ # Jones, Mellette, and Todd Counties in South Dakota;
+ # but in practice these other counties were already observing central time.
+ # See <http://www.epa.gov/fedrgstr/EPA-IMPACT/2003/October/Day-28/i27056.htm>.
+-Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
++Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2003 Oct 26 2:00
+ -6:00 US C%sT
+
+@@ -498,7 +498,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT 1883 Nov 18 12:14:21
+ # largest city in Mercer County). Google Maps places Beulah's city hall
+ # at 47° 15' 51" N, 101° 46' 40" W, which yields an offset of 6h47'07".
+
+-Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 12:12:53
++Zone America/North_Dakota/Beulah -6:47:07 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 2010 Nov 7 2:00
+ -6:00 US C%sT
+
+@@ -530,7 +530,7 @@ Rule Denver 1921 only - May 22 2:00 0 S
+ Rule Denver 1965 1966 - Apr lastSun 2:00 1:00 D
+ Rule Denver 1965 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
++Zone America/Denver -6:59:56 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1920
+ -7:00 Denver M%sT 1942
+ -7:00 US M%sT 1946
+@@ -583,7 +583,7 @@ Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
+ Rule CA 1950 1961 - Sep lastSun 2:00 0 S
+ Rule CA 1962 1966 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 12:07:02
++Zone America/Los_Angeles -7:52:58 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1946
+ -8:00 CA P%sT 1967
+ -8:00 US P%sT
+@@ -845,7 +845,7 @@ Zone Pacific/Honolulu -10:31:26 - LMT 1896 Jan 13 12:00
+ # Go with the Arizona State Library instead.
+
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 11:31:42
++Zone America/Phoenix -7:28:18 - LMT 1883 Nov 18 19:00u
+ -7:00 US M%sT 1944 Jan 1 0:01
+ -7:00 - MST 1944 Apr 1 0:01
+ -7:00 US M%sT 1944 Oct 1 0:01
+@@ -873,7 +873,7 @@ Link America/Phoenix America/Creston
+ # switched four weeks late in 1974.
+ #
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Boise -7:44:49 - LMT 1883 Nov 18 12:15:11
++Zone America/Boise -7:44:49 - LMT 1883 Nov 18 20:00u
+ -8:00 US P%sT 1923 May 13 2:00
+ -7:00 US M%sT 1974
+ -7:00 - MST 1974 Feb 3 2:00
+@@ -945,7 +945,7 @@ Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D
+ Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S
+ Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 12:15:22
++Zone America/Indiana/Indianapolis -5:44:38 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1920
+ -6:00 Indianapolis C%sT 1942
+ -6:00 US C%sT 1946
+@@ -965,7 +965,7 @@ Rule Marengo 1951 only - Sep lastSun 2:00 0 S
+ Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D
+ Rule Marengo 1954 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 12:14:37
++Zone America/Indiana/Marengo -5:45:23 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1951
+ -6:00 Marengo C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -989,7 +989,7 @@ Rule Vincennes 1960 only - Oct lastSun 2:00 0 S
+ Rule Vincennes 1961 only - Sep lastSun 2:00 0 S
+ Rule Vincennes 1962 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 12:09:53
++Zone America/Indiana/Vincennes -5:50:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Vincennes C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1969
+@@ -1009,7 +1009,7 @@ Rule Perry 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D
+ Rule Perry 1961 1963 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 12:12:57
++Zone America/Indiana/Tell_City -5:47:03 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Perry C%sT 1964 Apr 26 2:00
+ -5:00 - EST 1967 Oct 29 2:00
+@@ -1026,7 +1026,7 @@ Rule Pike 1955 1960 - Sep lastSun 2:00 0 S
+ Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D
+ Rule Pike 1961 1964 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 12:10:53
++Zone America/Indiana/Petersburg -5:49:07 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1955
+ -6:00 Pike C%sT 1965 Apr 25 2:00
+ -5:00 - EST 1966 Oct 30 2:00
+@@ -1048,7 +1048,7 @@ Rule Starke 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Starke 1957 1958 - Sep lastSun 2:00 0 S
+ Rule Starke 1959 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 12:13:30
++Zone America/Indiana/Knox -5:46:30 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1947
+ -6:00 Starke C%sT 1962 Apr 29 2:00
+ -5:00 - EST 1963 Oct 27 2:00
+@@ -1064,7 +1064,7 @@ Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S
+ Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S
+ Rule Pulaski 1957 1960 - Sep lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
++Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 Pulaski C%sT 1961 Apr 30 2:00
+ -5:00 - EST 1969
+@@ -1075,7 +1075,7 @@ Zone America/Indiana/Winamac -5:46:25 - LMT 1883 Nov 18 12:13:35
+ #
+ # Switzerland County, Indiana, did not observe DST from 1973 through 2005.
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 12:19:44
++Zone America/Indiana/Vevay -5:40:16 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1954 Apr 25 2:00
+ -5:00 - EST 1969
+ -5:00 US E%sT 1973
+@@ -1111,7 +1111,7 @@ Rule Louisville 1950 1961 - Apr lastSun 2:00 1:00 D
+ Rule Louisville 1950 1955 - Sep lastSun 2:00 0 S
+ Rule Louisville 1956 1961 - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+-Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
++Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1921
+ -6:00 Louisville C%sT 1942
+ -6:00 US C%sT 1946
+@@ -1145,7 +1145,7 @@ Zone America/Kentucky/Louisville -5:43:02 - LMT 1883 Nov 18 12:16:58
+ # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
+ # https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
+ #
+-Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 12:20:36
++Zone America/Kentucky/Monticello -5:39:24 - LMT 1883 Nov 18 18:00u
+ -6:00 US C%sT 1946
+ -6:00 - CST 1968
+ -6:00 US C%sT 2000 Oct 29 2:00
+@@ -2640,6 +2640,8 @@ Zone America/Dawson -9:17:40 - LMT 1900 Aug 20
+ # longitude they are located at.
+
+ # Rule NAME FROM TO - IN ON AT SAVE LETTER/S
++Rule Mexico 1931 only - May 1 23:00 1:00 D
++Rule Mexico 1931 only - Oct 1 0:00 0 S
+ Rule Mexico 1939 only - Feb 5 0:00 1:00 D
+ Rule Mexico 1939 only - Jun 25 0:00 0 S
+ Rule Mexico 1940 only - Dec 9 0:00 1:00 D
+@@ -2656,13 +2658,13 @@ Rule Mexico 2002 max - Apr Sun>=1 2:00 1:00 D
+ Rule Mexico 2002 max - Oct lastSun 2:00 0 S
+ # Zone NAME STDOFF RULES FORMAT [UNTIL]
+ # Quintana Roo; represented by Cancún
+-Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 0:12:56
++Zone America/Cancun -5:47:04 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 Mexico E%sT 1998 Aug 2 2:00
+ -6:00 Mexico C%sT 2015 Feb 1 2:00
+ -5:00 - EST
+ # Campeche, Yucatán; represented by Mérida
+-Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
++Zone America/Merida -5:58:28 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1981 Dec 23
+ -5:00 - EST 1982 Dec 2
+ -6:00 Mexico C%sT
+@@ -2676,23 +2678,21 @@ Zone America/Merida -5:58:28 - LMT 1922 Jan 1 0:01:32
+ # See: Inicia mañana Horario de Verano en zona fronteriza, El Universal,
+ # 2016-03-12
+ # http://www.eluniversal.com.mx/articulo/estados/2016/03/12/inicia-manana-hor…
+-Zone America/Matamoros -6:40:00 - LMT 1921 Dec 31 23:20:00
++Zone America/Matamoros -6:30:00 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT 2010
+ -6:00 US C%sT
+ # Durango; Coahuila, Nuevo León, Tamaulipas (away from US border)
+-Zone America/Monterrey -6:41:16 - LMT 1921 Dec 31 23:18:44
++Zone America/Monterrey -6:41:16 - LMT 1922 Jan 1 6:00u
+ -6:00 - CST 1988
+ -6:00 US C%sT 1989
+ -6:00 Mexico C%sT
+ # Central Mexico
+-Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
++Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 Mexico C%sT 2001 Sep 30 2:00
+ -6:00 - CST 2002 Feb 20
+ -6:00 Mexico C%sT
+@@ -2700,35 +2700,29 @@ Zone America/Mexico_City -6:36:36 - LMT 1922 Jan 1 0:23:24
+ # This includes the municipalities of Janos, Ascensión, Juárez, Guadalupe,
+ # Práxedis G Guerrero, Coyame del Sotol, Ojinaga, and Manuel Benavides.
+ # (See the 2016-03-12 El Universal source mentioned above.)
+-Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 0:02:20
++Zone America/Ojinaga -6:57:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT 2010
+ -7:00 US M%sT
+ # Chihuahua (away from US border)
+-Zone America/Chihuahua -7:04:20 - LMT 1921 Dec 31 23:55:40
++Zone America/Chihuahua -7:04:20 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1996
+ -6:00 Mexico C%sT 1998
+ -6:00 - CST 1998 Apr Sun>=1 3:00
+ -7:00 Mexico M%sT
+ # Sonora
+-Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
++Zone America/Hermosillo -7:23:52 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2763,24 +2757,20 @@ Zone America/Hermosillo -7:23:52 - LMT 1921 Dec 31 23:36:08
+ # Use "Bahia_Banderas" to keep the name to fourteen characters.
+
+ # Mazatlán
+-Zone America/Mazatlan -7:05:40 - LMT 1921 Dec 31 23:54:20
++Zone America/Mazatlan -7:05:40 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+ -7:00 Mexico M%sT
+
+ # Bahía de Banderas
+-Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
++Zone America/Bahia_Banderas -7:01:00 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1927 Jun 10 23:00
+ -6:00 - CST 1930 Nov 15
+- -7:00 - MST 1931 May 1 23:00
+- -6:00 - CST 1931 Oct
+- -7:00 - MST 1932 Apr 1
++ -7:00 Mexico M%sT 1932 Apr 1
+ -6:00 - CST 1942 Apr 24
+ -7:00 - MST 1949 Jan 14
+ -8:00 - PST 1970
+@@ -2788,7 +2778,7 @@ Zone America/Bahia_Banderas -7:01:00 - LMT 1921 Dec 31 23:59:00
+ -6:00 Mexico C%sT
+
+ # Baja California
+-Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 0:11:56
++Zone America/Tijuana -7:48:04 - LMT 1922 Jan 1 7:00u
+ -7:00 - MST 1924
+ -8:00 - PST 1927 Jun 10 23:00
+ -7:00 - MST 1930 Nov 15
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+index 71470168456..0cad939008f 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/VERSION
+@@ -1 +1 @@
+-tzdata2022d
++tzdata2022e
+diff --git a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+index b3823958ae4..2f2786f1c69 100644
+--- a/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
++++ b/test/jdk/java/util/TimeZone/TimeZoneData/displaynames.txt
+@@ -97,9 +97,7 @@ America/Winnipeg CST CDT
+ America/Yakutat AKST AKDT
+ America/Yellowknife MST MDT
+ Antarctica/Macquarie AEST AEDT
+-Asia/Amman EET EEST
+ Asia/Beirut EET EEST
+-Asia/Damascus EET EEST
+ Asia/Famagusta EET EEST
+ Asia/Gaza EET EEST
+ Asia/Hebron EET EEST
commit 344ea34bdd0b0e21960190665e23be94a90b8bd4
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Oct 4 02:28:50 2022 +0100
Update to jdk-17.0.5+7
Update release notes to 17.0.5+7
diff --git a/.gitignore b/.gitignore
index 18fa8bb..8a7b642 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@
/openjdk-jdk17u-jdk-17.0.4+8.tar.xz
/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
/openjdk-jdk17u-jdk-17.0.5+1.tar.xz
+/openjdk-jdk17u-jdk-17.0.5+7.tar.xz
diff --git a/NEWS b/NEWS
index d278173..277319c 100644
--- a/NEWS
+++ b/NEWS
@@ -10,9 +10,11 @@ Live versions of these release notes can be found at:
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.txt
* Other changes
+ - JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
- JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
- JDK-7131823: bug in GIFImageReader
- JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
+ - JDK-8028265: Add legacy tz tests to OpenJDK
- JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
- JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails
- JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
@@ -20,7 +22,10 @@ Live versions of these release notes can be found at:
- JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
- JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test.
- JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values
+ - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
+ - JDK-8223543: [TESTBUG] Regression test java/awt/Graphics2D/DrawString/LCDTextSrcEa.java has issues
- JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
+ - JDK-8227651: Tests fail with SSLProtocolException: Input record too big
- JDK-8240903: Add test to check that jmod hashes are reproducible
- JDK-8254318: Remove .hgtags
- JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
@@ -36,6 +41,7 @@ Live versions of these release notes can be found at:
- JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
- JDK-8271344: Windows product version issue
- JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
+ - JDK-8272417: ZGC: fastdebug build crashes when printing ClassLoaderData
- JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals
- JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null]
- JDK-8273040: Turning off JpAllowDowngrades (or Upgrades)
@@ -46,6 +52,7 @@ Live versions of these release notes can be found at:
- JDK-8274597: Some of the dnd tests time out and fail intermittently
- JDK-8274856: Failing jpackage tests with fastdebug/release build
- JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
+ - JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
- JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold
- JDK-8276837: [macos]: Error when signing the additional launcher
- JDK-8277429: Conflicting jpackage static library name
@@ -55,6 +62,7 @@ Live versions of these release notes can be found at:
- JDK-8278311: Debian packaging doesn't work
- JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS
- JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS
+ - JDK-8279032: compiler/loopopts/TestSkeletonPredicateNegation.java times out with -XX:TieredStopAtLevel < 4
- JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
- JDK-8279622: C2: miscompilation of map pattern as a vector reduction
- JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl
@@ -62,6 +70,7 @@ Live versions of these release notes can be found at:
- JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed
- JDK-8280863: Update build README to reflect that MSYS2 is supported
- JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
+ - JDK-8280944: Enable Unix domain sockets in Windows Selector notification mechanism
- JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
- JDK-8281181: Do not use CPU Shares to compute active processor count
- JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
@@ -93,8 +102,11 @@ Live versions of these release notes can be found at:
- JDK-8282933: Create a test for JDK-4529616
- JDK-8282936: Write a regression test for JDK-4615365
- JDK-8282937: Write a regression test for JDK-4820080
+ - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
- JDK-8283015: Create a test for JDK-4715496
- JDK-8283087: Create a test or JDK-4715503
+ - JDK-8283245: Create a test for JDK-4670319
+ - JDK-8283277: ISO 4217 Amendment 171 Update
- JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
- JDK-8283457: [macos] libpng build failures with Xcode13.3
- JDK-8283493: Create an automated regression test for RFE 4231298
@@ -103,16 +115,21 @@ Live versions of these release notes can be found at:
- JDK-8283597: [REDO] Invalid generic signature for redefined classes
- JDK-8283621: Write a regression test for CCC4400728
- JDK-8283623: Create an automated regression test for JDK-4525475
+ - JDK-8283624: Create an automated regression test for RFE-4390885
+ - JDK-8283712: Create a manual test framework class
- JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
- JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
- JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+ - JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
- JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
- JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
- JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
+ - JDK-8284077: Create an automated test for JDK-4170173
- JDK-8284294: Create an automated regression test for RFE 4138746
- JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
- JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
- JDK-8284521: Write an automated regression test for RFE 4371575
+ - JDK-8284535: Fix PrintLatinCJKTest.java test that is failing with Parse Exception
- JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
- JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
- JDK-8284686: Interval of < 1 ms disables ExecutionSample events
@@ -120,6 +137,7 @@ Live versions of these release notes can be found at:
- JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
- JDK-8284898: Enhance PassFailJFrame
- JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
+ - JDK-8284950: CgroupV1 detection code should consider memory.swappiness
- JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
- JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
- JDK-8285081: Improve XPath operators count accuracy
@@ -127,7 +145,10 @@ Live versions of these release notes can be found at:
- JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
- JDK-8285380: Fix typos in security
- JDK-8285398: Cache the results of constraint checks
+ - JDK-8285617: Fix java/awt/print/PrinterJob/ImagePrinting/PrintARGBImage.java manual test
+ - JDK-8285693: Create an automated test for JDK-4702199
- JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
+ - JDK-8285730: unify _WIN32_WINNT settings
- JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
- JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
- JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
@@ -155,6 +176,7 @@ Live versions of these release notes can be found at:
- JDK-8287366: Improve test failure reporting in GHA
- JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
- JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
+ - JDK-8287463: JFR: Disable TestDevNull.java on Windows
- JDK-8287663: Add a regression test for JDK-8287073
- JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
- JDK-8287724: Fix various issues with msys2
@@ -166,24 +188,32 @@ Live versions of these release notes can be found at:
- JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
- JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
- JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
+ - JDK-8288000: compiler/loopopts/TestOverUnrolling2.java fails with release VMs
- JDK-8288003: log events for os::dll_unload
- JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
- JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
+ - JDK-8288399: MacOS debug symbol files not always deterministic in reproducible builds
- JDK-8288467: remove memory_operand assert for spilled instructions
- JDK-8288499: Restore cancel-in-progress in GHA
- JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
- JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
- JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
+ - JDK-8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305
- JDK-8288992: AArch64: CMN should be handled the same way as CMP
+ - JDK-8289127: Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
- JDK-8289147: unify os::infinite_sleep on posix platforms
- JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
+ - JDK-8289471: Issue in Initialization of keys in ErrorMsg.java and XPATHErrorResources.java
- JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
- JDK-8289486: Improve XSLT XPath operators count efficiency
+ - JDK-8289549: ISO 4217 Amendment 172 Update
- JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
+ - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
- JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
- JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
+ - JDK-8289910: unify os::message_box across posix platforms
- JDK-8290000: Bump macOS GitHub actions to macOS 11
- JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
- JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
@@ -191,6 +221,10 @@ Live versions of these release notes can be found at:
- JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
- JDK-8290334: Update FreeType to 2.12.1
- JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
+ - JDK-8290456: remove os::print_statistics()
+ - JDK-8291595: [17u] Delete files missed in backport of 8269039
+ - JDK-8291633: Build failures with GCC 11, Alpine 3 due to incompatible casts from nullptr
+ - JDK-8292579: (tz) Update Timezone Data to 2022c
Notes on individual issues:
===========================
@@ -211,6 +245,23 @@ respectively. More information about them can be found on the
Networking Properties page:
https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-f….
+security-libs/javax.crypto:
+
+JDK-6782021: Windows KeyStore Updated to Include Access to the Local Machine Location
+=====================================================================================
+The Windows KeyStore support in the SunMSCAPI provider has been
+expanded to include access to the local machine location. The new
+keystore types are:
+
+* "Windows-MY-LOCALMACHINE"
+* "Windows-ROOT-LOCALMACHINE"
+
+The following keystore types were also added, allowing developers to
+make it clear they map to the current user:
+
+* "Windows-MY-CURRENTUSER" (same as "Windows-MY")
+* "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT")
+
hotspot/runtime:
JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 7e9d93e..a424c92 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -368,7 +368,7 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 1
+%global buildver 7
%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@@ -2669,6 +2669,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Oct 04 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.7-0.1.ea
+- Update to jdk-17.0.5+7
+- Update release notes to 17.0.5+7
+
* Mon Oct 03 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.1-0.1.ea
- Update to jdk-17.0.5+1
- Update release notes to 17.0.5+1
diff --git a/sources b/sources
index ccc402e..d0a250a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.5+1.tar.xz) = fb8a70c13220bb2091d618c186912f9a11741effee769eee33e20239d439176a9a3a0321316fb0778d14e08a662b282a9f4c7fb2d64ad45e7b582dcf9f2187a1
+SHA512 (openjdk-jdk17u-jdk-17.0.5+7.tar.xz) = 43eb77ba56756748ce39e245824ca7d68c7cfe01fd4e72599e1b73f85bd522beadb3651029457c2b6dbb0080daf3d0550350929090e36fce8fc7892163222bc7
commit 3e49d2c00a1317e128ae6c5d9ef46e9bfdea36e1
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Mon Oct 3 04:09:32 2022 +0100
Update to jdk-17.0.5+1
Update release notes to 17.0.5+1
Switch to EA mode for 17.0.5 pre-release builds.
Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
Bump FreeType bundled version to 2.12.1 following JDK-8290334
diff --git a/.gitignore b/.gitignore
index 5df29a7..18fa8bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@
/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+8.tar.xz
/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
+/openjdk-jdk17u-jdk-17.0.5+1.tar.xz
diff --git a/NEWS b/NEWS
index ed5ebeb..d278173 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,279 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.5 (2022-10-18):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1705
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.5.txt
+
+* Other changes
+ - JDK-6854300: [TEST_BUG] java/awt/event/MouseEvent/SpuriousExitEnter/SpuriousExitEnter_3.java fails in jdk6u14 & jdk7
+ - JDK-7131823: bug in GIFImageReader
+ - JDK-8017175: [TESTBUG] javax/swing/JPopupMenu/4634626/bug4634626.java sometimes failed on mac
+ - JDK-8028998: [TEST_BUG] [macosx] java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java failed
+ - JDK-8079267: [TEST_BUG] Test java/awt/Frame/MiscUndecorated/RepaintTest.java fails
+ - JDK-8159694: HiDPI, Unity, java/awt/dnd/DropTargetEnterExitTest/MissedDragExitTest.java
+ - JDK-8169468: NoResizeEventOnDMChangeTest.java fails because FS Window didn't receive all resizes!
+ - JDK-8172065: javax/swing/JTree/4908142/bug4908142.java The selected index should be "aad"
+ - JDK-8178969: [TESTBUG] Wrong reporting of gc/g1/humongousObjects/TestHeapCounters test.
+ - JDK-8211002: test/jdk/java/lang/Math/PowTests.java skips testing for non-corner-case values
+ - JDK-8225122: Test AncestorResized.java fails when Windows desktop is scaled.
+ - JDK-8240903: Add test to check that jmod hashes are reproducible
+ - JDK-8254318: Remove .hgtags
+ - JDK-8255724: [XRender] the BlitRotateClippedArea test fails on Linux in the XR pipeline
+ - JDK-8256844: Make NMT late-initializable
+ - JDK-8257534: misc tests failed with "NoClassDefFoundError: Could not initialize class java.util.concurrent.ThreadLocalRandom"
+ - JDK-8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class
+ - JDK-8264792: The NumberFormat for locale sq_XK formats price incorrectly.
+ - JDK-8265360: several compiler/whitebox tests fail with "private compiler.whitebox.SimpleTestCaseHelper(int) must be compiled"
+ - JDK-8269039: Disable SHA-1 Signed JARs
+ - JDK-8269556: sun/tools/jhsdb/JShellHeapDumpTest.java fails with RuntimeException 'JShellToolProvider' missing from stdout/stderr
+ - JDK-8270090: C2: LCM may prioritize CheckCastPP nodes over projections
+ - JDK-8270312: Error: Not a test or directory containing tests: java/awt/print/PrinterJob/XparColor.java
+ - JDK-8271078: jdk/incubator/vector/Float128VectorTests.java failed a subtest
+ - JDK-8271344: Windows product version issue
+ - JDK-8272352: Java launcher can not parse Chinese character when system locale is set to UTF-8
+ - JDK-8272736: [JVMCI] Add API for reading and writing JVMCI thread locals
+ - JDK-8272815: jpackage --type rpm produces an error: Invalid or unsupported type: [null]
+ - JDK-8273040: Turning off JpAllowDowngrades (or Upgrades)
+ - JDK-8273115: CountedLoopEndNode::stride_con crash in debug build with -XX:+TraceLoopOpts
+ - JDK-8273506: java Robot API did the 'm' keypress and caused /awt/event/KeyEvent/KeyCharTest/KeyCharTest.html is timing out on macOS 12
+ - JDK-8274434: move os::get_default_process_handle and os::dll_lookup to os_posix for POSIX platforms
+ - JDK-8274517: java/util/DoubleStreamSums/CompensatedSums.java fails with expected [true] but found [false]
+ - JDK-8274597: Some of the dnd tests time out and fail intermittently
+ - JDK-8274856: Failing jpackage tests with fastdebug/release build
+ - JDK-8275689: [TESTBUG] Use color tolerance only for XRender in BlitRotateClippedArea test
+ - JDK-8276546: [IR Framework] Whitelist and ignore CompileThreshold
+ - JDK-8276837: [macos]: Error when signing the additional launcher
+ - JDK-8277429: Conflicting jpackage static library name
+ - JDK-8277493: [REDO] Quarantined jpackage apps are labeled as "damaged"
+ - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
+ - JDK-8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript
+ - JDK-8278311: Debian packaging doesn't work
+ - JDK-8278609: [macos] accessibility frame is misplaced on a secondary monitor on macOS
+ - JDK-8278612: [macos] test/jdk/java/awt/dnd/RemoveDropTargetCrashTest crashes with VoiceOver on macOS
+ - JDK-8279370: jdk.jpackage/share/native/applauncher/JvmLauncher.cpp fails to build with GCC 6.3.0
+ - JDK-8279622: C2: miscompilation of map pattern as a vector reduction
+ - JDK-8280233: Temporarily disable Unix domain sockets in Windows PipeImpl
+ - JDK-8280550: SplittableRandom#nextDouble(double,double) can return result >= bound
+ - JDK-8280696: C2 compilation hits assert(is_dominator(c, n_ctrl)) failed
+ - JDK-8280863: Update build README to reflect that MSYS2 is supported
+ - JDK-8280913: Create a regression test for JRootPane.setDefaultButton() method
+ - JDK-8280950: RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
+ - JDK-8281181: Do not use CPU Shares to compute active processor count
+ - JDK-8281183: RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
+ - JDK-8281297: TestStressG1Humongous fails with guarantee(is_range_uncommitted)
+ - JDK-8281535: Create a regression test for JDK-4670051
+ - JDK-8281569: Create tests for Frame.setMinimumSize() method
+ - JDK-8281628: KeyAgreement : generateSecret intermittently not resetting
+ - JDK-8281738: Create a regression test for checking the 'Space' key activation of focused Button
+ - JDK-8281745: Create a regression test for JDK-4514331
+ - JDK-8281988: Create a regression test for JDK-4618767
+ - JDK-8282007: Assorted enhancements to jpackage testing framework
+ - JDK-8282046: Create a regression test for JDK-8000326
+ - JDK-8282214: Upgrade JQuery to version 3.6.0
+ - JDK-8282234: Create a regression test for JDK-4532513
+ - JDK-8282280: Update Xerces to Version 2.12.2
+ - JDK-8282306: os::is_first_C_frame(frame*) crashes on invalid link access
+ - JDK-8282343: Create a regression test for JDK-4518432
+ - JDK-8282351: jpackage does not work if class file has `$$` in the name on windows
+ - JDK-8282407: Missing ')' in MacResources.properties
+ - JDK-8282467: add extra diagnostics for JDK-8268184
+ - JDK-8282477: [x86, aarch64] vmassert(_last_Java_pc == NULL, "already walkable"); fails with async profiler
+ - JDK-8282538: PKCS11 tests fail on CentOS Stream 9
+ - JDK-8282548: Create a regression test for JDK-4330998
+ - JDK-8282555: Missing memory edge when spilling MoveF2I, MoveD2L etc
+ - JDK-8282640: Create a test for JDK-4740761
+ - JDK-8282778: Create a regression test for JDK-4699544
+ - JDK-8282789: Create a regression test for the JTree usecase of JDK-4618767
+ - JDK-8282860: Write a regression test for JDK-4164779
+ - JDK-8282933: Create a test for JDK-4529616
+ - JDK-8282936: Write a regression test for JDK-4615365
+ - JDK-8282937: Write a regression test for JDK-4820080
+ - JDK-8283015: Create a test for JDK-4715496
+ - JDK-8283087: Create a test or JDK-4715503
+ - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
+ - JDK-8283457: [macos] libpng build failures with Xcode13.3
+ - JDK-8283493: Create an automated regression test for RFE 4231298
+ - JDK-8283507: Create a regression test for RFE 4287690
+ - JDK-8283562: JDK-8282306 breaks gtests on zero
+ - JDK-8283597: [REDO] Invalid generic signature for redefined classes
+ - JDK-8283621: Write a regression test for CCC4400728
+ - JDK-8283623: Create an automated regression test for JDK-4525475
+ - JDK-8283723: Update Visual Studio 2022 to version 17.1.0 for Oracle builds on Windows
+ - JDK-8283803: Remove jtreg tag manual=yesno for java/awt/print/PrinterJob/PrintGlyphVectorTest.java and fix test
+ - JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
+ - JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
+ - JDK-8284014: Menu items with submenus in JPopupMenu are not spoken on macOS
+ - JDK-8284067: jpackage'd launcher reports non-zero exit codes with error prompt
+ - JDK-8284294: Create an automated regression test for RFE 4138746
+ - JDK-8284358: Unreachable loop is not removed from C2 IR, leading to a broken graph
+ - JDK-8284367: JQuery UI upgrade from 1.12.1 to 1.13.1
+ - JDK-8284521: Write an automated regression test for RFE 4371575
+ - JDK-8284675: "jpackage.exe" creates application launcher without Windows Application Manfiest
+ - JDK-8284680: sun.font.FontConfigManager.getFontConfig() leaks charset
+ - JDK-8284686: Interval of < 1 ms disables ExecutionSample events
+ - JDK-8284694: Avoid evaluating SSLAlgorithmConstraints twice
+ - JDK-8284883: JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
+ - JDK-8284898: Enhance PassFailJFrame
+ - JDK-8284944: assert(cnt++ < 40) failed: infinite cycle in loop optimization
+ - JDK-8284956: Potential leak awtImageData/color_data when initializes X11GraphicsEnvironment
+ - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
+ - JDK-8285081: Improve XPath operators count accuracy
+ - JDK-8285097: Duplicate XML keys in XPATHErrorResources.java and XSLTErrorResources.java
+ - JDK-8285301: C2: assert(!requires_atomic_access) failed: can't ensure atomicity
+ - JDK-8285380: Fix typos in security
+ - JDK-8285398: Cache the results of constraint checks
+ - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null
+ - JDK-8285820: C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
+ - JDK-8285923: [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
+ - JDK-8286114: [test] show real exception in bomb call in sun/rmi/runtime/Log/checkLogging/CheckLogging.java
+ - JDK-8286122: [macos]: App bundle cannot upload to Mac App Store due to info.plist embedded in java exe
+ - JDK-8286177: C2: "failed: non-reduction loop contains reduction nodes" assert failure
+ - JDK-8286211: Update PCSC-Lite for Suse Linux to 1.9.5
+ - JDK-8286266: [macos] Voice over moving JTable column to be the first column JVM crashes
+ - JDK-8286277: CDS VerifyError when calling clone() on object array
+ - JDK-8286314: Trampoline not created for far runtime targets outside small CodeCache
+ - JDK-8286429: jpackageapplauncher build fails intermittently in Tier[45]
+ - JDK-8286573: Remove the unnecessary method Attr#attribTopLevel and its usage
+ - JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
+ - JDK-8286625: C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
+ - JDK-8286638: C2: CmpU needs to do more precise over/underflow analysis
+ - JDK-8286869: unify os::dir_is_empty across posix platforms
+ - JDK-8286870: Memory leak with RepeatCompilation
+ - JDK-8287016: Bump update version for OpenJDK: jdk-17.0.5
+ - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
+ - JDK-8287091: aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
+ - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
+ - JDK-8287113: JFR: Periodic task thread uses period for method sampling events
+ - JDK-8287125: [macos] Multiple jpackage tests fail/timeout on same host
+ - JDK-8287202: GHA: Add macOS aarch64 to the list of default platforms for workflow_dispatch event
+ - JDK-8287223: C1: Inlining attempt through MH::invokeBasic() with null receiver
+ - JDK-8287366: Improve test failure reporting in GHA
+ - JDK-8287396: LIR_Opr::vreg_number() and data() can return negative number
+ - JDK-8287432: C2: assert(tn->in(0) != __null) failed: must have live top node
+ - JDK-8287663: Add a regression test for JDK-8287073
+ - JDK-8287672: jtreg test com/sun/jndi/ldap/LdapPoolTimeoutTest.java fails intermittently in nightly run
+ - JDK-8287724: Fix various issues with msys2
+ - JDK-8287735: Provide separate event category for dll operations
+ - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
+ - JDK-8287824: The MTPerLineTransformValidation tests has a typo in the @run tag
+ - JDK-8287895: Some langtools tests fail on msys2
+ - JDK-8287896: PropertiesTest.sh fail on msys2
+ - JDK-8287902: UnreadableRB case in MissingResourceCauseTest is not working reliably on Windows
+ - JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
+ - JDK-8287917: System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
+ - JDK-8288003: log events for os::dll_unload
+ - JDK-8288303: C1: Miscompilation due to broken Class.getModifiers intrinsic
+ - JDK-8288360: CI: ciInstanceKlass::implementor() is not consistent for well-known classes
+ - JDK-8288467: remove memory_operand assert for spilled instructions
+ - JDK-8288499: Restore cancel-in-progress in GHA
+ - JDK-8288599: com/sun/management/OperatingSystemMXBean/TestTotalSwap.java: Expected total swap size ... but getTotalSwapSpaceSize returned ...
+ - JDK-8288754: GCC 12 fails to build zReferenceProcessor.cpp
+ - JDK-8288781: C1: LIR_OpVisitState::maxNumberOfOperands too small
+ - JDK-8288992: AArch64: CMN should be handled the same way as CMP
+ - JDK-8289147: unify os::infinite_sleep on posix platforms
+ - JDK-8289197: [17u] Push of backport of 8286177 did not remove assertion
+ - JDK-8289477: Memory corruption with CPU_ALLOC, CPU_FREE on muslc
+ - JDK-8289486: Improve XSLT XPath operators count efficiency
+ - JDK-8289569: [test] java/lang/ProcessBuilder/Basic.java fails on Alpine/musl
+ - JDK-8289697: buffer overflow in MTLVertexCache.m: MTLVertexCache_AddGlyphQuad
+ - JDK-8289799: Build warning in methodData.cpp memset zero-length parameter
+ - JDK-8289853: Update HarfBuzz to 4.4.1
+ - JDK-8289856: [PPC64] SIGSEGV in C2Compiler::init_c2_runtime() after JDK-8289060
+ - JDK-8290000: Bump macOS GitHub actions to macOS 11
+ - JDK-8290004: [PPC64] JfrGetCallTrace: assert(_pc != nullptr) failed: must have PC
+ - JDK-8290020: Deadlock in leakprofiler::emit_events during shutdown
+ - JDK-8290082: [PPC64] ZGC C2 load barrier stub needs to preserve vector registers
+ - JDK-8290246: test fails "assert(init != __null) failed: initialization not found"
+ - JDK-8290334: Update FreeType to 2.12.1
+ - JDK-8290417: CDS cannot archive lamda proxy with useImplMethodHandle
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
+===========================================================================
+Two system properties have been added which control the keep alive
+behavior of HttpURLConnection in the case where the server does not
+specify a keep alive time. Two properties are defined for controlling
+connections to servers and proxies separately. They are:
+
+* `http.keepAlive.time.server`
+* `http.keepAlive.time.proxy`
+
+respectively. More information about them can be found on the
+Networking Properties page:
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html.
+
+hotspot/runtime:
+
+JDK-8281181: CPU Shares Ignored When Computing Active Processor Count
+=====================================================================
+Previous JDK releases used an incorrect interpretation of the Linux
+cgroups parameter "cpu.shares". This might cause the JVM to use fewer
+CPUs than available, leading to an under utilization of CPU resources
+when the JVM is used inside a container.
+
+Starting from this JDK release, by default, the JVM no longer
+considers "cpu.shares" when deciding the number of threads to be used
+by the various thread pools. The `-XX:+UseContainerCpuShares`
+command-line option can be used to revert to the previous
+behavior. This option is deprecated and may be removed in a future JDK
+release.
+
+security-libs/java.security:
+
+JDK-8269039: Disabled SHA-1 Signed JARs
+=======================================
+JARs signed with SHA-1 algorithms are now restricted by default and
+treated as if they were unsigned. This applies to the algorithms used
+to digest, sign, and optionally timestamp the JAR. It also applies to
+the signature and digest algorithms of the certificates in the
+certificate chain of the code signer and the Timestamp Authority, and
+any CRLs or OCSP responses that are used to verify if those
+certificates have been revoked. These restrictions also apply to
+signed JCE providers.
+
+To reduce the compatibility risk for JARs that have been previously
+timestamped, there is one exception to this policy:
+
+- Any JAR signed with SHA-1 algorithms and timestamped prior to
+ January 01, 2019 will not be restricted.
+
+This exception may be removed in a future JDK release. To determine if
+your signed JARs are affected by this change, run:
+
+$ jarsigner -verify -verbose -certs`
+
+on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
+"disabled" and a warning that the JAR will be treated as unsigned in
+the output.
+
+For example:
+
+ Signed by "CN="Signer""
+ Digest algorithm: SHA-1 (disabled)
+ Signature algorithm: SHA1withRSA (disabled), 2048-bit key
+
+ WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
+
+ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
+
+JARs affected by these new restrictions should be replaced or
+re-signed with stronger algorithms.
+
+Users can, *at their own risk*, remove these restrictions by modifying
+the `java.security` configuration file (or override it by using the
+`java.security.properties` system property) and removing "SHA1 usage
+SignedJAR & denyAfter 2019-01-01" from the
+`jdk.certpath.disabledAlgorithms` security property and "SHA1
+denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
+property.
+
New in release OpenJDK 17.0.4.1 (2022-08-16):
===========================================
Live versions of these release notes can be found at:
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index cbef4a4..7e9d93e 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -321,8 +321,8 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 4
-%global patchver 1
+%global updatever 5
+%global patchver 0
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -369,7 +369,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 3
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -395,7 +395,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
%global ea_designator ""
@@ -1468,11 +1468,11 @@ BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
-Provides: bundled(freetype) = 2.12.0
+Provides: bundled(freetype) = 2.12.1
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 2.8.0
+Provides: bundled(harfbuzz) = 4.4.1
# Version in src/java.desktop/share/native/liblcms/lcms2.h
Provides: bundled(lcms2) = 2.12.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
@@ -2669,6 +2669,13 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Oct 03 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.5.0.1-0.1.ea
+- Update to jdk-17.0.5+1
+- Update release notes to 17.0.5+1
+- Switch to EA mode for 17.0.5 pre-release builds.
+- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
+- Bump FreeType bundled version to 2.12.1 following JDK-8290334
+
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-3
- Switch to static builds, reducing system dependencies and making build more portable
diff --git a/sources b/sources
index 2008902..ccc402e 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz) = 50bf07932e3aec20b4b5d51c01fe095a67b0186a4bc0bed6c8acfacde3673b97f0f177e0f3c372bf1a494c99e61475b4af66261be15f33bb4be8b14671952419
+SHA512 (openjdk-jdk17u-jdk-17.0.5+1.tar.xz) = fb8a70c13220bb2091d618c186912f9a11741effee769eee33e20239d439176a9a3a0321316fb0778d14e08a662b282a9f4c7fb2d64ad45e7b582dcf9f2187a1
commit b6fe10006550dde2aee2763c06dd2f0143850dfa
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Thu Sep 1 02:59:35 2022 +0100
Switch to static builds, reducing system dependencies and making build more portable
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a7e9c14..cbef4a4 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -23,6 +23,8 @@
%bcond_without staticlibs
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
+# Build with system libraries
+%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@@ -39,6 +41,16 @@
%global build_hotspot_first 0
%endif
+%if %{with system_libs}
+%global system_libs 1
+%global link_type system
+%global freetype_lib %{nil}
+%else
+%global system_libs 0
+%global link_type bundled
+%global freetype_lib |libfreetype[.]so.*
+%endif
+
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@@ -357,7 +369,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -419,7 +431,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
-%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@@ -857,6 +869,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%if ! %{system_libs}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
+%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@@ -1411,14 +1426,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
-BuildRequires: freetype-devel
-BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
-BuildRequires: harfbuzz-devel
-BuildRequires: lcms2-devel
-BuildRequires: libjpeg-devel
-BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@@ -1450,6 +1459,30 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
+%if %{system_libs}
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+%else
+# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
+Provides: bundled(freetype) = 2.12.0
+# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
+Provides: bundled(giflib) = 5.2.1
+# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
+Provides: bundled(harfbuzz) = 2.8.0
+# Version in src/java.desktop/share/native/liblcms/lcms2.h
+Provides: bundled(lcms2) = 2.12.0
+# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
+Provides: bundled(libjpeg) = 6b
+# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
+Provides: bundled(libpng) = 1.6.37
+# We link statically against libstdc++ to increase portability
+BuildRequires: libstdc++-static
+%endif
+
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
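Review bot: The `%else` branch added here declares `bundled()` Provides for freetype, giflib, harfbuzz, lcms2, libjpeg and libpng, but none for zlib. The configure hunk further down in this commit changes `--with-zlib=system` to `--with-zlib=${link_opt}`, and `link_type` is `bundled` whenever `system_libs` is off, which is the default with `%bcond_with system_libs`, so the default build now appears to carry the in-tree zlib as well. Tooling that uses `bundled()` Provides to find packages affected by a zlib advisory would miss this one. I would add `Provides: bundled(zlib) = <ZLIB_VERSION>` with the same kind of `# Version in ...` comment pointing at the in-tree zlib header; the version is a placeholder because the page does not show it.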
@@ -1799,8 +1832,11 @@ if [ $prioritylength -ne 8 ] ; then
fi
# OpenJDK patches
+
+%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name}
+%endif
# Patch the JDK
pushd %{top_level_dir_name}
@@ -1934,6 +1970,12 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
+ if [ "x${link_opt}" = "xbundled" ] ; then
+ libc_link_opt="static";
+ else
+ libc_link_opt="dynamic";
+ fi
+
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
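Review bot: `libc_link_opt` is assigned without `local`, unlike `top_dir_abs_src_path` and `top_dir_abs_build_path` directly above it, so it becomes a global of the %build shell and outlives each `buildjdk` call. Both branches set it on every call, so this is a hygiene point rather than a functional bug; `local libc_link_opt` before the `if` keeps it scoped. The name also reads as if it selects libc linkage, while the configure hunk passes it to `--with-stdc++lib`; a name such as `libstdcxx_link_opt`, or a one-line comment `# link type for libstdc++, static when bundling`, would avoid that confusion. The body of `buildjdk` continues outside this hunk.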
@@ -1965,13 +2007,14 @@ function buildjdk() {
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
- --with-zlib=system \
+ --with-zlib=${link_opt} \
+ --with-freetype=${link_opt} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
--with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \
- --with-stdc++lib=dynamic \
+ --with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-ldflags="%{ourldflags}" \
@@ -2138,12 +2181,13 @@ for suffix in %{build_loop} ; do
bootbuilddir=boot${builddir}
if test "x${loop}" = "x%{main_suffix}" ; then
+ link_opt="%{link_type}"
+%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
- # Use system libraries
- link_opt="system"
+%endif
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
# slower builds.
@@ -2161,9 +2205,11 @@ for suffix in %{build_loop} ; do
else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
+%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
+%endif
else
# Use bundled libraries for building statically
link_opt="bundled"
@@ -2623,6 +2669,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Aug 30 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-3
+- Switch to static builds, reducing system dependencies and making build more portable
+
* Mon Aug 29 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-2
- Update FIPS support to bring in latest changes
- * RH2048582: Support PKCS#12 keystores
commit ea9509f5cadcf50044fda1098ddbc07a08e3ed49
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Mon Aug 29 04:59:50 2022 +0100
Update FIPS support to bring in latest changes
* RH2048582: Support PKCS#12 keystores
* RH2020290: Support TLS 1.3 in FIPS mode
diff --git a/fips-17u-bb46af07cb9.patch b/fips-17u-0bd5ca9ccc5.patch
similarity index 60%
rename from fips-17u-bb46af07cb9.patch
rename to fips-17u-0bd5ca9ccc5.patch
index 8954cf1..86fb1ab 100644
--- a/fips-17u-bb46af07cb9.patch
+++ b/fips-17u-0bd5ca9ccc5.patch
@@ -157,6 +157,310 @@ index 5658ff342e5..c8bc5bde1e1 100644
################################################################################
# Create the symbols file for static builds.
+diff --git a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java
+index 1fd6230d83b..683e3dd3a8d 100644
+--- a/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java
++++ b/src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java
+@@ -25,13 +25,12 @@
+
+ package com.sun.crypto.provider;
+
+-import java.util.Arrays;
+-
+ import javax.crypto.SecretKey;
+ import javax.crypto.spec.SecretKeySpec;
+-import javax.crypto.spec.PBEParameterSpec;
++import javax.crypto.spec.PBEKeySpec;
+ import java.security.*;
+ import java.security.spec.*;
++import sun.security.util.PBEUtil;
+
+ /**
+ * This is an implementation of the HMAC algorithms as defined
+@@ -108,79 +107,15 @@ abstract class HmacPKCS12PBECore extends HmacCore {
+ */
+ protected void engineInit(Key key, AlgorithmParameterSpec params)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+- char[] passwdChars;
+- byte[] salt = null;
+- int iCount = 0;
+- if (key instanceof javax.crypto.interfaces.PBEKey) {
+- javax.crypto.interfaces.PBEKey pbeKey =
+- (javax.crypto.interfaces.PBEKey) key;
+- passwdChars = pbeKey.getPassword();
+- salt = pbeKey.getSalt(); // maybe null if unspecified
+- iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified
+- } else if (key instanceof SecretKey) {
+- byte[] passwdBytes;
+- if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) ||
+- (passwdBytes = key.getEncoded()) == null) {
+- throw new InvalidKeyException("Missing password");
+- }
+- passwdChars = new char[passwdBytes.length];
+- for (int i=0; i<passwdChars.length; i++) {
+- passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
+- }
+- Arrays.fill(passwdBytes, (byte)0x00);
+- } else {
+- throw new InvalidKeyException("SecretKey of PBE type required");
+- }
+-
++ PBEKeySpec keySpec = PBEUtil.getPBAKeySpec(key, params);
+ byte[] derivedKey;
+ try {
+- if (params == null) {
+- // should not auto-generate default values since current
+- // javax.crypto.Mac api does not have any method for caller to
+- // retrieve the generated defaults.
+- if ((salt == null) || (iCount == 0)) {
+- throw new InvalidAlgorithmParameterException
+- ("PBEParameterSpec required for salt and iteration count");
+- }
+- } else if (!(params instanceof PBEParameterSpec)) {
+- throw new InvalidAlgorithmParameterException
+- ("PBEParameterSpec type required");
+- } else {
+- PBEParameterSpec pbeParams = (PBEParameterSpec) params;
+- // make sure the parameter values are consistent
+- if (salt != null) {
+- if (!Arrays.equals(salt, pbeParams.getSalt())) {
+- throw new InvalidAlgorithmParameterException
+- ("Inconsistent value of salt between key and params");
+- }
+- } else {
+- salt = pbeParams.getSalt();
+- }
+- if (iCount != 0) {
+- if (iCount != pbeParams.getIterationCount()) {
+- throw new InvalidAlgorithmParameterException
+- ("Different iteration count between key and params");
+- }
+- } else {
+- iCount = pbeParams.getIterationCount();
+- }
+- }
+- // For security purpose, we need to enforce a minimum length
+- // for salt; just require the minimum salt length to be 8-byte
+- // which is what PKCS#5 recommends and openssl does.
+- if (salt.length < 8) {
+- throw new InvalidAlgorithmParameterException
+- ("Salt must be at least 8 bytes long");
+- }
+- if (iCount <= 0) {
+- throw new InvalidAlgorithmParameterException
+- ("IterationCount must be a positive number");
+- }
+- derivedKey = PKCS12PBECipherCore.derive(passwdChars, salt,
+- iCount, engineGetMacLength(), PKCS12PBECipherCore.MAC_KEY,
+- algorithm, bl);
++ derivedKey = PKCS12PBECipherCore.derive(
++ keySpec.getPassword(), keySpec.getSalt(),
++ keySpec.getIterationCount(), engineGetMacLength(),
++ PKCS12PBECipherCore.MAC_KEY, algorithm, bl);
+ } finally {
+- Arrays.fill(passwdChars, '\0');
++ keySpec.clearPassword();
+ }
+ SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1");
+ super.engineInit(cipherKey, null);
+diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java b/src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java
+index db56dfcd505..07e34e95c05 100644
+--- a/src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java
++++ b/src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java
+@@ -27,10 +27,11 @@ package com.sun.crypto.provider;
+
+ import java.security.*;
+ import java.security.spec.*;
+-import java.util.Arrays;
+ import javax.crypto.*;
+ import javax.crypto.spec.*;
+
++import sun.security.util.PBEUtil;
++
+ /**
+ * This class represents password-based encryption as defined by the PKCS #5
+ * standard.
+@@ -54,9 +55,8 @@ abstract class PBES2Core extends CipherSpi {
+ private final PBKDF2Core kdf;
+ private final String pbeAlgo;
+ private final String cipherAlgo;
+- private int iCount = DEFAULT_COUNT;
+- private byte[] salt = null;
+- private IvParameterSpec ivSpec = null;
++ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper(
++ DEFAULT_SALT_LENGTH, DEFAULT_COUNT);
+
+ /**
+ * Creates an instance of PBE Scheme 2 according to the selected
+@@ -129,32 +129,8 @@ abstract class PBES2Core extends CipherSpi {
+ }
+
+ protected AlgorithmParameters engineGetParameters() {
+- AlgorithmParameters params = null;
+- if (salt == null) {
+- // generate random salt and use default iteration count
+- salt = new byte[DEFAULT_SALT_LENGTH];
+- SunJCE.getRandom().nextBytes(salt);
+- iCount = DEFAULT_COUNT;
+- }
+- if (ivSpec == null) {
+- // generate random IV
+- byte[] ivBytes = new byte[blkSize];
+- SunJCE.getRandom().nextBytes(ivBytes);
+- ivSpec = new IvParameterSpec(ivBytes);
+- }
+- PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, iCount, ivSpec);
+- try {
+- params = AlgorithmParameters.getInstance(pbeAlgo,
+- SunJCE.getInstance());
+- params.init(pbeSpec);
+- } catch (NoSuchAlgorithmException nsae) {
+- // should never happen
+- throw new RuntimeException("SunJCE called, but not configured");
+- } catch (InvalidParameterSpecException ipse) {
+- // should never happen
+- throw new RuntimeException("PBEParameterSpec not supported");
+- }
+- return params;
++ return pbes2Helper.getAlgorithmParameters(
++ blkSize, pbeAlgo, SunJCE.getInstance(), SunJCE.getRandom());
+ }
+
+ protected void engineInit(int opmode, Key key, SecureRandom random)
+@@ -174,105 +150,8 @@ abstract class PBES2Core extends CipherSpi {
+ SecureRandom random)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+
+- if (key == null) {
+- throw new InvalidKeyException("Null key");
+- }
+-
+- byte[] passwdBytes = key.getEncoded();
+- char[] passwdChars = null;
+- PBEKeySpec pbeSpec;
+- try {
+- if ((passwdBytes == null) ||
+- !(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3))) {
+- throw new InvalidKeyException("Missing password");
+- }
+-
+- // TBD: consolidate the salt, ic and IV parameter checks below
+-
+- // Extract salt and iteration count from the key, if present
+- if (key instanceof javax.crypto.interfaces.PBEKey) {
+- salt = ((javax.crypto.interfaces.PBEKey)key).getSalt();
+- if (salt != null && salt.length < 8) {
+- throw new InvalidAlgorithmParameterException(
+- "Salt must be at least 8 bytes long");
+- }
+- iCount = ((javax.crypto.interfaces.PBEKey)key).getIterationCount();
+- if (iCount == 0) {
+- iCount = DEFAULT_COUNT;
+- } else if (iCount < 0) {
+- throw new InvalidAlgorithmParameterException(
+- "Iteration count must be a positive number");
+- }
+- }
+-
+- // Extract salt, iteration count and IV from the params, if present
+- if (params == null) {
+- if (salt == null) {
+- // generate random salt and use default iteration count
+- salt = new byte[DEFAULT_SALT_LENGTH];
+- random.nextBytes(salt);
+- iCount = DEFAULT_COUNT;
+- }
+- if ((opmode == Cipher.ENCRYPT_MODE) ||
+- (opmode == Cipher.WRAP_MODE)) {
+- // generate random IV
+- byte[] ivBytes = new byte[blkSize];
+- random.nextBytes(ivBytes);
+- ivSpec = new IvParameterSpec(ivBytes);
+- }
+- } else {
+- if (!(params instanceof PBEParameterSpec)) {
+- throw new InvalidAlgorithmParameterException
+- ("Wrong parameter type: PBE expected");
+- }
+- // salt and iteration count from the params take precedence
+- byte[] specSalt = ((PBEParameterSpec) params).getSalt();
+- if (specSalt != null && specSalt.length < 8) {
+- throw new InvalidAlgorithmParameterException(
+- "Salt must be at least 8 bytes long");
+- }
+- salt = specSalt;
+- int specICount = ((PBEParameterSpec) params).getIterationCount();
+- if (specICount == 0) {
+- specICount = DEFAULT_COUNT;
+- } else if (specICount < 0) {
+- throw new InvalidAlgorithmParameterException(
+- "Iteration count must be a positive number");
+- }
+- iCount = specICount;
+-
+- AlgorithmParameterSpec specParams =
+- ((PBEParameterSpec) params).getParameterSpec();
+- if (specParams != null) {
+- if (specParams instanceof IvParameterSpec) {
+- ivSpec = (IvParameterSpec)specParams;
+- } else {
+- throw new InvalidAlgorithmParameterException(
+- "Wrong parameter type: IV expected");
+- }
+- } else if ((opmode == Cipher.ENCRYPT_MODE) ||
+- (opmode == Cipher.WRAP_MODE)) {
+- // generate random IV
+- byte[] ivBytes = new byte[blkSize];
+- random.nextBytes(ivBytes);
+- ivSpec = new IvParameterSpec(ivBytes);
+- } else {
+- throw new InvalidAlgorithmParameterException(
+- "Missing parameter type: IV expected");
+- }
+- }
+-
+- passwdChars = new char[passwdBytes.length];
+- for (int i = 0; i < passwdChars.length; i++)
+- passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
+-
+- pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength);
+- // password char[] was cloned in PBEKeySpec constructor,
+- // so we can zero it out here
+- } finally {
+- if (passwdChars != null) Arrays.fill(passwdChars, '\0');
+- if (passwdBytes != null) Arrays.fill(passwdBytes, (byte)0x00);
+- }
++ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLength,
++ opmode, key, params, random);
+
+ PBKDF2KeyImpl s;
+
+@@ -291,22 +170,14 @@ abstract class PBES2Core extends CipherSpi {
+ SecretKeySpec cipherKey = new SecretKeySpec(derivedKey, cipherAlgo);
+
+ // initialize the underlying cipher
+- cipher.init(opmode, cipherKey, ivSpec, random);
++ cipher.init(opmode, cipherKey, pbes2Helper.getIvSpec(), random);
+ }
+
+ protected void engineInit(int opmode, Key key, AlgorithmParameters params,
+ SecureRandom random)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+- AlgorithmParameterSpec pbeSpec = null;
+- if (params != null) {
+- try {
+- pbeSpec = params.getParameterSpec(PBEParameterSpec.class);
+- } catch (InvalidParameterSpecException ipse) {
+- throw new InvalidAlgorithmParameterException(
+- "Wrong parameter type: PBE expected");
+- }
+- }
+- engineInit(opmode, key, pbeSpec, random);
++ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params),
++ random);
+ }
+
+ protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen) {
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
index a020e1c15d8..3c064965e82 100644
--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
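Review bot: In the rewritten `engineInit` of HmacPKCS12PBECore, `keySpec.getPassword()` is passed straight into `PKCS12PBECipherCore.derive`. `PBEKeySpec.getPassword()` returns a copy, so the `keySpec.clearPassword()` in the `finally` wipes only the spec's internal array. The removed code zeroed the exact `passwdChars` array it had handed to `derive`; unless `derive` clears its argument (not visible here), a cleartext copy of the password now stays on the heap until it is collected. I would hold the copy in a local, `char[] password = keySpec.getPassword();`, pass `password` to `derive`, and add `Arrays.fill(password, '\0');` next to `clearPassword()`, which means keeping the `java.util.Arrays` import that this hunk drops.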
@@ -1890,7 +2194,7 @@ index ca79f25cc44..225517ac69b 100644
"sun.security.rsa.PSSParameters", null);
}
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-index 6ffdfeda18d..775b185fb06 100644
+index 6ffdfeda18d..82e896170f0 100644
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -32,6 +32,7 @@ import java.security.cert.*;
@@ -1901,124 +2205,311 @@ index 6ffdfeda18d..775b185fb06 100644
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
-@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- private static final List<CipherSuite> serverDefaultCipherSuites;
-
- static {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10,
-- ProtocolVersion.SSL30,
-- ProtocolVersion.SSL20Hello
-- );
--
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10,
-+ ProtocolVersion.SSL30,
-+ ProtocolVersion.SSL20Hello
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
+diff --git a/src/java.base/share/classes/sun/security/util/PBEUtil.java b/src/java.base/share/classes/sun/security/util/PBEUtil.java
+new file mode 100644
+index 00000000000..dc8bc72fccb
+--- /dev/null
++++ b/src/java.base/share/classes/sun/security/util/PBEUtil.java
+@@ -0,0 +1,297 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.util;
++
++import java.security.AlgorithmParameters;
++import java.security.InvalidAlgorithmParameterException;
++import java.security.InvalidKeyException;
++import java.security.Key;
++import java.security.NoSuchAlgorithmException;
++import java.security.Provider;
++import java.security.SecureRandom;
++import java.security.spec.AlgorithmParameterSpec;
++import java.security.spec.InvalidParameterSpecException;
++import java.util.Arrays;
++import javax.crypto.Cipher;
++import javax.crypto.SecretKey;
++import javax.crypto.spec.IvParameterSpec;
++import javax.crypto.spec.PBEKeySpec;
++import javax.crypto.spec.PBEParameterSpec;
++
++public final class PBEUtil {
++
++ // Used by SunJCE and SunPKCS11
++ public final static class PBES2Helper {
++ private int iCount;
++ private byte[] salt;
++ private IvParameterSpec ivSpec;
++ private final int defaultSaltLength;
++ private final int defaultCount;
++
++ public PBES2Helper(int defaultSaltLength, int defaultCount) {
++ this.defaultSaltLength = defaultSaltLength;
++ this.defaultCount = defaultCount;
++ }
++
++ public IvParameterSpec getIvSpec() {
++ return ivSpec;
++ }
++
++ public AlgorithmParameters getAlgorithmParameters(
++ int blkSize, String pbeAlgo, Provider p, SecureRandom random) {
++ AlgorithmParameters params = null;
++ if (salt == null) {
++ // generate random salt and use default iteration count
++ salt = new byte[defaultSaltLength];
++ random.nextBytes(salt);
++ iCount = defaultCount;
+ }
-
- supportedCipherSuites = getApplicableSupportedCipherSuites(
- supportedProtocols);
-@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- ProtocolVersion[] candidates;
- if (refactored.isEmpty()) {
- // Client and server use the same default protocols.
-- candidates = new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- };
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
++ if (ivSpec == null) {
++ // generate random IV
++ byte[] ivBytes = new byte[blkSize];
++ random.nextBytes(ivBytes);
++ ivSpec = new IvParameterSpec(ivBytes);
++ }
++ PBEParameterSpec pbeSpec = new PBEParameterSpec(
++ salt, iCount, ivSpec);
++ try {
++ params = (p == null) ?
++ AlgorithmParameters.getInstance(pbeAlgo) :
++ AlgorithmParameters.getInstance(pbeAlgo, p);
++ params.init(pbeSpec);
++ } catch (NoSuchAlgorithmException nsae) {
++ // should never happen
++ throw new RuntimeException("AlgorithmParameters for "
++ + pbeAlgo + " not configured");
++ } catch (InvalidParameterSpecException ipse) {
++ // should never happen
++ throw new RuntimeException("PBEParameterSpec not supported");
++ }
++ return params;
++ }
++
++ public PBEKeySpec getPBEKeySpec(
++ int blkSize, int keyLength, int opmode, Key key,
++ AlgorithmParameterSpec params, SecureRandom random)
++ throws InvalidKeyException, InvalidAlgorithmParameterException {
++
++ if (key == null) {
++ throw new InvalidKeyException("Null key");
++ }
++
++ byte[] passwdBytes = key.getEncoded();
++ char[] passwdChars = null;
++ PBEKeySpec pbeSpec;
++ try {
++ if ((passwdBytes == null) || !(key.getAlgorithm().regionMatches(
++ true, 0, "PBE", 0, 3))) {
++ throw new InvalidKeyException("Missing password");
++ }
++
++ // TBD: consolidate the salt, ic and IV parameter checks below
++
++ // Extract salt and iteration count from the key, if present
++ if (key instanceof javax.crypto.interfaces.PBEKey) {
++ salt = ((javax.crypto.interfaces.PBEKey)key).getSalt();
++ if (salt != null && salt.length < 8) {
++ throw new InvalidAlgorithmParameterException(
++ "Salt must be at least 8 bytes long");
++ }
++ iCount = ((javax.crypto.interfaces.PBEKey)key)
++ .getIterationCount();
++ if (iCount == 0) {
++ iCount = defaultCount;
++ } else if (iCount < 0) {
++ throw new InvalidAlgorithmParameterException(
++ "Iteration count must be a positive number");
++ }
++ }
++
++ // Extract salt, iteration count and IV from the params,
++ // if present
++ if (params == null) {
++ if (salt == null) {
++ // generate random salt and use default iteration count
++ salt = new byte[defaultSaltLength];
++ random.nextBytes(salt);
++ iCount = defaultCount;
++ }
++ if ((opmode == Cipher.ENCRYPT_MODE) ||
++ (opmode == Cipher.WRAP_MODE)) {
++ // generate random IV
++ byte[] ivBytes = new byte[blkSize];
++ random.nextBytes(ivBytes);
++ ivSpec = new IvParameterSpec(ivBytes);
++ }
+ } else {
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
++ if (!(params instanceof PBEParameterSpec)) {
++ throw new InvalidAlgorithmParameterException
++ ("Wrong parameter type: PBE expected");
++ }
++ // salt and iteration count from the params take precedence
++ byte[] specSalt = ((PBEParameterSpec) params).getSalt();
++ if (specSalt != null && specSalt.length < 8) {
++ throw new InvalidAlgorithmParameterException(
++ "Salt must be at least 8 bytes long");
++ }
++ salt = specSalt;
++ int specICount = ((PBEParameterSpec) params)
++ .getIterationCount();
++ if (specICount == 0) {
++ specICount = defaultCount;
++ } else if (specICount < 0) {
++ throw new InvalidAlgorithmParameterException(
++ "Iteration count must be a positive number");
++ }
++ iCount = specICount;
++
++ AlgorithmParameterSpec specParams =
++ ((PBEParameterSpec) params).getParameterSpec();
++ if (specParams != null) {
++ if (specParams instanceof IvParameterSpec) {
++ ivSpec = (IvParameterSpec)specParams;
++ } else {
++ throw new InvalidAlgorithmParameterException(
++ "Wrong parameter type: IV expected");
++ }
++ } else if ((opmode == Cipher.ENCRYPT_MODE) ||
++ (opmode == Cipher.WRAP_MODE)) {
++ // generate random IV
++ byte[] ivBytes = new byte[blkSize];
++ random.nextBytes(ivBytes);
++ ivSpec = new IvParameterSpec(ivBytes);
++ } else {
++ throw new InvalidAlgorithmParameterException(
++ "Missing parameter type: IV expected");
++ }
+ }
- } else {
- // Use the customized TLS protocols.
- candidates =
-diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-index 894e26dfad8..8b16378b96b 100644
---- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-@@ -27,6 +27,8 @@ package sun.security.ssl;
-
- import java.security.*;
- import java.util.*;
+
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-
- /**
-@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
- "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
- ps("SSLContext", "TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-- ps("SSLContext", "TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ ps("SSLContext", "TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ }
- ps("SSLContext", "TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext",
- List.of("SSL"), null);
++ passwdChars = new char[passwdBytes.length];
++ for (int i = 0; i < passwdChars.length; i++)
++ passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
++
++ pbeSpec = new PBEKeySpec(passwdChars, salt, iCount, keyLength);
++ // password char[] was cloned in PBEKeySpec constructor,
++ // so we can zero it out here
++ } finally {
++ if (passwdChars != null) Arrays.fill(passwdChars, '\0');
++ if (passwdBytes != null) Arrays.fill(passwdBytes, (byte)0x00);
++ }
++ return pbeSpec;
++ }
++
++ public static AlgorithmParameterSpec getParameterSpec(
++ AlgorithmParameters params)
++ throws InvalidAlgorithmParameterException {
++ AlgorithmParameterSpec pbeSpec = null;
++ if (params != null) {
++ try {
++ pbeSpec = params.getParameterSpec(PBEParameterSpec.class);
++ } catch (InvalidParameterSpecException ipse) {
++ throw new InvalidAlgorithmParameterException(
++ "Wrong parameter type: PBE expected");
++ }
++ }
++ return pbeSpec;
++ }
++ }
++
++ // Used by SunJCE and SunPKCS11
++ public static PBEKeySpec getPBAKeySpec(Key key, AlgorithmParameterSpec params)
++ throws InvalidKeyException, InvalidAlgorithmParameterException {
++ char[] passwdChars;
++ byte[] salt = null;
++ int iCount = 0;
++ if (key instanceof javax.crypto.interfaces.PBEKey) {
++ javax.crypto.interfaces.PBEKey pbeKey =
++ (javax.crypto.interfaces.PBEKey) key;
++ passwdChars = pbeKey.getPassword();
++ salt = pbeKey.getSalt(); // maybe null if unspecified
++ iCount = pbeKey.getIterationCount(); // maybe 0 if unspecified
++ } else if (key instanceof SecretKey) {
++ byte[] passwdBytes;
++ if (!(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3)) ||
++ (passwdBytes = key.getEncoded()) == null) {
++ throw new InvalidKeyException("Missing password");
++ }
++ passwdChars = new char[passwdBytes.length];
++ for (int i=0; i<passwdChars.length; i++) {
++ passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
++ }
++ Arrays.fill(passwdBytes, (byte)0x00);
++ } else {
++ throw new InvalidKeyException("SecretKey of PBE type required");
++ }
++
++ try {
++ if (params == null) {
++ // should not auto-generate default values since current
++ // javax.crypto.Mac api does not have any method for caller to
++ // retrieve the generated defaults.
++ if ((salt == null) || (iCount == 0)) {
++ throw new InvalidAlgorithmParameterException
++ ("PBEParameterSpec required for salt and iteration count");
++ }
++ } else if (!(params instanceof PBEParameterSpec)) {
++ throw new InvalidAlgorithmParameterException
++ ("PBEParameterSpec type required");
++ } else {
++ PBEParameterSpec pbeParams = (PBEParameterSpec) params;
++ // make sure the parameter values are consistent
++ if (salt != null) {
++ if (!Arrays.equals(salt, pbeParams.getSalt())) {
++ throw new InvalidAlgorithmParameterException
++ ("Inconsistent value of salt between key and params");
++ }
++ } else {
++ salt = pbeParams.getSalt();
++ }
++ if (iCount != 0) {
++ if (iCount != pbeParams.getIterationCount()) {
++ throw new InvalidAlgorithmParameterException
++ ("Different iteration count between key and params");
++ }
++ } else {
++ iCount = pbeParams.getIterationCount();
++ }
++ }
++ // For security purpose, we need to enforce a minimum length
++ // for salt; just require the minimum salt length to be 8-byte
++ // which is what PKCS#5 recommends and openssl does.
++ if (salt.length < 8) {
++ throw new InvalidAlgorithmParameterException
++ ("Salt must be at least 8 bytes long");
++ }
++ if (iCount <= 0) {
++ throw new InvalidAlgorithmParameterException
++ ("IterationCount must be a positive number");
++ }
++ return new PBEKeySpec(passwdChars, salt, iCount);
++ } finally {
++ Arrays.fill(passwdChars, '\0');
++ }
++ }
++}
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 6d91e3f8e4e..adfaf57d29e 100644
+index 6d91e3f8e4e..f357b630460 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
@@ -2045,7 +2536,7 @@ index 6d91e3f8e4e..adfaf57d29e 100644
+#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
-+fips.keystore.type=PKCS11
++fips.keystore.type=pkcs12
+
#
# Controls compatibility mode for JKS and PKCS12 keystore types.
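Review bot: The comment above `fips.keystore.type` still says only that this is the default keystore type under FIPS crypto-policies, while the value moves from `PKCS11` to `pkcs12`, that is, from a token-backed store to a password-protected file. I would record the reason in the property comment, for example `# pkcs12 relies on the PBE algorithms that SunPKCS11 provides in FIPS mode.`, if that is indeed the dependency; the PBE additions elsewhere in this patch suggest so, but it is not stated here. Deployments that counted on the previous default to keep key material on the PKCS #11 token would see a behaviour change, so it is worth calling out in the package changelog as well.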
@@ -2794,7 +3285,7 @@ index 00000000000..8cfa2734d4e
+ }
+}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index 9b69072280e..babf19d7157 100644
+index 9b69072280e..5696b904979 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -37,6 +37,8 @@ import javax.crypto.*;
@@ -2816,7 +3307,18 @@ index 9b69072280e..babf19d7157 100644
private static final long serialVersionUID = -2575874101938349339L;
private static final String PUBLIC = "public";
-@@ -379,7 +384,9 @@ abstract class P11Key implements Key, Length {
+@@ -136,9 +141,7 @@ abstract class P11Key implements Key, Length {
+ this.tokenObject = tokenObject;
+ this.sensitive = sensitive;
+ this.extractable = extractable;
+- char[] tokenLabel = this.token.tokenInfo.label;
+- boolean isNSS = (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
+- && tokenLabel[2] == 'S');
++ boolean isNSS = P11Util.isNSS(this.token);
+ boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS &&
+ extractable && !tokenObject);
+ this.keyIDHolder = new NativeKeyHolder(this, keyID, session,
+@@ -379,7 +382,9 @@ abstract class P11Key implements Key, Length {
new CK_ATTRIBUTE(CKA_SENSITIVE),
new CK_ATTRIBUTE(CKA_EXTRACTABLE),
});
@@ -2827,7 +3329,7 @@ index 9b69072280e..babf19d7157 100644
return new P11PrivateKey
(session, keyID, algorithm, keyLength, attributes);
} else {
-@@ -461,7 +468,8 @@ abstract class P11Key implements Key, Length {
+@@ -461,7 +466,8 @@ abstract class P11Key implements Key, Length {
}
public String getFormat() {
token.ensureValid();
@@ -2837,8 +3339,548 @@ index 9b69072280e..babf19d7157 100644
return null;
} else {
return "RAW";
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
+index ba0b7faf3f8..4840a116b34 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java
+@@ -29,14 +29,17 @@ import java.nio.ByteBuffer;
+
+ import java.security.*;
+ import java.security.spec.AlgorithmParameterSpec;
++import java.security.spec.InvalidKeySpecException;
+
+ import javax.crypto.MacSpi;
++import javax.crypto.spec.PBEKeySpec;
+
+ import sun.nio.ch.DirectBuffer;
+
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
++import sun.security.util.PBEUtil;
+
+ /**
+ * MAC implementation class. This class currently supports HMAC using
+@@ -202,12 +205,23 @@ final class P11Mac extends MacSpi {
+ // see JCE spec
+ protected void engineInit(Key key, AlgorithmParameterSpec params)
+ throws InvalidKeyException, InvalidAlgorithmParameterException {
+- if (params != null) {
+- throw new InvalidAlgorithmParameterException
+- ("Parameters not supported");
++ if (algorithm.startsWith("HmacPBE")) {
++ PBEKeySpec pbeSpec = PBEUtil.getPBAKeySpec(key, params);
++ reset(true);
++ try {
++ p11Key = P11SecretKeyFactory.derivePBEKey(
++ token, pbeSpec, algorithm);
++ } catch (InvalidKeySpecException e) {
++ throw new InvalidKeyException(e);
++ }
++ } else {
++ if (params != null) {
++ throw new InvalidAlgorithmParameterException
++ ("Parameters not supported");
++ }
++ reset(true);
++ p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
+ }
+- reset(true);
+- p11Key = P11SecretKeyFactory.convertKey(token, key, algorithm);
+ try {
+ initialize();
+ } catch (PKCS11Exception e) {
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java
+new file mode 100644
+index 00000000000..ae4262703e6
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java
+@@ -0,0 +1,200 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.security.AlgorithmParameters;
++import java.security.Key;
++import java.security.InvalidAlgorithmParameterException;
++import java.security.InvalidKeyException;
++import java.security.NoSuchAlgorithmException;
++import java.security.SecureRandom;
++import java.security.spec.AlgorithmParameterSpec;
++import java.security.spec.InvalidKeySpecException;
++import javax.crypto.BadPaddingException;
++import javax.crypto.CipherSpi;
++import javax.crypto.IllegalBlockSizeException;
++import javax.crypto.NoSuchPaddingException;
++import javax.crypto.ShortBufferException;
++import javax.crypto.spec.PBEKeySpec;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.util.PBEUtil;
++
++final class P11PBECipher extends CipherSpi {
++
++ private static final int DEFAULT_SALT_LENGTH = 20;
++ private static final int DEFAULT_COUNT = 4096;
++
++ private final Token token;
++ private final String pbeAlg;
++ private final P11Cipher cipher;
++ private final int blkSize;
++ private final int keyLen;
++ private final PBEUtil.PBES2Helper pbes2Helper = new PBEUtil.PBES2Helper(
++ DEFAULT_SALT_LENGTH, DEFAULT_COUNT);
++
++ P11PBECipher(Token token, String pbeAlg, long cipherMech)
++ throws PKCS11Exception, NoSuchAlgorithmException {
++ super();
++ String cipherTrans;
++ if (cipherMech == CKM_AES_CBC_PAD || cipherMech == CKM_AES_CBC) {
++ cipherTrans = "AES/CBC/PKCS5Padding";
++ } else {
++ throw new NoSuchAlgorithmException(
++ "Cipher transformation not supported.");
++ }
++ cipher = new P11Cipher(token, cipherTrans, cipherMech);
++ blkSize = cipher.engineGetBlockSize();
++ assert P11Util.kdfDataMap.get(pbeAlg) != null;
++ keyLen = P11Util.kdfDataMap.get(pbeAlg).keyLen;
++ this.pbeAlg = pbeAlg;
++ this.token = token;
++ }
++
++ // see JCE spec
++ @Override
++ protected void engineSetMode(String mode)
++ throws NoSuchAlgorithmException {
++ cipher.engineSetMode(mode);
++ }
++
++ // see JCE spec
++ @Override
++ protected void engineSetPadding(String padding)
++ throws NoSuchPaddingException {
++ cipher.engineSetPadding(padding);
++ }
++
++ // see JCE spec
++ @Override
++ protected int engineGetBlockSize() {
++ return cipher.engineGetBlockSize();
++ }
++
++ // see JCE spec
++ @Override
++ protected int engineGetOutputSize(int inputLen) {
++ return cipher.engineGetOutputSize(inputLen);
++ }
++
++ // see JCE spec
++ @Override
++ protected byte[] engineGetIV() {
++ return cipher.engineGetIV();
++ }
++
++ // see JCE spec
++ @Override
++ protected AlgorithmParameters engineGetParameters() {
++ return pbes2Helper.getAlgorithmParameters(
++ blkSize, pbeAlg, null, JCAUtil.getSecureRandom());
++ }
++
++ // see JCE spec
++ @Override
++ protected void engineInit(int opmode, Key key,
++ SecureRandom random) throws InvalidKeyException {
++ try {
++ engineInit(opmode, key, (AlgorithmParameterSpec) null, random);
++ } catch (InvalidAlgorithmParameterException e) {
++ throw new InvalidKeyException("requires PBE parameters", e);
++ }
++ }
++
++ // see JCE spec
++ @Override
++ protected void engineInit(int opmode, Key key,
++ AlgorithmParameterSpec params, SecureRandom random)
++ throws InvalidKeyException,
++ InvalidAlgorithmParameterException {
++
++ PBEKeySpec pbeSpec = pbes2Helper.getPBEKeySpec(blkSize, keyLen,
++ opmode, key, params, random);
++
++ Key derivedKey;
++ try {
++ derivedKey = P11SecretKeyFactory.derivePBEKey(
++ token, pbeSpec, pbeAlg);
++ } catch (InvalidKeySpecException e) {
++ throw new InvalidKeyException(e);
++ }
++ cipher.engineInit(opmode, derivedKey, pbes2Helper.getIvSpec(), random);
++ }
++
++ // see JCE spec
++ @Override
++ protected void engineInit(int opmode, Key key,
++ AlgorithmParameters params, SecureRandom random)
++ throws InvalidKeyException,
++ InvalidAlgorithmParameterException {
++ engineInit(opmode, key, PBEUtil.PBES2Helper.getParameterSpec(params),
++ random);
++ }
++
++ // see JCE spec
++ @Override
++ protected byte[] engineUpdate(byte[] input, int inputOffset,
++ int inputLen) {
++ return cipher.engineUpdate(input, inputOffset, inputLen);
++ }
++
++ // see JCE spec
++ @Override
++ protected int engineUpdate(byte[] input, int inputOffset,
++ int inputLen, byte[] output, int outputOffset)
++ throws ShortBufferException {
++ return cipher.engineUpdate(input, inputOffset, inputLen,
++ output, outputOffset);
++ }
++
++ // see JCE spec
++ @Override
++ protected byte[] engineDoFinal(byte[] input, int inputOffset,
++ int inputLen)
++ throws IllegalBlockSizeException, BadPaddingException {
++ return cipher.engineDoFinal(input, inputOffset, inputLen);
++ }
++
++ // see JCE spec
++ @Override
++ protected int engineDoFinal(byte[] input, int inputOffset,
++ int inputLen, byte[] output, int outputOffset)
++ throws ShortBufferException, IllegalBlockSizeException,
++ BadPaddingException {
++ return cipher.engineDoFinal(input, inputOffset, inputLen, output,
++ outputOffset);
++ }
++
++ // see JCE spec
++ @Override
++ protected int engineGetKeySize(Key key)
++ throws InvalidKeyException {
++ return cipher.engineGetKeySize(key);
++ }
++
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
+index c98960f7fcc..c14319a5356 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
+@@ -31,6 +31,7 @@ import java.security.*;
+ import java.security.spec.*;
+
+ import javax.crypto.*;
++import javax.crypto.interfaces.PBEKey;
+ import javax.crypto.spec.*;
+
+ import static sun.security.pkcs11.TemplateManager.*;
+@@ -193,6 +194,128 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
+ return p11Key;
+ }
+
++ static P11Key derivePBEKey(Token token, PBEKeySpec keySpec, String algo)
++ throws InvalidKeySpecException {
++ token.ensureValid();
++ if (keySpec == null) {
++ throw new InvalidKeySpecException("PBEKeySpec must not be null");
++ }
++ Session session = null;
++ try {
++ session = token.getObjSession();
++ P11Util.KDFData kdfData = P11Util.kdfDataMap.get(algo);
++ CK_MECHANISM ckMech;
++ char[] password = keySpec.getPassword();
++ byte[] salt = keySpec.getSalt();
++ int itCount = keySpec.getIterationCount();
++ int keySize = keySpec.getKeyLength();
++ if (kdfData.keyLen != -1) {
++ if (keySize == 0) {
++ keySize = kdfData.keyLen;
++ } else if (keySize != kdfData.keyLen) {
++ throw new InvalidKeySpecException(
++ "Key length is invalid for " + algo);
++ }
++ }
++
++ if (kdfData.kdfMech == CKM_PKCS5_PBKD2) {
++ CK_VERSION p11Ver = token.p11.getInfo().cryptokiVersion;
++ if (P11Util.isNSS(token) || p11Ver.major < 2 ||
++ p11Ver.major == 2 && p11Ver.minor < 40) {
++ // NSS keeps using the old structure beyond PKCS #11 v2.40
++ ckMech = new CK_MECHANISM(kdfData.kdfMech,
++ new CK_PKCS5_PBKD2_PARAMS(password, salt,
++ itCount, kdfData.prfMech));
++ } else {
++ ckMech = new CK_MECHANISM(kdfData.kdfMech,
++ new CK_PKCS5_PBKD2_PARAMS2(password, salt,
++ itCount, kdfData.prfMech));
++ }
++ } else {
++ // PKCS #12 "General Method" PBKD (RFC 7292, Appendix B.2)
++ if (P11Util.isNSS(token)) {
++ // According to PKCS #11, "password" in CK_PBE_PARAMS has
++ // a CK_UTF8CHAR_PTR type. This suggests that it is encoded
++ // in UTF-8. However, NSS expects the password to be encoded
++ // as BMPString with a NULL terminator when C_GenerateKey
++ // is called for a PKCS #12 "General Method" derivation
++ // (see RFC 7292, Appendix B.1).
++ //
++ // The char size in Java is 2 bytes. When a char is
++ // converted to a CK_UTF8CHAR, the high-order byte is
++ // discarded (see jCharArrayToCKUTF8CharArray in
++ // p11_util.c). In order to have a BMPString passed to
++ // C_GenerateKey, we need to account for that and expand:
++ // the high and low parts of each char are split into 2
++ // chars. As an example, this is the transformation for
++ // a NULL terminated password "a":
++ // char[] => [ 0x0061, 0x0000 ]
++ // / \ / \
++ // Expansion => [0x0000, 0x0061, 0x0000, 0x0000]
++ // | | | |
++ // BMPString => [ 0x00, 0x61, 0x00, 0x00]
++ //
++ int inputLength = (password == null) ? 0 : password.length;
++ char[] expPassword = new char[inputLength * 2 + 2];
++ for (int i = 0, j = 0; i < inputLength; i++, j += 2) {
++ expPassword[j] = (char) ((password[i] >>> 8) & 0xFF);
++ expPassword[j + 1] = (char) (password[i] & 0xFF);
++ }
++ password = expPassword;
++ }
++ ckMech = new CK_MECHANISM(kdfData.kdfMech,
++ new CK_PBE_PARAMS(password, salt, itCount));
++ }
++
++ long keyType = getKeyType(kdfData.keyAlgo);
++ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[
++ switch (kdfData.op) {
++ case ENCRYPTION, AUTHENTICATION -> 4;
++ case GENERIC -> 5;
++ }];
++ attrs[0] = new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY);
++ attrs[1] = new CK_ATTRIBUTE(CKA_VALUE_LEN, keySize >> 3);
++ attrs[2] = new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType);
++ switch (kdfData.op) {
++ case ENCRYPTION -> attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE;
++ case AUTHENTICATION -> attrs[3] = CK_ATTRIBUTE.SIGN_TRUE;
++ case GENERIC -> {
++ attrs[3] = CK_ATTRIBUTE.ENCRYPT_TRUE;
++ attrs[4] = CK_ATTRIBUTE.SIGN_TRUE;
++ }
++ }
++ CK_ATTRIBUTE[] attr = token.getAttributes(
++ O_GENERATE, CKO_SECRET_KEY, keyType, attrs);
++ long keyID = token.p11.C_GenerateKey(session.id(), ckMech, attr);
++ return (P11Key)P11Key.secretKey(
++ session, keyID, kdfData.keyAlgo, keySize, attr);
++ } catch (PKCS11Exception e) {
++ throw new InvalidKeySpecException("Could not create key", e);
++ } finally {
++ token.releaseSession(session);
++ }
++ }
++
++ static P11Key derivePBEKey(Token token, PBEKey key, String algo)
++ throws InvalidKeyException {
++ token.ensureValid();
++ if (key == null) {
++ throw new InvalidKeyException("PBEKey must not be null");
++ }
++ P11Key p11Key = token.secretCache.get(key);
++ if (p11Key != null) {
++ return p11Key;
++ }
++ try {
++ p11Key = derivePBEKey(token, new PBEKeySpec(key.getPassword(),
++ key.getSalt(), key.getIterationCount()), algo);
++ } catch (InvalidKeySpecException e) {
++ throw new InvalidKeyException(e);
++ }
++ token.secretCache.put(key, p11Key);
++ return p11Key;
++ }
++
+ static void fixDESParity(byte[] key, int offset) {
+ for (int i = 0; i < 8; i++) {
+ int b = key[offset] & 0xfe;
+@@ -319,6 +442,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
+ keySpec = new SecretKeySpec(keyBytes, "DESede");
+ return engineGenerateSecret(keySpec);
+ }
++ } else if (keySpec instanceof PBEKeySpec) {
++ return (SecretKey)derivePBEKey(token,
++ (PBEKeySpec)keySpec, algorithm);
+ }
+ throw new InvalidKeySpecException
+ ("Unsupported spec: " + keySpec.getClass().getName());
+@@ -372,6 +498,9 @@ final class P11SecretKeyFactory extends SecretKeyFactorySpi {
+ // see JCE spec
+ protected SecretKey engineTranslateKey(SecretKey key)
+ throws InvalidKeyException {
++ if (key instanceof PBEKey) {
++ return (SecretKey)derivePBEKey(token, (PBEKey)key, algorithm);
++ }
+ return (SecretKey)convertKey(token, key, algorithm);
+ }
+
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
+index 262cfc062ad..72b64f72c0a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java
+@@ -27,6 +27,10 @@ package sun.security.pkcs11;
+
+ import java.math.BigInteger;
+ import java.security.*;
++import java.util.HashMap;
++import java.util.Map;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+ /**
+ * Collection of static utility methods.
+@@ -40,10 +44,106 @@ public final class P11Util {
+
+ private static volatile Provider sun, sunRsaSign, sunJce;
+
++ // Used by PBE
++ static final class KDFData {
++ public enum Operation {ENCRYPTION, AUTHENTICATION, GENERIC}
++ public long kdfMech;
++ public long prfMech;
++ public String keyAlgo;
++ public int keyLen;
++ public Operation op;
++ KDFData(long kdfMech, long prfMech, String keyAlgo,
++ int keyLen, Operation op) {
++ this.kdfMech = kdfMech;
++ this.prfMech = prfMech;
++ this.keyAlgo = keyAlgo;
++ this.keyLen = keyLen;
++ this.op = op;
++ }
++
++ public static void addPbkdf2Data(String algo, long kdfMech,
++ long prfMech) {
++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech,
++ "Generic", -1, Operation.GENERIC));
++ }
++
++ public static void addPbkdf2AesData(String algo, long kdfMech,
++ long prfMech, int keyLen) {
++ kdfDataMap.put(algo, new KDFData(kdfMech, prfMech,
++ "AES", keyLen, Operation.ENCRYPTION));
++ }
++
++ public static void addPkcs12KDData(String algo, long kdfMech,
++ int keyLen) {
++ kdfDataMap.put(algo, new KDFData(kdfMech, -1,
++ "Generic", keyLen, Operation.AUTHENTICATION));
++ }
++ }
++
++ static final Map<String, KDFData> kdfDataMap = new HashMap<>();
++
++ static {
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_128",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 128);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_128",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 128);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_128",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 128);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_128",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 128);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_128",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 128);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA1AndAES_256",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1, 256);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA224AndAES_256",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224, 256);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA256AndAES_256",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256, 256);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA384AndAES_256",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384, 256);
++ KDFData.addPbkdf2AesData("PBEWithHmacSHA512AndAES_256",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512, 256);
++
++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA1",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA1);
++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA224",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA224);
++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA256",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA256);
++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA384",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA384);
++ KDFData.addPbkdf2Data("PBKDF2WithHmacSHA512",
++ CKM_PKCS5_PBKD2, CKP_PKCS5_PBKD2_HMAC_SHA512);
++
++ KDFData.addPkcs12KDData("HmacPBESHA1",
++ CKM_PBA_SHA1_WITH_SHA1_HMAC, 160);
++ KDFData.addPkcs12KDData("HmacPBESHA224",
++ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, 224);
++ KDFData.addPkcs12KDData("HmacPBESHA256",
++ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, 256);
++ KDFData.addPkcs12KDData("HmacPBESHA384",
++ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, 384);
++ KDFData.addPkcs12KDData("HmacPBESHA512",
++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
++ KDFData.addPkcs12KDData("HmacPBESHA512/224",
++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
++ KDFData.addPkcs12KDData("HmacPBESHA512/256",
++ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, 512);
++ }
++
+ private P11Util() {
+ // empty
+ }
+
++ static boolean isNSS(Token token) {
++ char[] tokenLabel = token.tokenInfo.label;
++ if (tokenLabel != null && tokenLabel.length >= 3) {
++ return (tokenLabel[0] == 'N' && tokenLabel[1] == 'S'
++ && tokenLabel[2] == 'S');
++ }
++ return false;
++ }
++
+ static Provider getSunProvider() {
+ Provider p = sun;
+ if (p == null) {
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 112b639aa96..5549cd9ed4e 100644
+index 112b639aa96..3e170b4c115 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
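Review bot: The password copies made in `P11SecretKeyFactory.derivePBEKey(Token, PBEKeySpec, String)` are never cleared: `keySpec.getPassword()` returns a fresh `char[]`, and in the NSS PKCS #12 branch it is replaced by `expPassword` without either array being zeroed, whereas `PBEUtil` in this same patch wipes its password buffers in a `finally`. I would declare `password` before the `try`, wipe the original clone before `password = expPassword;`, and add `if (password != null) Arrays.fill(password, '\0');` to the existing `finally` next to `token.releaseSession(session)`. The `PBEKey` overload has the same gap: the array from `key.getPassword()` and the temporary `PBEKeySpec` it builds are dropped without `Arrays.fill` or `clearPassword()`. The callers in `P11Mac.engineInit` and `P11PBECipher.engineInit` likewise never call `pbeSpec.clearPassword()` once the key has been derived. This assumes the `CK_*_PARAMS` wrappers are not read again after `C_GenerateKey` returns, which is not visible in this hunk.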
@@ -2918,7 +3960,7 @@ index 112b639aa96..5549cd9ed4e 100644
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
-@@ -339,7 +383,8 @@ public final class SunPKCS11 extends AuthProvider {
+@@ -339,11 +383,12 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
@@ -2928,6 +3970,11 @@ index 112b639aa96..5549cd9ed4e 100644
}
p11 = tmpPKCS11;
+- CK_INFO p11Info = p11.C_GetInfo();
++ CK_INFO p11Info = p11.getInfo();
+ if (p11Info.cryptokiVersion.major < 2) {
+ throw new ProviderException("Only PKCS#11 v2.0 and later "
+ + "supported, library version is v" + p11Info.cryptokiVersion);
@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
@@ -2953,8 +4000,588 @@ index 112b639aa96..5549cd9ed4e 100644
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
+@@ -417,14 +480,19 @@ public final class SunPKCS11 extends AuthProvider {
+ final String className;
+ final List<String> aliases;
+ final int[] mechanisms;
++ final int[] requiredMechs;
+
++ // mechanisms is a list of possible mechanisms that implement the
++ // algorithm, at least one of them must be available. requiredMechs
++ // is a list of auxiliary mechanisms, all of them must be available
+ private Descriptor(String type, String algorithm, String className,
+- List<String> aliases, int[] mechanisms) {
++ List<String> aliases, int[] mechanisms, int[] requiredMechs) {
+ this.type = type;
+ this.algorithm = algorithm;
+ this.className = className;
+ this.aliases = aliases;
+ this.mechanisms = mechanisms;
++ this.requiredMechs = requiredMechs;
+ }
+ private P11Service service(Token token, int mechanism) {
+ return new P11Service
+@@ -458,18 +526,29 @@ public final class SunPKCS11 extends AuthProvider {
+
+ private static void d(String type, String algorithm, String className,
+ int[] m) {
+- register(new Descriptor(type, algorithm, className, null, m));
++ register(new Descriptor(type, algorithm, className, null, m, null));
+ }
+
+ private static void d(String type, String algorithm, String className,
+ List<String> aliases, int[] m) {
+- register(new Descriptor(type, algorithm, className, aliases, m));
++ register(new Descriptor(type, algorithm, className, aliases, m, null));
++ }
++
++ private static void d(String type, String algorithm, String className,
++ int[] m, int[] requiredMechs) {
++ register(new Descriptor(type, algorithm, className, null, m,
++ requiredMechs));
++ }
++ private static void dA(String type, String algorithm, String className,
++ int[] m, int[] requiredMechs) {
++ register(new Descriptor(type, algorithm, className,
++ getAliases(algorithm), m, requiredMechs));
+ }
+
+ private static void dA(String type, String algorithm, String className,
+ int[] m) {
+ register(new Descriptor(type, algorithm, className,
+- getAliases(algorithm), m));
++ getAliases(algorithm), m, null));
+ }
+
+ private static void register(Descriptor d) {
+@@ -525,6 +604,7 @@ public final class SunPKCS11 extends AuthProvider {
+ String P11Cipher = "sun.security.pkcs11.P11Cipher";
+ String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
+ String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
++ String P11PBECipher = "sun.security.pkcs11.P11PBECipher";
+ String P11Signature = "sun.security.pkcs11.P11Signature";
+ String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
+
+@@ -587,6 +667,30 @@ public final class SunPKCS11 extends AuthProvider {
+ d(MAC, "SslMacSHA1", P11Mac,
+ m(CKM_SSL3_SHA1_MAC));
+
++ if (systemFipsEnabled) {
++ /*
++ * PBA HMacs
++ *
++ * KeyDerivationMech must be supported
++ * for these services to be available.
++ *
++ */
++ d(MAC, "HmacPBESHA1", P11Mac, m(CKM_SHA_1_HMAC),
++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
++ d(MAC, "HmacPBESHA224", P11Mac, m(CKM_SHA224_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA256", P11Mac, m(CKM_SHA256_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA384", P11Mac, m(CKM_SHA384_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA512", P11Mac, m(CKM_SHA512_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA512/224", P11Mac, m(CKM_SHA512_224_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(MAC, "HmacPBESHA512/256", P11Mac, m(CKM_SHA512_256_HMAC),
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ }
++
+ d(KPG, "RSA", P11KeyPairGenerator,
+ getAliases("PKCS1"),
+ m(CKM_RSA_PKCS_KEY_PAIR_GEN));
+@@ -685,6 +789,66 @@ public final class SunPKCS11 extends AuthProvider {
+ d(SKF, "ChaCha20", P11SecretKeyFactory,
+ m(CKM_CHACHA20_POLY1305));
+
++ if (systemFipsEnabled) {
++ /*
++ * PBE Secret Key Factories
++ *
++ * KeyDerivationPrf must be supported for these services
++ * to be available.
++ *
++ */
++ d(SKF, "PBEWithHmacSHA1AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
++ d(SKF, "PBEWithHmacSHA224AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
++ d(SKF, "PBEWithHmacSHA256AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
++ d(SKF, "PBEWithHmacSHA384AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
++ d(SKF, "PBEWithHmacSHA512AndAES_128",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
++ d(SKF, "PBEWithHmacSHA1AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
++ d(SKF, "PBEWithHmacSHA224AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
++ d(SKF, "PBEWithHmacSHA256AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
++ d(SKF, "PBEWithHmacSHA384AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
++ d(SKF, "PBEWithHmacSHA512AndAES_256",
++ P11SecretKeyFactory, m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
++ /*
++ * PBA Secret Key Factories
++ */
++ d(SKF, "HmacPBESHA1", P11SecretKeyFactory,
++ m(CKM_PBA_SHA1_WITH_SHA1_HMAC));
++ d(SKF, "HmacPBESHA224", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA256", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA384", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA512", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA512/224", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ d(SKF, "HmacPBESHA512/256", P11SecretKeyFactory,
++ m(CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN));
++ /*
++ * PBKDF2 Secret Key Factories
++ */
++ dA(SKF, "PBKDF2WithHmacSHA1", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA_1_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA224", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA224_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA256", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA256_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA384", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA384_HMAC));
++ d(SKF, "PBKDF2WithHmacSHA512", P11SecretKeyFactory,
++ m(CKM_PKCS5_PBKD2), m(CKM_SHA512_HMAC));
++ }
++
+ // XXX attributes for Ciphers (supported modes, padding)
+ dA(CIP, "ARCFOUR", P11Cipher,
+ m(CKM_RC4));
+@@ -754,6 +918,46 @@ public final class SunPKCS11 extends AuthProvider {
+ d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
+ m(CKM_RSA_X_509));
+
++ if (systemFipsEnabled) {
++ /*
++ * PBE Ciphers
++ *
++ * KeyDerivationMech and KeyDerivationPrf must be supported
++ * for these services to be available.
++ *
++ */
++ d(CIP, "PBEWithHmacSHA1AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
++ d(CIP, "PBEWithHmacSHA224AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
++ d(CIP, "PBEWithHmacSHA256AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
++ d(CIP, "PBEWithHmacSHA384AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
++ d(CIP, "PBEWithHmacSHA512AndAES_128", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
++ d(CIP, "PBEWithHmacSHA1AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA_1_HMAC));
++ d(CIP, "PBEWithHmacSHA224AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA224_HMAC));
++ d(CIP, "PBEWithHmacSHA256AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA256_HMAC));
++ d(CIP, "PBEWithHmacSHA384AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA384_HMAC));
++ d(CIP, "PBEWithHmacSHA512AndAES_256", P11PBECipher,
++ m(CKM_AES_CBC_PAD, CKM_AES_CBC),
++ m(CKM_PKCS5_PBKD2, CKM_SHA512_HMAC));
++ }
++
+ d(SIG, "RawDSA", P11Signature,
+ List.of("NONEwithDSA"),
+ m(CKM_DSA));
+@@ -1144,9 +1348,21 @@ public final class SunPKCS11 extends AuthProvider {
+ if (ds == null) {
+ continue;
+ }
++ descLoop:
+ for (Descriptor d : ds) {
+ Integer oldMech = supportedAlgs.get(d);
+ if (oldMech == null) {
++ if (d.requiredMechs != null) {
++ // Check that other mechanisms required for the
++ // service are supported before listing it as
++ // available for the first time.
++ for (int requiredMech : d.requiredMechs) {
++ if (token.getMechanismInfo(
++ requiredMech & 0xFFFFFFFFL) == null) {
++ continue descLoop;
++ }
++ }
++ }
+ supportedAlgs.put(d, integerMech);
+ continue;
+ }
+@@ -1244,6 +1460,8 @@ public final class SunPKCS11 extends AuthProvider {
+ } else if (algorithm.endsWith("GCM/NoPadding") ||
+ algorithm.startsWith("ChaCha20-Poly1305")) {
+ return new P11AEADCipher(token, algorithm, mechanism);
++ } else if (algorithm.startsWith("PBE")) {
++ return new P11PBECipher(token, algorithm, mechanism);
+ } else {
+ return new P11Cipher(token, algorithm, mechanism);
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
+index 88ff8a71fc3..47a2f97eddf 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java
+@@ -100,9 +100,9 @@ public class CK_ECDH1_DERIVE_PARAMS {
+ }
+
+ /**
+- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++ * Returns the string representation of CK_ECDH1_DERIVE_PARAMS.
+ *
+- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++ * @return the string representation of CK_ECDH1_DERIVE_PARAMS
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
+index 0c9ebb289c1..b4b2448464d 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
+@@ -160,6 +160,18 @@ public class CK_MECHANISM {
+ init(mechanism, params);
+ }
+
++ public CK_MECHANISM(long mechanism, CK_PBE_PARAMS params) {
++ init(mechanism, params);
++ }
++
++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS params) {
++ init(mechanism, params);
++ }
++
++ public CK_MECHANISM(long mechanism, CK_PKCS5_PBKD2_PARAMS2 params) {
++ init(mechanism, params);
++ }
++
+ // For PSS. the parameter may be set multiple times, use the
+ // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS)
+ // methods instead of creating yet another constructor
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
+index e8b048869c4..a25fa1c39e5 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
+@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper;
+
+
+ /**
+- * class CK_PBE_PARAMS provides all of the necessary information required byte
++ * class CK_PBE_PARAMS provides all the necessary information required by
+ * the CKM_PBE mechanisms and the CKM_PBA_SHA1_WITH_SHA1_HMAC mechanism.<p>
+ * <B>PKCS#11 structure:</B>
+ * <PRE>
+ * typedef struct CK_PBE_PARAMS {
+- * CK_CHAR_PTR pInitVector;
+- * CK_CHAR_PTR pPassword;
++ * CK_BYTE_PTR pInitVector;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+- * CK_CHAR_PTR pSalt;
++ * CK_BYTE_PTR pSalt;
+ * CK_ULONG ulSaltLen;
+ * CK_ULONG ulIteration;
+ * } CK_PBE_PARAMS;
+@@ -72,15 +72,15 @@ public class CK_PBE_PARAMS {
+ /**
+ * <B>PKCS#11:</B>
+ * <PRE>
+- * CK_CHAR_PTR pInitVector;
++ * CK_BYTE_PTR pInitVector;
+ * </PRE>
+ */
+- public char[] pInitVector;
++ public byte[] pInitVector;
+
+ /**
+ * <B>PKCS#11:</B>
+ * <PRE>
+- * CK_CHAR_PTR pPassword;
++ * CK_UTF8CHAR_PTR pPassword;
+ * CK_ULONG ulPasswordLen;
+ * </PRE>
+ */
+@@ -89,11 +89,11 @@ public class CK_PBE_PARAMS {
+ /**
+ * <B>PKCS#11:</B>
+ * <PRE>
+- * CK_CHAR_PTR pSalt
++ * CK_BYTE_PTR pSalt
+ * CK_ULONG ulSaltLen;
+ * </PRE>
+ */
+- public char[] pSalt;
++ public byte[] pSalt;
+
+ /**
+ * <B>PKCS#11:</B>
+@@ -103,6 +103,12 @@ public class CK_PBE_PARAMS {
+ */
+ public long ulIteration;
+
++ public CK_PBE_PARAMS(char[] pPassword, byte[] pSalt, long ulIteration) {
++ this.pPassword = pPassword;
++ this.pSalt = pSalt;
++ this.ulIteration = ulIteration;
++ }
++
+ /**
+ * Returns the string representation of CK_PBE_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+index fb90bfced27..a01beb0753a 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
+@@ -47,7 +47,7 @@
+
+ package sun.security.pkcs11.wrapper;
+
+-
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+ /**
+ * class CK_PKCS5_PBKD2_PARAMS provides the parameters to the CKM_PKCS5_PBKD2
+@@ -55,13 +55,15 @@ package sun.security.pkcs11.wrapper;
+ * <B>PKCS#11 structure:</B>
+ * <PRE>
+ * typedef struct CK_PKCS5_PBKD2_PARAMS {
+- * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE saltSource;
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ * CK_VOID_PTR pSaltSourceData;
+ * CK_ULONG ulSaltSourceDataLen;
+ * CK_ULONG iterations;
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ * CK_VOID_PTR pPrfData;
+ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG_PTR ulPasswordLen;
+ * } CK_PKCS5_PBKD2_PARAMS;
+ * </PRE>
+ *
+@@ -112,6 +114,24 @@ public class CK_PKCS5_PBKD2_PARAMS {
+ */
+ public byte[] pPrfData;
+
++ /**
++ * <b>PKCS#11:</b>
++ * <pre>
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG_PTR ulPasswordLen;
++ * </pre>
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
+ /**
+ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
+ *
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+new file mode 100644
+index 00000000000..935db656639
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2.java
+@@ -0,0 +1,156 @@
++/*
++ * Copyright (c) 2022, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11.wrapper;
++
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++
++/**
++ * class CK_PKCS5_PBKD2_PARAMS2 provides the parameters to the CKM_PKCS5_PBKD2
++ * mechanism.<p>
++ * <b>PKCS#11 structure:</b>
++ * <pre>
++ * typedef struct CK_PKCS5_PBKD2_PARAMS2 {
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ * CK_ULONG iterations;
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ * CK_UTF8CHAR_PTR pPassword;
++ * CK_ULONG ulPasswordLen;
++ * } CK_PKCS5_PBKD2_PARAMS2;
++ * </pre>
++ *
++ */
++public class CK_PKCS5_PBKD2_PARAMS2 {
++
++ /**
++ * <b>PKCS#11:</b>
++ * <pre>
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ * </pre>
++ */
++ public long saltSource;
++
++ /**
++ * <b>PKCS#11:</b>
++ * <pre>
++ * CK_VOID_PTR pSaltSourceData;
++ * CK_ULONG ulSaltSourceDataLen;
++ * </pre>
++ */
++ public byte[] pSaltSourceData;
++
++ /**
++ * <b>PKCS#11:</b>
++ * <pre>
++ * CK_ULONG iterations;
++ * </pre>
++ */
++ public long iterations;
++
++ /**
++ * <b>PKCS#11:</b>
++ * <pre>
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ * </pre>
++ */
++ public long prf;
++
++ /**
++ * <b>PKCS#11:</b>
++ * <pre>
++ * CK_VOID_PTR pPrfData;
++ * CK_ULONG ulPrfDataLen;
++ * </pre>
++ */
++ public byte[] pPrfData;
++
++ /**
++ * <b>PKCS#11:</b>
++ * <pre>
++ * CK_UTF8CHAR_PTR pPassword
++ * CK_ULONG ulPasswordLen;
++ * </pre>
++ */
++ public char[] pPassword;
++
++ public CK_PKCS5_PBKD2_PARAMS2(char[] pPassword, byte[] pSalt,
++ long iterations, long prf) {
++ this.pPassword = pPassword;
++ this.pSaltSourceData = pSalt;
++ this.iterations = iterations;
++ this.prf = prf;
++ this.saltSource = CKZ_SALT_SPECIFIED;
++ }
++
++ /**
++ * Returns the string representation of CK_PKCS5_PBKD2_PARAMS2.
++ *
++ * @return the string representation of CK_PKCS5_PBKD2_PARAMS2
++ */
++ public String toString() {
++ StringBuilder sb = new StringBuilder();
++
++ sb.append(Constants.INDENT);
++ sb.append("saltSource: ");
++ sb.append(saltSource);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pSaltSourceData: ");
++ sb.append(Functions.toHexString(pSaltSourceData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulSaltSourceDataLen: ");
++ sb.append(pSaltSourceData.length);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("iterations: ");
++ sb.append(iterations);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("prf: ");
++ sb.append(prf);
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("pPrfData: ");
++ sb.append(Functions.toHexString(pPrfData));
++ sb.append(Constants.NEWLINE);
++
++ sb.append(Constants.INDENT);
++ sb.append("ulPrfDataLen: ");
++ sb.append(pPrfData.length);
++
++ return sb.toString();
++ }
++
++}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+index 1f9c4d39f57..5e3c1b9d29f 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java
+@@ -94,9 +94,9 @@ public class CK_X9_42_DH1_DERIVE_PARAMS {
+ public byte[] pPublicData;
+
+ /**
+- * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
++ * Returns the string representation of CK_X9_42_DH1_DERIVE_PARAMS.
+ *
+- * @return the string representation of CK_PKCS5_PBKD2_PARAMS
++ * @return the string representation of CK_X9_42_DH1_DERIVE_PARAMS
+ */
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 5c0aacd1a67..1e98ce2e280 100644
+index 5c0aacd1a67..5fbf8addcba 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
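Review bot: In the new CK_PKCS5_PBKD2_PARAMS2.java section of this hunk, `toString()` dereferences `pPrfData.length` and `pSaltSourceData.length`, but the only constructor added never assigns `pPrfData`, so calling it on a freshly constructed object throws NullPointerException. Any debug or trace path that prints the mechanism parameters would hit this. Guard the lengths, e.g. `sb.append(pPrfData == null ? 0 : pPrfData.length);`, and do the same for the salt; whether `Functions.toHexString` accepts null is not visible here. Leaving `pPassword` out of the string is right, and a one-line comment such as `// pPassword is deliberately not printed` would keep it from being added later.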
@@ -2967,10 +4594,26 @@ index 5c0aacd1a67..1e98ce2e280 100644
import java.util.*;
import java.security.AccessController;
-@@ -150,18 +153,43 @@ public class PKCS11 {
- this.pkcs11ModulePath = pkcs11ModulePath;
- }
+@@ -113,6 +116,8 @@ public class PKCS11 {
+
+ private long pNativeData;
++ private CK_INFO pInfo;
++
+ /**
+ * This method does the initialization of the native library. It is called
+ * exactly once for this class.
+@@ -145,23 +150,49 @@ public class PKCS11 {
+ * @postconditions
+ */
+ PKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ connect(pkcs11ModulePath, functionListName);
+ this.pkcs11ModulePath = pkcs11ModulePath;
++ pInfo = C_GetInfo();
++ }
++
+ /*
+ * Compatibility wrapper to allow this method to work as before
+ * when FIPS mode support is not active.
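Review bot: The `PKCS11` constructor now runs `pInfo = C_GetInfo();` straight after `connect()`, and nothing in this hunk shows the library having been initialized by then; the `omitInitialize` branch in `getInstance` suggests initialization happens only after the object is built. PKCS#11 permits C_GetInfo to fail with CKR_CRYPTOKI_NOT_INITIALIZED, and with the added `throws PKCS11Exception` that failure would abort provider construction on a module that enforces the ordering. If the ordering is as it appears, fill the cache after the initialize step instead, e.g. `pkcs11.pInfo = pkcs11.C_GetInfo();` in `getInstance`, so that `SunPKCS11`'s version check through `p11.getInfo()` does not depend on the library tolerating an early call. The body of `getInstance` continues outside this hunk.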
@@ -2980,8 +4623,8 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ boolean omitInitialize) throws IOException, PKCS11Exception {
+ return getInstance(pkcs11ModulePath, functionList,
+ pInitArgs, omitInitialize, null, null);
-+ }
-+
+ }
+
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
@@ -3014,7 +4657,31 @@ index 5c0aacd1a67..1e98ce2e280 100644
}
if (omitInitialize == false) {
try {
-@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+@@ -179,6 +210,14 @@ public class PKCS11 {
+ return pkcs11;
+ }
+
++ /**
++ * Returns the CK_INFO structure fetched at initialization with
++ * C_GetInfo. This structure represent Cryptoki library information.
++ */
++ public CK_INFO getInfo() {
++ return pInfo;
++ }
++
+ /**
+ * Connects this object to the specified PKCS#11 library. This method is for
+ * internal use only.
+@@ -1625,7 +1664,7 @@ public class PKCS11 {
+ static class SynchronizedPKCS11 extends PKCS11 {
+
+ SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
+- throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ }
+
+@@ -1911,4 +1950,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
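Review bot: The Javadoc on the new `getInfo()` does not say that every call returns the one `CK_INFO` instance cached in the constructor, so a caller cannot tell that the value is shared and never refreshed. It also has no `@return` tag and reads "This structure represent". Suggested wording: `Returns the CK_INFO structure cached from C_GetInfo when this instance was created. The same object is returned on every call and must not be modified.` followed by `@return the cached Cryptoki library information`.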
@@ -3028,7 +4695,7 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ private MethodHandle hC_GetAttributeValue;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ this.fipsKeyExporter = fipsKeyExporter;
@@ -3080,7 +4747,7 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ private MethodHandle hC_GetAttributeValue;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
-+ throws IOException {
++ throws IOException, PKCS11Exception {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ this.fipsKeyExporter = fipsKeyExporter;
@@ -3209,6 +4876,442 @@ index 5c0aacd1a67..1e98ce2e280 100644
+ }
+}
}
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+index d22844cfba8..9e02958b4b0 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
+@@ -1104,17 +1104,6 @@ public interface PKCS11Constants {
+ public static final long CKD_BLAKE2B_384_KDF = 0x00000019L;
+ public static final long CKD_BLAKE2B_512_KDF = 0x0000001aL;
+
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
+- public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
+-
+- public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
+-
+ public static final long CK_OTP_VALUE = 0x00000000L;
+ public static final long CK_OTP_PIN = 0x00000001L;
+ public static final long CK_OTP_CHALLENGE = 0x00000002L;
+@@ -1150,12 +1139,23 @@ public interface PKCS11Constants {
+ public static final long CKF_HKDF_SALT_KEY = 0x00000004L;
+ */
+
++ // PBKDF2 support, used in P11Util
++ public static final long CKZ_SALT_SPECIFIED = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_GOSTR3411 = 0x00000002L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA224 = 0x00000003L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA256 = 0x00000004L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA384 = 0x00000005L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512 = 0x00000006L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_224 = 0x00000007L;
++ public static final long CKP_PKCS5_PBKD2_HMAC_SHA512_256 = 0x00000008L;
++
+ // private NSS attribute (for DSA and DH private keys)
+ public static final long CKA_NETSCAPE_DB = 0xD5A0DB00L;
+
+ // base number of NSS private attributes
+ public static final long CKA_NETSCAPE_BASE /*0x80000000L + 0x4E534350L*/
+- = 0xCE534350L;
++ /* now known as CKM_NSS ^ */ = 0xCE534350L;
+
+ // object type for NSS trust
+ public static final long CKO_NETSCAPE_TRUST = 0xCE534353L;
+@@ -1180,4 +1180,14 @@ public interface PKCS11Constants {
+ = 0xCE534355L;
+ public static final long CKT_NETSCAPE_VALID = 0xCE53435AL;
+ public static final long CKT_NETSCAPE_VALID_DELEGATOR = 0xCE53435BL;
++
++ // Additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29
++ public static final long CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
++ /* (CKM_NSS + 29) */ = 0xCE53436DL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
++ /* (CKM_NSS + 30) */ = 0xCE53436EL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
++ /* (CKM_NSS + 31) */ = 0xCE53436FL;
++ public static final long CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN
++ /* (CKM_NSS + 32) */ = 0xCE534370L;
+ }
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+index 666c5eb9b3b..5523dafcdb4 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
+ break;
+ case CKM_PKCS5_PBKD2:
+@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ // retrieve java values
+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
+ if (jPbeParamsClass == NULL) { return NULL; }
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
+ if (fieldID == NULL) { return NULL; }
+ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+- fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
++ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jSalt = (*env)->GetObjectField(env, jParam, fieldID);
+ fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
+@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+
+ // populate using java values
+ ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+- jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
++ jByteArrayToCKByteArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
++ jCharArrayToCKUTF8CharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
++ jByteArrayToCKByteArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
+ }
+ }
+
++#define PBKD2_PARAM_SET(member, value) \
++ do { \
++ if(ckParamPtr->version == PARAMS) { \
++ ckParamPtr->params.v1.member = value; \
++ } else { \
++ ckParamPtr->params.v2.member = value; \
++ } \
++ } while(0)
++
++#define PBKD2_PARAM_ADDR(member) \
++ ( \
++ (ckParamPtr->version == PARAMS) ? \
++ (void*) &ckParamPtr->params.v1.member : \
++ (void*) &ckParamPtr->params.v2.member \
++ )
++
+ /*
+- * converts the Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * converts a Java CK_PKCS5_PBKD2_PARAMS object to a CK_PKCS5_PBKD2_PARAMS
++ * pointer, or a Java CK_PKCS5_PBKD2_PARAMS2 object to a CK_PKCS5_PBKD2_PARAMS2
+ * pointer
+ *
+- * @param env - used to call JNI funktions to get the Java classes and objects
+- * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
++ * @param env - used to call JNI functions to get the Java classes and objects
++ * @param jParam - the Java object to convert
+ * @param pLength - length of the allocated memory of the returned pointer
+- * @return pointer to the new CK_PKCS5_PBKD2_PARAMS structure
++ * @return pointer to the new structure
+ */
+-CK_PKCS5_PBKD2_PARAMS_PTR
++CK_VOID_PTR
+ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
+ {
+- CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr;
++ VersionedPbkd2ParamsPtr ckParamPtr;
++ ParamVersion paramVersion;
++ CK_ULONG_PTR pUlPasswordLen;
+ jclass jPkcs5Pbkd2ParamsClass;
+ jfieldID fieldID;
+ jlong jSaltSource, jIteration, jPrf;
+- jobject jSaltSourceData, jPrfData;
++ jobject jSaltSourceData, jPrfData, jPassword;
+
+ if (pLength != NULL) {
+ *pLength = 0L;
+ }
+
+ // retrieve java values
+- jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
+- if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
++ if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS;
++ } else if ((jPkcs5Pbkd2ParamsClass =
++ (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2)) != NULL
++ && (*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
++ paramVersion = PARAMS2;
++ } else {
++ return NULL;
++ }
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
+ if (fieldID == NULL) { return NULL; }
+ jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
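Review bot: In the class-detection chain of jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr, a failed first `FindClass` leaves a Java exception pending, and the `else if` then calls `FindClass` again, which JNI does not permit while an exception is pending. Each lookup should be checked on its own and return NULL at once on failure, as the removed code did. The final `else` also returns NULL without raising anything when jParam is an instance of neither class; whether the caller copes with a NULL result and no pending exception is not visible here. The function body continues past this hunk.

```c
    // retrieve java values
    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
    if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
    if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
        paramVersion = PARAMS;
    } else {
        jPkcs5Pbkd2ParamsClass =
                (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS2);
        if (jPkcs5Pbkd2ParamsClass == NULL) { return NULL; }
        if (!(*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
            return NULL;
        }
        paramVersion = PARAMS2;
    }
    // … unchanged: saltSource and the following field lookups …
```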
+@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
+ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
+ if (fieldID == NULL) { return NULL; }
+ jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
++ fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPassword", "[C");
++ if (fieldID == NULL) { return NULL; }
++ jPassword = (*env)->GetObjectField(env, jParam, fieldID);
+
+- // allocate memory for CK_PKCS5_PBKD2_PARAMS pointer
+- ckParamPtr = calloc(1, sizeof(CK_PKCS5_PBKD2_PARAMS));
++ // allocate memory for VersionedPbkd2Params and store the structure version
++ ckParamPtr = calloc(1, sizeof(VersionedPbkd2Params));
+ if (ckParamPtr == NULL) {
+ throwOutOfMemoryError(env, 0);
+ return NULL;
+ }
++ ckParamPtr->version = paramVersion;
+
+ // populate using java values
+- ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+- jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
++ PBKD2_PARAM_SET(saltSource, jLongToCKULong(jSaltSource));
++ jByteArrayToCKByteArray(env, jSaltSourceData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pSaltSourceData),
++ PBKD2_PARAM_ADDR(ulSaltSourceDataLen));
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+- ckParamPtr->iterations = jLongToCKULong(jIteration);
+- ckParamPtr->prf = jLongToCKULong(jPrf);
+- jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *)
+- &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
++ PBKD2_PARAM_SET(iterations, jLongToCKULong(jIteration));
++ PBKD2_PARAM_SET(prf, jLongToCKULong(jPrf));
++ jByteArrayToCKByteArray(env, jPrfData,
++ (CK_BYTE_PTR *) PBKD2_PARAM_ADDR(pPrfData),
++ PBKD2_PARAM_ADDR(ulPrfDataLen));
++ if ((*env)->ExceptionCheck(env)) {
++ goto cleanup;
++ }
++ if (ckParamPtr->version == PARAMS) {
++ pUlPasswordLen = calloc(1, sizeof(CK_ULONG));
++ if (pUlPasswordLen == NULL) {
++ throwOutOfMemoryError(env, 0);
++ goto cleanup;
++ }
++ ckParamPtr->params.v1.ulPasswordLen = pUlPasswordLen;
++ } else {
++ pUlPasswordLen = &ckParamPtr->params.v2.ulPasswordLen;
++ }
++ jCharArrayToCKUTF8CharArray(env, jPassword,
++ (CK_CHAR_PTR *) PBKD2_PARAM_ADDR(pPassword),
++ pUlPasswordLen);
+ if ((*env)->ExceptionCheck(env)) {
+ goto cleanup;
+ }
+
+ if (pLength != NULL) {
+- *pLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
++ *pLength = (ckParamPtr->version == PARAMS ?
++ sizeof(ckParamPtr->params.v1) :
++ sizeof(ckParamPtr->params.v2));
+ }
++ // VersionedPbkd2ParamsPtr is equivalent to CK_PKCS5_PBKD2_PARAMS[2]_PTR
+ return ckParamPtr;
+ cleanup:
+- free(ckParamPtr->pSaltSourceData);
+- free(ckParamPtr->pPrfData);
++ FREE_VERSIONED_PBKD2_MEMBERS(ckParamPtr);
+ free(ckParamPtr);
+ return NULL;
+
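Review bot: The password that `jCharArrayToCKUTF8CharArray` copies into native memory is released with a plain `free()` on the `cleanup:` path (through `FREE_VERSIONED_PBKD2_MEMBERS`), so the plaintext stays in the freed heap block. The same applies to the macro's definition in pkcs11wrapper.h and to `free(((CK_PBE_PARAMS_PTR)tmp)->pPassword)` in freeCKMechanismPtr in p11_util.c. The length is known at each site (`*params.v1.ulPasswordLen` when that pointer is non-NULL, `params.v2.ulPasswordLen`, and `ulPasswordLen` of CK_PBE_PARAMS), so the buffer can be overwritten before it is freed, using a clear that the compiler may not drop as a dead store. Whether the temporary `jTemp` buffer inside the conversion helper is wiped is outside the hunks shown.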
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+index 520bd52a2cd..aa76945283d 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+ case CKM_CAMELLIA_CTR:
+ // params do not contain pointers
+ break;
++ case CKM_PKCS5_PBKD2:
++ // get the versioned structure from behind memory
++ TRACE0(((VersionedPbkd2ParamsPtr)tmp)->version == PARAMS ?
++ "[ CK_PKCS5_PBKD2_PARAMS ]\n" :
++ "[ CK_PKCS5_PBKD2_PARAMS2 ]\n");
++ FREE_VERSIONED_PBKD2_MEMBERS((VersionedPbkd2ParamsPtr)tmp);
++ break;
++ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
++ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
++ free(((CK_PBE_PARAMS_PTR)tmp)->pInitVector);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pPassword);
++ free(((CK_PBE_PARAMS_PTR)tmp)->pSalt);
++ break;
+ default:
+ // currently unsupported mechs by SunPKCS11 provider
+ // CKM_RSA_PKCS_OAEP, CKM_ECMQV_DERIVE,
+ // CKM_X9_42_*, CKM_KEA_DERIVE, CKM_RC2_*, CKM_RC5_*,
+- // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP, CKM_PKCS5_PBKD2,
++ // CKM_SKIPJACK_*, CKM_KEY_WRAP_SET_OAEP,
+ // PBE mechs, WTLS mechs, CMS mechs,
+ // CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
+ // CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
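Review bot: The new `CKM_PKCS5_PBKD2` case reads `((VersionedPbkd2ParamsPtr)tmp)->version`, a field that lies beyond the parameter length reported by jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr, and the comment `get the versioned structure from behind memory` does not say why that is safe. It holds only while `params` stays the first member of VersionedPbkd2Params and every CKM_PKCS5_PBKD2 parameter reaching this function was allocated by that converter; a block of only `sizeof(CK_PKCS5_PBKD2_PARAMS)` would be read out of bounds. I would state the invariant in the comment, e.g. `// tmp was allocated as VersionedPbkd2Params by jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr; the version tag follows the PKCS#11 struct`. Whether other allocation paths exist cannot be told from this hunk, which shows only part of freeCKMechanismPtr.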
+@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
+ jboolean* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
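Review bot: The reworked guard in jBooleanArrayToCKBBoolArray now maps an empty, non-null Java array to `NULL_PTR` with length 0, and nothing records why. Presumably it keeps `calloc(0, ...)`, which may legitimately return NULL, from being reported as an out-of-memory error; a one-line comment such as `// empty array: return NULL_PTR instead of calling calloc(0, ...)` above `if(*ckpLength == 0L)` would make that explicit. The same change and the same missing comment appear in the four following hunks (jByteArrayToCKByteArray, jLongArrayToCKULongArray, jCharArrayToCKCharArray, jCharArrayToCKUTF8CharArray). Callers that used to distinguish a null array from an empty one, for example an empty password, now get the same result, which should be confirmed as intended. The function bodies continue outside the hunks.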
+@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
+ jbyte* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
+ jlong* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
+ jchar* jpTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jpTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
+ jchar* jTemp;
+ CK_ULONG i;
+
+- if(jArray == NULL) {
++ *ckpLength = jArray == NULL ? 0L : (*env)->GetArrayLength(env, jArray);
++ if(*ckpLength == 0L) {
+ *ckpArray = NULL_PTR;
+- *ckpLength = 0L;
+ return;
+ }
+- *ckpLength = (*env)->GetArrayLength(env, jArray);
+ jTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
+ if (jTemp == NULL) {
+ throwOutOfMemoryError(env, 0);
+diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+index eb6d01b9e47..450e4d27d62 100644
+--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
++++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h
+@@ -68,6 +68,7 @@
+ /* extra PKCS#11 constants not in the standard include files */
+
+ #define CKA_NETSCAPE_BASE (0x80000000 + 0x4E534350)
++/* ^ now known as CKM_NSS (CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS) */
+ #define CKA_NETSCAPE_TRUST_BASE (CKA_NETSCAPE_BASE + 0x2000)
+ #define CKA_NETSCAPE_TRUST_SERVER_AUTH (CKA_NETSCAPE_TRUST_BASE + 8)
+ #define CKA_NETSCAPE_TRUST_CLIENT_AUTH (CKA_NETSCAPE_TRUST_BASE + 9)
+@@ -76,6 +77,12 @@
+ #define CKA_NETSCAPE_DB 0xD5A0DB00
+ #define CKM_NSS_TLS_PRF_GENERAL 0x80000373
+
++/* additional PKCS #12 PBE key derivation algorithms defined in NSS v3.29 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKA_NETSCAPE_BASE + 32)
++
+ /*
+
+ Define the PKCS#11 functions to include and exclude. Reduces the size
+@@ -265,6 +272,7 @@ void printDebug(const char *format, ...);
+ #define CLASS_PBE_PARAMS "sun/security/pkcs11/wrapper/CK_PBE_PARAMS"
+ #define PBE_INIT_VECTOR_SIZE 8
+ #define CLASS_PKCS5_PBKD2_PARAMS "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS"
++#define CLASS_PKCS5_PBKD2_PARAMS2 "sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS2"
+ #define CLASS_EXTRACT_PARAMS "sun/security/pkcs11/wrapper/CK_EXTRACT_PARAMS"
+
+ #define CLASS_ECDH1_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS"
+@@ -378,7 +386,7 @@ CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam, CK_MECHANISM
+ CK_RSA_PKCS_OAEP_PARAMS_PTR jRsaPkcsOaepParamToCKRsaPkcsOaepParamPtr(JNIEnv *env,
+ jobject jParam, CK_ULONG* pLength);
+ CK_PBE_PARAMS_PTR jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+-CK_PKCS5_PBKD2_PARAMS_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
++CK_VOID_PTR jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_SSL3_KEY_MAT_PARAMS_PTR jSsl3KeyMatParamToCKSsl3KeyMatParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_KEY_DERIVATION_STRING_DATA jKeyDerivationStringDataToCKKeyDerivationStringData(JNIEnv *env, jobject jParam);
+@@ -388,6 +396,31 @@ CK_ECDH2_DERIVE_PARAMS_PTR jEcdh2DeriveParamToCKEcdh2DeriveParamPtr(JNIEnv *env,
+ CK_X9_42_DH1_DERIVE_PARAMS_PTR jX942Dh1DeriveParamToCKX942Dh1DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+ CK_X9_42_DH2_DERIVE_PARAMS_PTR jX942Dh2DeriveParamToCKX942Dh2DeriveParamPtr(JNIEnv *env, jobject jParam, CK_ULONG* pLength);
+
++/* handling of CK_PKCS5_PBKD2_PARAMS and CK_PKCS5_PBKD2_PARAMS2 */
++typedef enum {PARAMS=0, PARAMS2} ParamVersion;
++
++typedef struct {
++ union {
++ CK_PKCS5_PBKD2_PARAMS v1;
++ CK_PKCS5_PBKD2_PARAMS2 v2;
++ } params;
++ ParamVersion version;
++} VersionedPbkd2Params, *VersionedPbkd2ParamsPtr;
++
++#define FREE_VERSIONED_PBKD2_MEMBERS(verParamsPtr) \
++ do { \
++ if ((verParamsPtr)->version == PARAMS) { \
++ free((verParamsPtr)->params.v1.pSaltSourceData); \
++ free((verParamsPtr)->params.v1.pPrfData); \
++ free((verParamsPtr)->params.v1.pPassword); \
++ free((verParamsPtr)->params.v1.ulPasswordLen); \
++ } else { \
++ free((verParamsPtr)->params.v2.pSaltSourceData); \
++ free((verParamsPtr)->params.v2.pPrfData); \
++ free((verParamsPtr)->params.v2.pPassword); \
++ } \
++ } while(0)
++
+ /* functions to copy the returned values inside CK-mechanism back to Java object */
+
+ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism);
diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
index 8c9e4f9dbe6..883dc04758e 100644
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 654850d..a7e9c14 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -349,7 +349,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
-%global fipsver bb46af07cb9
+%global fipsver 0bd5ca9ccc5
# Standard JPackage naming and versioning defines
%global origin openjdk
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1392,6 +1392,8 @@ Patch7: jdk8292223-tzdata2022b-kyiv.patch
# RH2104724: Avoid import/export of DH private keys
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores
+# RH2020290: Support TLS 1.3 in FIPS mode
Patch1001: fips-17u-%{fipsver}.patch
#############################################
@@ -2621,6 +2623,11 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Aug 29 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-2
+- Update FIPS support to bring in latest changes
+- * RH2048582: Support PKCS#12 keystores
+- * RH2020290: Support TLS 1.3 in FIPS mode
+
* Sun Aug 21 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-1
- Update to jdk-17.0.4.1+1
- Update release notes to 17.0.4.1+1
commit 5dd4fd8561efbcb9c8ce6d67b0c4c8df8dc5c5b3
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sun Aug 21 04:04:02 2022 +0100
Update to jdk-17.0.4.1+1
Update release notes to 17.0.4.1+1
Add patch to provide translations for Europe/Kyiv added in tzdata2022b
Add test to ensure timezones can be translated
diff --git a/.gitignore b/.gitignore
index 9aef5aa..5df29a7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@
/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+8.tar.xz
+/openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz
diff --git a/NEWS b/NEWS
index 0a1d468..ed5ebeb 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,26 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.4.1 (2022-08-16):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bit.ly/openjdk17041
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.1.txt
+
+* Other changes
+ - JDK-8292258: Bump update version for OpenJDK: jdk-17.0.4.1
+ - JDK-8292260: [BACKOUT] JDK-8279219: [REDO] C2 crash when allocating array of size too large
+
+Notes on individual issues:
+===========================
+
+hotspot/compiler:
+
+JDK-8292396: C2 Compilation Errors Unpredictably Crashes JVM
+============================================================
+Fixes a regression in the C2 JIT compiler which caused the Java
+Runtime to crash unpredictably.
+
New in release OpenJDK 17.0.4 (2022-07-19):
===========================================
Live versions of these release notes can be found at:
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
index 552bd0f..2967a32 100644
--- a/TestSecurityProperties.java
+++ b/TestSecurityProperties.java
@@ -1,3 +1,20 @@
+/* TestSecurityProperties -- Ensure system security properties can be used to
+ enable the crypto policies.
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
diff --git a/TestTranslations.java b/TestTranslations.java
new file mode 100644
index 0000000..cf83303
--- /dev/null
+++ b/TestTranslations.java
@@ -0,0 +1,35 @@
+/* TestTranslations -- Ensure translations are available for new timezones
+ Copyright (C) 2022 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.ResourceBundle;
+
+import sun.util.resources.LocaleData;
+import sun.util.locale.provider.LocaleProviderAdapter;
+
+public class TestTranslations {
+ public static void main(String[] args) {
+ for (String zone : args) {
+ System.out.printf("Translations for %s\n", zone);
+ for (Locale l : Locale.getAvailableLocales()) {
+ ResourceBundle bundle = new LocaleData(LocaleProviderAdapter.Type.JRE).getTimeZoneNames(l);
+ System.out.printf("Locale: %s, language: %s, translations: %s\n", l, l.getDisplayLanguage(), Arrays.toString(bundle.getStringArray(zone)));
+ }
+ }
+ }
+}
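Review bot: TestTranslations has no explicit check: it fails only if `bundle.getStringArray(zone)` throws for a missing key, and it passes without testing anything when it is run with no arguments. A class comment should say that an uncaught `MissingResourceException` is the failure signal, and `main` could begin with `if (args.length == 0) throw new IllegalArgumentException("no time zone IDs given");`. The `new LocaleData(LocaleProviderAdapter.Type.JRE)` instance is also rebuilt for every locale and can be created once before the loops.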
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 082fe91..654850d 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -310,7 +310,7 @@
%global featurever 17
%global interimver 0
%global updatever 4
-%global patchver 0
+%global patchver 1
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -356,8 +356,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 8
-%global rpmrelease 2
+%global buildver 1
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1341,6 +1341,9 @@ Source16: CheckVendor.java
# nss fips configuration file
Source17: nss.fips.cfg.in
+# Ensure translations are available for new timezones
+Source18: TestTranslations.java
+
############################################
#
# RPM/distribution specific patches
@@ -1360,6 +1363,8 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+# Add translations for Europe/Kyiv locally until upstream is fully updated for tzdata2022b
+Patch7: jdk8292223-tzdata2022b-kyiv.patch
# Crypto policy and FIPS support patches
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
@@ -1801,6 +1806,7 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch6 -p1
+%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
@@ -2340,6 +2346,14 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+# Check translations are available for new timezones
+$JAVA_HOME/bin/javac --add-exports java.base/sun.util.resources=ALL-UNNAMED \
+ --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
+ -d . %{SOURCE18}
+$JAVA_HOME/bin/java --add-exports java.base/sun.util.resources=ALL-UNNAMED \
+ --add-exports java.base/sun.util.locale.provider=ALL-UNNAMED \
+ $(echo $(basename %{SOURCE18})|sed "s|\.java||") "Europe/Kiev" "Europe/Kyiv"
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
@@ -2607,6 +2621,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sun Aug 21 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.1.1-1
+- Update to jdk-17.0.4.1+1
+- Update release notes to 17.0.4.1+1
+- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
+- Add test to ensure timezones can be translated
+
* Mon Aug 15 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-2
- Update FIPS support to bring in latest changes
- * RH2104724: Avoid import/export of DH private keys
@@ -2614,8 +2634,8 @@ cjc.mainProgram(args)
- * Build the systemconf library on all platforms
* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-1
-- Update to jdk-17.0.3.0+8
-- Update release notes to 17.0.3.0+8
+- Update to jdk-17.0.4.0+8
+- Update release notes to 17.0.4.0+8
- Switch to GA mode for release
- Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/jdk8292223-tzdata2022b-kyiv.patch b/jdk8292223-tzdata2022b-kyiv.patch
new file mode 100644
index 0000000..1107b82
--- /dev/null
+++ b/jdk8292223-tzdata2022b-kyiv.patch
@@ -0,0 +1,132 @@
+diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
+index 8759aab3995..11ccbf73839 100644
+--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
++++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
+@@ -847,6 +847,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
+ {"Europe/Kirov", new String[] {"Kirov Standard Time", "GMT+03:00",
+ "Kirov Daylight Time", "GMT+03:00",
+ "Kirov Time", "GMT+03:00"}},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
+index f007c1a8d3b..617268e4cf3 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
+index 386414e16e6..14c5d89b9c5 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
+index d23f5fd49e6..44117125619 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
+index b4f57d4568c..efa818f3865 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
+index 1a10a9f96dc..7c0565461ad 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
+index 9a2d9e5c57c..8a2c805997f 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
+index de5e5c82daa..e3c06417f09 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
+index b53de4d8c89..3e46b6a063e 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
+index 7797cda19d5..590908409a8 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
+@@ -825,6 +825,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
+diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
+index 2cd10554853..23c5f180b6d 100644
+--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
+@@ -827,6 +827,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
+ {"Europe/Jersey", GMTBST},
+ {"Europe/Kaliningrad", EET},
+ {"Europe/Kiev", EET},
++ {"Europe/Kyiv", EET},
+ {"Europe/Lisbon", WET},
+ {"Europe/Ljubljana", CET},
+ {"Europe/London", GMTBST},
diff --git a/sources b/sources
index 765b22b..2008902 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4+8.tar.xz) = 9b6bac353899501e5645cac0234455d5777d6d7c7f0ef5ca2487770be5953a7af578c735aece1b64d2a59cc9e93d735ecb3a4d693ef97ca4ca84595bdb0c8deb
+SHA512 (openjdk-jdk17u-jdk-17.0.4.1+1.tar.xz) = 50bf07932e3aec20b4b5d51c01fe095a67b0186a4bc0bed6c8acfacde3673b97f0f177e0f3c372bf1a494c99e61475b4af66261be15f33bb4be8b14671952419
commit ddd9b60d6ebc3f166a7e8768d0cf6af2076fb5ea
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Mon Aug 15 02:09:20 2022 +0100
Update FIPS support to bring in latest changes
* RH2104724: Avoid import/export of DH private keys
* RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
* Build the systemconf library on all platforms
diff --git a/fips-17u-f8142a23d0a.patch b/fips-17u-bb46af07cb9.patch
similarity index 94%
rename from fips-17u-f8142a23d0a.patch
rename to fips-17u-bb46af07cb9.patch
index c07a4bf..8954cf1 100644
--- a/fips-17u-f8142a23d0a.patch
+++ b/fips-17u-bb46af07cb9.patch
@@ -124,10 +124,10 @@ index c2c9c4adf3a..9d105b37acf 100644
LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@
diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
-index 5658ff342e5..cb7a56852f7 100644
+index 5658ff342e5..c8bc5bde1e1 100644
--- a/make/modules/java.base/Lib.gmk
+++ b/make/modules/java.base/Lib.gmk
-@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
+@@ -167,6 +167,29 @@ ifeq ($(call isTargetOsType, unix), true)
endif
endif
@@ -142,255 +142,23 @@ index 5658ff342e5..cb7a56852f7 100644
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
-+ NAME := systemconf, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
-+ ))
-+
-+ TARGETS += $(BUILD_LIBSYSTEMCONF)
-+endif
++$(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++))
++
++TARGETS += $(BUILD_LIBSYSTEMCONF)
+
################################################################################
# Create the symbols file for static builds.
-diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c
-new file mode 100644
-index 00000000000..8dcb7d9073f
---- /dev/null
-+++ b/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -0,0 +1,224 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include <jni.h>
-+#include <jni_util.h>
-+#include "jvm_md.h"
-+#include <stdio.h>
-+
-+#ifdef SYSCONF_NSS
-+#include <nss3/pk11pub.h>
-+#else
-+#include <dlfcn.h>
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define MSG_MAX_SIZE 256
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
-+
-+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
-+{
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "systemconf: cannot render message");
-+ }
-+}
-+
-+// Only used when NSS is not linked at build time
-+#ifndef SYSCONF_NSS
-+
-+static void *nss_handle;
-+
-+static jboolean loadNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
-+ if (nss_handle == NULL) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ dlerror(); /* Clear errors */
-+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
-+ if ((errmsg = dlerror()) != NULL) {
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ return JNI_FALSE;
-+ }
-+ return JNI_TRUE;
-+}
-+
-+static void closeNSS(JNIEnv *env)
-+{
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+ const char* errmsg;
-+
-+ if (dlclose(nss_handle) != 0) {
-+ errmsg = dlerror();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
-+ errmsg);
-+ handle_msg(env, msg, msg_bytes);
-+ }
-+}
-+
-+#endif
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+#ifdef SYSCONF_NSS
-+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
-+#else
-+ if (loadNSS(env) == JNI_FALSE) {
-+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
-+ }
-+#endif
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+#ifndef SYSCONF_NSS
-+ closeNSS(env);
-+#endif
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+ if (getSystemFIPSEnabled != NULL) {
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = (*getSystemFIPSEnabled)();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+ } else {
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ handle_msg(env, msg, msg_bytes);
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+ }
-+}
diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-index a020e1c15d8..6d459fdec01 100644
+index a020e1c15d8..3c064965e82 100644
--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
@@ -31,6 +31,7 @@ import java.security.SecureRandom;
@@ -1006,89 +774,10 @@ index a020e1c15d8..6d459fdec01 100644
/*
* Algorithm Parameter engines
-@@ -531,197 +540,199 @@ public final class SunJCE extends Provider {
- psA("AlgorithmParameters", "ChaCha20-Poly1305",
- "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null);
+@@ -610,118 +619,120 @@ public final class SunJCE extends Provider {
+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
-- /*
-- * Key factories
-- */
-- psA("KeyFactory", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyFactory",
-- null);
--
-- /*
-- * Secret-key factories
-- */
-- ps("SecretKeyFactory", "DES",
-- "com.sun.crypto.provider.DESKeyFactory");
--
-- psA("SecretKeyFactory", "DESede",
-- "com.sun.crypto.provider.DESedeKeyFactory", null);
--
-- psA("SecretKeyFactory", "PBEWithMD5AndDES",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
-- null);
--
-- /*
-- * Internal in-house crypto algorithm used for
-- * the JCEKS keystore type. Since this was developed
-- * internally, there isn't an OID corresponding to this
-- * algorithm.
-- */
-- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
-- null);
--
-- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
-- null);
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
--
-- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
-- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
--
- // PBKDF2
- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
@@ -1198,89 +887,10 @@ index a020e1c15d8..6d459fdec01 100644
- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
- List.of("SunTls12KeyMaterial"), null);
-
-- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
-- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
-- List.of("SunTls12RsaPremasterSecret"), null);
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Key factories
-+ */
-+ psA("KeyFactory", "DiffieHellman",
-+ "com.sun.crypto.provider.DHKeyFactory",
-+ null);
-+
-+ /*
-+ * Secret-key factories
-+ */
-+ ps("SecretKeyFactory", "DES",
-+ "com.sun.crypto.provider.DESKeyFactory");
-+
-+ psA("SecretKeyFactory", "DESede",
-+ "com.sun.crypto.provider.DESedeKeyFactory", null);
-+
-+ psA("SecretKeyFactory", "PBEWithMD5AndDES",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
-+ null);
-+
-+ /*
-+ * Internal in-house crypto algorithm used for
-+ * the JCEKS keystore type. Since this was developed
-+ * internally, there isn't an OID corresponding to this
-+ * algorithm.
-+ */
-+ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
-+ null);
-+
-+ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
-+ null);
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
-+
-+ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
-+ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
-+
+- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
+- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
+- List.of("SunTls12RsaPremasterSecret"), null);
++ if (!systemFipsEnabled) {
+ // PBKDF2
+ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
+ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
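Review bot: With the `if (!systemFipsEnabled) {` guard now opening just before `// PBKDF2`, the DiffieHellman KeyFactory and the run of SecretKeyFactory registrations that the previous revision of this patch kept inside the guard appear to be registered in system FIPS mode as well. That run covers DES, DESede, PBEWithMD5AndDES, the RC2_40/RC4_40 variants and the PBEWithHmacSHA*AndAES_* entries, all dropped from the patch in this hunk and the one before it. The commit message only mentions DH keys, so if the wider set is intentional it deserves a comment at the guard, for example `// Key factories above stay registered in FIPS mode: <reason>; services below are non-FIPS only`. If only the DH KeyFactory is needed, keeping the SecretKeyFactory block under the guard would preserve the earlier restriction. The rest of the SunJCE provider setup lies outside these hunks, so this should be confirmed against the full file.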
@@ -2474,12 +2084,254 @@ index b22f26947af..3ee2ce6ea88 100644
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
+diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..ddf9befe5bc
+--- /dev/null
++++ b/src/java.base/share/native/libsystemconf/systemconf.c
+@@ -0,0 +1,236 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <jni.h>
++#include <jni_util.h>
++#include "jvm_md.h"
++#include <stdio.h>
++
++#ifdef LINUX
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
++
++#else // !LINUX
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ return JNI_FALSE;
++}
++
++#endif
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
-index 00000000000..9bb31555f48
+index 00000000000..8cfa2734d4e
--- /dev/null
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,490 @@
+@@ -0,0 +1,461 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
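Review bot: In the relocated `systemconf.c`, `DEF_JNI_OnUnload` calls `closeNSS(env)` only inside `if (debugObj != NULL)`, and `closeNSS` passes `nss_handle` to `dlclose` without checking it. When debugging is off, the handle opened by `loadNSS` is never closed. When debugging is on but `dlopen` failed, which `DEF_JNI_OnLoad` only logs before carrying on, a null handle reaches `dlclose`; that is not a valid handle and may crash depending on the libc. Separating the two clean-ups and guarding the handle addresses both cases, and `handle_msg` already tolerates a null `debugObj` because `dbgPrint` checks it.
```c
JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
{
    JNIEnv *env;

    if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
        return; /* Should not happen */
    }
#ifndef SYSCONF_NSS
    /* Release NSS regardless of debugging, and only if dlopen succeeded. */
    if (nss_handle != NULL) {
        closeNSS(env);
        nss_handle = NULL;
    }
#endif
    if (debugObj != NULL) {
        (*env)->DeleteGlobalRef(env, debugObj);
    }
}
```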
@@ -2520,7 +2372,6 @@ index 00000000000..9bb31555f48
+import javax.crypto.Cipher;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.SecretKeySpec;
-+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
@@ -2676,34 +2527,6 @@ index 00000000000..9bb31555f48
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
@@ -2971,7 +2794,7 @@ index 00000000000..9bb31555f48
+ }
+}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index 9b69072280e..b403e6d3c6d 100644
+index 9b69072280e..babf19d7157 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -37,6 +37,8 @@ import javax.crypto.*;
@@ -2993,17 +2816,18 @@ index 9b69072280e..b403e6d3c6d 100644
private static final long serialVersionUID = -2575874101938349339L;
private static final String PUBLIC = "public";
-@@ -379,7 +384,8 @@ abstract class P11Key implements Key, Length {
+@@ -379,7 +384,9 @@ abstract class P11Key implements Key, Length {
new CK_ATTRIBUTE(CKA_SENSITIVE),
new CK_ATTRIBUTE(CKA_EXTRACTABLE),
});
- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) {
-+ if (!plainKeySupportEnabled && (attributes[1].getBoolean() ||
++ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");
++ if (!exportable && (attributes[1].getBoolean() ||
+ (attributes[2].getBoolean() == false))) {
return new P11PrivateKey
(session, keyID, algorithm, keyLength, attributes);
} else {
-@@ -461,7 +467,8 @@ abstract class P11Key implements Key, Length {
+@@ -461,7 +468,8 @@ abstract class P11Key implements Key, Length {
}
public String getFormat() {
token.ensureValid();
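Review bot: The new `boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");` decides whether a sensitive or non-extractable private key stays an opaque `P11PrivateKey`, yet nothing at the site says why DH is carved out or that the match relies on the exact string "DH". A short comment such as `// DH private keys are never imported/exported in FIPS mode (RH2104724); keep them opaque` would make the intent reviewable. Writing the test as `"DH".equals(algorithm)` also avoids a NullPointerException should `algorithm` ever be null. Whether callers can pass an alias such as "DiffieHellman" cannot be told from this hunk and is worth confirming, since an alias would count as exportable here. The enclosing method starts and ends outside the hunk.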
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index b44225e..082fe91 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -349,7 +349,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
-%global fipsver f8142a23d0a
+%global fipsver bb46af07cb9
# Standard JPackage naming and versioning defines
%global origin openjdk
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1384,6 +1384,9 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
Patch1001: fips-17u-%{fipsver}.patch
#############################################
@@ -2604,6 +2607,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Aug 15 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-2
+- Update FIPS support to bring in latest changes
+- * RH2104724: Avoid import/export of DH private keys
+- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+- * Build the systemconf library on all platforms
+
* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-1
- Update to jdk-17.0.3.0+8
- Update release notes to 17.0.3.0+8
commit b540c519002b754f5a5b9a252d6173af17af9549
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Fri Jul 22 16:23:05 2022 +0100
Update to jdk-17.0.3.0+8
Update release notes to 17.0.3.0+8
Switch to GA mode for release
Exclude x86 where java_arches is undefined, in order to unbreak build
diff --git a/.gitignore b/.gitignore
index 0987d85..9aef5aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+8.tar.xz
diff --git a/NEWS b/NEWS
index 797c2d2..0a1d468 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,16 @@ Live versions of these release notes can be found at:
* https://bitly.com/openjdk1704
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
+* Security fixes
+ - JDK-8272243: Improve DER parsing
+ - JDK-8272249: Better properties of loaded Properties
+ - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions
+ - JDK-8277608: Address IP Addressing
+ - JDK-8281859, CVE-2022-21540: Improve class compilation
+ - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations
+ - JDK-8283190: Improve MIDI processing
+ - JDK-8284370: Improve zlib usage
+ - JDK-8285407, CVE-2022-34169: Improve Xalan supports
* Other changes
- JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
- JDK-8181571: printing to CUPS fails on mac sandbox app
@@ -57,7 +67,6 @@ Live versions of these release notes can be found at:
- JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
- JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
- JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
- - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
- JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
- JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
- JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 5a441bb..b44225e 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -356,8 +356,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 3
+%global buildver 8
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -383,7 +383,7 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 0
+%global is_ga 1
%if %{is_ga}
%global build_type GA
%global ea_designator ""
@@ -475,7 +475,11 @@
%endif
# x86 is no longer supported
+%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
+%else
+ExcludeArch: %{ix86}
+%endif
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2600,6 +2604,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.8-1
+- Update to jdk-17.0.3.0+8
+- Update release notes to 17.0.3.0+8
+- Switch to GA mode for release
+- Exclude x86 where java_arches is undefined, in order to unbreak build
+
* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.3.ea
- moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/sources b/sources
index 865c6f2..765b22b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419
+SHA512 (openjdk-jdk17u-jdk-17.0.4+8.tar.xz) = 9b6bac353899501e5645cac0234455d5777d6d7c7f0ef5ca2487770be5953a7af578c735aece1b64d2a59cc9e93d735ecb3a4d693ef97ca4ca84595bdb0c8deb
commit 814266f96991bd7727bf42c90e541250497deb2d
Author: Jiri <jvanek(a)redhat.com>
Date: Fri Jul 22 12:52:20 2022 +0200
moved to build only on %%{java_arches}
-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
- reverted :
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
-- Replaced binaries and .so files with bash-stubs on i686
- added ExclusiveArch: %%{java_arches}
-- this now excludes i686
-- this is safely backport-able to older fedoras, as the macro was backported properly (with i686 included)
- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 6e57c24..5a441bb 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,6 +474,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExclusiveArch: %{java_arches}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
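Review bot: `ExclusiveArch: %{java_arches}` is added without checking that the macro is defined. Where it is not, rpm leaves `%{java_arches}` unexpanded, so the tag names no real architecture and the package cannot be built anywhere. The description says the macro was backported, but a guard keeps the spec buildable on a buildroot that lacks it: wrap the tag as `%if 0%{?java_arches:1}` / `ExclusiveArch: %{java_arches}` / `%endif`, with an explicit fallback if x86 must still be excluded.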
@@ -808,20 +811,14 @@ exit 0
exit 0
}
-%ifarch %{ix86}
-%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
-%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
-%endif
-%ifarch %{ix86}
-%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
-%else
+
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -956,11 +953,7 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
-%endif
-%ifarch %{ix86}
-%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
-%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1063,49 +1056,29 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
-%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
-%endif
-%ifarch %{ix86}
-%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
-%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
-%endif
-%ifarch %{ix86}
-%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
-%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
-%endif
-%ifarch %{ix86}
-%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
-%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
-%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1118,11 +1091,7 @@ exit 0
%endif
%endif
}
-%endif
-%ifarch %{ix86}
-%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
-%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1135,7 +1104,6 @@ exit 0
%endif
%endif
}
-%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1298,7 +1266,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-17-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -1453,9 +1421,7 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
-%ifnarch %{ix86}
BuildRequires: java-%{buildjdkver}-openjdk-devel
-%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1911,11 +1877,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
-# x86 is deprecated
-%ifarch %{ix86}
- exit 0
-%endif
-
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2224,35 +2185,6 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-
-%ifarch %{ix86}
- mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
-
- file=/tmp/gonejdk.$$
- echo "OpenJDK on x86 is now deprecated"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
-
- for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
-
- # Docs were only in the normal build
- if ! echo $suffix | grep -q "debug" ; then
- for pkgsuffix in javadoc javadoc_zip ; do
- cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
- done
- fi
-
- rm -f ${file}
-
-%else
-
-# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
@@ -2353,8 +2285,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
-%endif
-
# end, dual install
done
@@ -2363,14 +2293,6 @@ done
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-%ifarch %{ix86}
-
- # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
- echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
- cat debugsourcefiles.list
-
-%else
-
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
@@ -2431,8 +2353,6 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-%endif
-
# build cycles check
done
@@ -2680,6 +2600,19 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 22 2022 Jiri Vanek <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.3.ea
+- moved to build only on %%{java_arches}
+-- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+- reverted :
+-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild (always mess up release)
+-- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+-- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+-- Replaced binaries and .so files with bash-stubs on i686
+- added ExclusiveArch: %%{java_arches}
+-- this now excludes i686
+-- this is safely backport-able to older fedoras, as the macro was backported proeprly (with i686 included)
+- https://bugzilla.redhat.com/show_bug.cgi?id=2104128
+
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.4.0.7-0.2.ea.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
commit 87a3e38c1ab30ea4a44a54198817793e470cd99b
Author: Fedora Release Engineering <releng(a)fedoraproject.org>
Date: Thu Jul 21 15:05:49 2022 +0000
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng(a)fedoraproject.org>
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a4d8b5c..6e57c24 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -1298,7 +1298,7 @@ Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-17-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}.1
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -2680,6 +2680,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:17.0.4.0.7-0.2.ea.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.2.ea
- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
commit e47cdf807e496454ba26a188e8df7ae986931ecf
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 19 01:18:30 2022 +0100
Try to build on x86 again by creating a husk of a JDK which does not depend on itself
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index a8e4bc1..a4d8b5c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,9 +474,6 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
-# x86 is no longer supported
-ExcludeArch: %{ix86}
-
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -811,14 +808,20 @@ exit 0
exit 0
}
+%ifarch %{ix86}
+%define files_jre() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jre.sh}
+%else
%define files_jre() %{expand:
%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
}
+%endif
-
+%ifarch %{ix86}
+%define files_jre_headless() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-headless.sh}
+%else
%define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
@@ -953,7 +956,11 @@ exit 0
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
}
+%endif
+%ifarch %{ix86}
+%define files_devel() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-devel.sh}
+%else
%define files_devel() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
@@ -1056,29 +1063,49 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_jmods() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-jmods.sh}
+%else
%define files_jmods() %{expand:
%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
}
+%endif
+%ifarch %{ix86}
+%define files_demo() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-demo.sh}
+%else
%define files_demo() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/demo
%{_jvmdir}/%{sdkdir -- %{?1}}/sample
}
+%endif
+%ifarch %{ix86}
+%define files_src() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-src.sh}
+%else
%define files_src() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
}
+%endif
+%ifarch %{ix86}
+%define files_static_libs() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-static_libs.sh}
+%else
%define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc.sh}
+%else
%define files_javadoc() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1091,7 +1118,11 @@ exit 0
%endif
%endif
}
+%endif
+%ifarch %{ix86}
+%define files_javadoc_zip() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/gone-javadoc_zip.sh}
+%else
%define files_javadoc_zip() %{expand:
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
@@ -1104,6 +1135,7 @@ exit 0
%endif
%endif
}
+%endif
# not-duplicated requires/provides/obsoletes for normal/debug packages
%define java_rpo() %{expand:
@@ -1421,7 +1453,9 @@ BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
BuildRequires: javapackages-filesystem
+%ifnarch %{ix86}
BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
@@ -1877,6 +1911,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+# x86 is deprecated
+%ifarch %{ix86}
+ exit 0
+%endif
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -2186,20 +2225,34 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
-pushd ${jdk_image}
%ifarch %{ix86}
- for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
- echo "deprecating $file"
- echo '#!/bin/bash' > $file
- echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
- echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
- echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
- echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
- echo 'exit 1' >> $file
+ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}
+
+ file=/tmp/gonejdk.$$
+ echo "OpenJDK on x86 is now deprecated"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+
+ for pkgsuffix in jre headless devel demo src debugsourcefiles jmods static_libs ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
done
-%endif
-popd
+ # Docs were only in the normal build
+ if ! echo $suffix | grep -q "debug" ; then
+ for pkgsuffix in javadoc javadoc_zip ; do
+ cp -a ${file} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-${pkgsuffix}.sh
+ done
+ fi
+
+ rm -f ${file}
+
+%else
+
+# Install the jdk
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
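Review bot: `file=/tmp/gonejdk.$$` in the new `%ifarch %{ix86}` branch creates the stub at a predictable name in a world-writable directory, and the following `echo ... > $file` writes through whatever already exists at that path. On a build host shared with other local users this is the classic insecure temporary file pattern; `file=$(mktemp)` (or a path under the build directory) avoids it, and `"$file"` should be quoted in the redirections, `cp -a` and `rm -f`. The stub also gets no explicit mode before it is copied, so whether the installed `gone-*.sh` files are executable depends on the umask and on `%files` attributes that are not visible in this hunk. The enclosing install loop starts outside the hunk.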
@@ -2300,16 +2353,24 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 7
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+%endif
+
# end, dual install
done
%check
-%ifarch %{ix86}
- exit 0
-%endif
+
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
+%ifarch %{ix86}
+
+ # Fake debugsourcefiles.list here after find-debuginfo.sh has already had a go
+ echo "%{_jvmdir}/%{sdkdir -- ${suffix}}/gone-debugsourcefiles.sh" >> debugsourcefiles.list
+ cat debugsourcefiles.list
+
+%else
+
# Tests in the check stage are performed on the installed image
# rpmbuild operates as follows: build -> install -> test
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
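Review bot: The x86 branch added inside the `%check` loop appends `gone-debugsourcefiles.sh` to `debugsourcefiles.list`, so the contents of a packaging manifest now depend on the test stage running. A build invoked with `--nocheck` would skip this append, and the file list for the debugsource package would then presumably differ or fail. The comment explains why it cannot happen before find-debuginfo.sh runs, but it should also state the dependency, for example `# NOTE: packaging on x86 relies on %%check running; do not build with --nocheck`. With the whole test body moved under `%else`, nothing on that architecture verifies the installed stubs.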
@@ -2370,6 +2431,8 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+%endif
+
# build cycles check
done
@@ -2617,6 +2680,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 19 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.2.ea
+- Try to build on x86 again by creating a husk of a JDK which does not depend on itself
+
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.3.0+7
- Update release notes to 17.0.3.0+7
commit c43163d44566d2264fdf69f2d197627b6ce4ed9e
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 16 20:03:04 2022 +0100
Update to jdk-17.0.3.0+7
Update release notes to 17.0.3.0+7
Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
Need to include the '.S' suffix in debuginfo checks after JDK-8284661
diff --git a/.gitignore b/.gitignore
index eaa1e0c..0987d85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@
/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+7.tar.xz
diff --git a/NEWS b/NEWS
index 5d91d43..797c2d2 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,14 @@ Live versions of these release notes can be found at:
* https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
* Other changes
+ - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn
+ - JDK-8181571: printing to CUPS fails on mac sandbox app
- JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use
+ - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test
- JDK-8214733: runtime/8176717/TestInheritFD.java timed out
+ - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel
+ - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
- JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
- JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
- JDK-8255266: Update Public Suffix List to 3c213aa
@@ -26,6 +32,7 @@ Live versions of these release notes can be found at:
- JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
- JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
- JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
+ - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN)
- JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
- JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
- JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
@@ -60,6 +67,7 @@ Live versions of these release notes can be found at:
- JDK-8274233: Minor cleanup for ToolBox
- JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
- JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
+ - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend
- JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
- JDK-8274751: Drag And Drop hangs on Windows
- JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
@@ -125,6 +133,7 @@ Live versions of these release notes can be found at:
- JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
- JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
- JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
+ - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor
- JDK-8280600: C2: assert(!had_error) failed: bad dominance
- JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
- JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
@@ -150,8 +159,10 @@ Live versions of these release notes can be found at:
- JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
- JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
- JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder
- JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
- JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
+ - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test
- JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
- JDK-8282225: GHA: Allow one concurrent run per PR only
- JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
@@ -160,6 +171,7 @@ Live versions of these release notes can be found at:
- JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
- JDK-8282345: handle latest VS2022 in abstract_vm_version
- JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale
- JDK-8282444: Module finder incorrectly assumes default file system path-separator character
- JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
- JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
@@ -170,31 +182,71 @@ Live versions of these release notes can be found at:
- JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
- JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
- JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value
- JDK-8283017: GHA: Workflows break with update release versions
- JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
- JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
- JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
- JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
+ - JDK-8283315: jrt-fs.jar not always deterministically built
+ - JDK-8283323: libharfbuzz optimization level results in extreme build times
- JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
- JDK-8283350: (tz) Update Timezone Data to 2022a
- JDK-8283408: Fix a C2 crash when filling arrays with unsafe
- JDK-8283422: Create a new test for JDK-8254790
- JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak
- JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
- JDK-8283641: Large value for CompileThresholdScaling causes assert
- JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
- JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
- JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284094: Memory leak in invoker_completeInvokeRequest()
- JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
- JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284437: Building from different users/workspace is not always deterministic
- JDK-8284458: CodeHeapState::aggregate() leaks blob_name
- JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler
+ - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member
- JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
+ - JDK-8284620: CodeBuffer may leak _overflow_arena
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284661: Reproducible assembly builds without relative linking
+ - JDK-8284754: print more interesting env variables in hs_err and VM.info
+ - JDK-8284758: [linux] improve print_container_info
+ - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping
- JDK-8284866: Add test to JDK-8273056
- JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
+ - JDK-8284992: Fix misleading Vector API doc for LSHR operator
- JDK-8285342: Zero build failure with clang due to values not handled in switch
+ - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id()
+ - JDK-8285397: JNI exception pending in CUPSfuncs.c:250
- JDK-8285445: cannot open file "NUL:"
+ - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
+ - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java
+ - JDK-8285686: Update FreeType to 2.12.0
+ - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head
+ - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head
+ - JDK-8285728: Alpine Linux build fails with busybox tar
+ - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols
+ - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine
+ - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService
+ - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java
+ - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc
+ - JDK-8286198: [linux] Fix process-memory information
+ - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources
+ - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause
+ - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups
+ - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk
+ - JDK-8286855: javac error on invalid jar should only print filename
+ - JDK-8287109: Distrust.java failed with CertificateExpiredException
+ - JDK-8287119: Add Distrust.java to ProblemList
+ - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions
+ - JDK-8287336: GHA: Workflows break on patch versions
+ - JDK-8287362: FieldAccessWatch testcase failed on AIX platform
+ - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows
Notes on individual issues:
===========================
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 7e28951..a8e4bc1 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -356,8 +356,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 1
-%global rpmrelease 5
+%global buildver 7
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -474,6 +474,9 @@
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
+# x86 is no longer supported
+ExcludeArch: %{ix86}
+
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
@@ -2046,9 +2049,9 @@ function debugcheckjdk() {
IFS=$'\n'
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
do
- # We expect to see .cpp files, except for architectures like aarch64 and
+ # We expect to see .cpp and .S files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
done
IFS="$old_IFS"
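Review bot: The updated comment names only `.cpp` and `.S`, but the pattern on the changed `grep -E` line also accepts `.c`, `.cc` and `.cxx`. Because the outer group is optional (`(...)?$`), a FILE symbol with an empty name after `ABS ` passes as well. Since this check is what decides whether debuginfo looks sane, the comment should list everything the expression lets through, for example `# Accept an empty name, C/C++ sources (.c, .cc, .cpp, .cxx) and assembly (.S); aarch64 and s390 show .o and .oS instead`. The body of `debugcheckjdk` starts outside the hunk, so how a non-matching line is handled cannot be confirmed from here.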
@@ -2614,6 +2617,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sat Jul 16 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.7-0.1.ea
+- Update to jdk-17.0.3.0+7
+- Update release notes to 17.0.3.0+7
+- Exclude x86 from builds as the bootstrap JDK is now completely broken and unusable
+- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.5.ea
- Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/sources b/sources
index ded0ae9..865c6f2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1
+SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419
commit 0cff01bd2387e69bf4f5090b6eb16e7452033da6
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 01:10:32 2022 +0100
Explicitly require crypto-policies during build and runtime for system security properties
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 2f04873..7e28951 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 4
+%global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1152,6 +1152,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
+# for system security properties
+Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@@ -1410,6 +1412,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
+# Requirement for system security property test
+BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -2610,6 +2614,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.5.ea
+- Explicitly require crypto-policies during build and runtime for system security properties
+
* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.4.0.1-0.4.ea
- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
commit 73fbfeeb34244ac9e1b105d6dea094c1f4d7f1cb
Author: Jiri <jvanek(a)redhat.com>
Date: Wed Jul 13 20:07:30 2022 +0200
Replaced binaries and .so files with bash-stubs on i686
in preparation of the removal on that architecture
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 4e33514..2f04873 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 3
+%global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2178,6 +2178,21 @@ jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install the jdk
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+
+pushd ${jdk_image}
+%ifarch %{ix86}
+ for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$") ; do
+ echo "deprecating $file"
+ echo '#!/bin/bash' > $file
+ echo 'echo "We are going to remove i686 jdk. Please fix your package accordingly!"' >> $file
+ echo 'echo "See https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs"' >> $file
+ echo 'echo "See https://pagure.io/fesco/issue/2772"' >> $file
+ echo 'echo "See https://bugzilla.redhat.com/show_bug.cgi?id=2083750"' >> $file
+ echo 'exit 1' >> $file
+ done
+%endif
+popd
+
cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
pushd ${jdk_image}
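Review bot: The stub loop `for file in $(find $(pwd) | grep -e "/bin/" -e "\.so$")` selects entries by path text only and then uses `$file` unquoted. It can therefore match directories and symlinks below a `bin/` directory, it splits names on whitespace, and `> $file` writes through a symlink into its target instead of replacing the link. Restricting the walk to regular files and quoting the name avoids all three: `find . -type f \( -path '*/bin/*' -o -name '*.so' \) -print0 | while IFS= read -r -d '' file; do ... > "$file"; done`. Whether any such entry exists in the current JDK image cannot be seen from this hunk, so it is worth checking against an i686 build log. The install section continues outside the hunk.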
@@ -2282,7 +2297,9 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
done
%check
-
+%ifarch %{ix86}
+ exit 0
+%endif
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
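Review bot: The `exit 0` added under `%ifarch %{ix86}` ends the check scriptlet before any test runs, and nothing in the spec or the build log says why. The skip looks intentional, since the same commit replaces the i686 binaries with stub scripts, but a later reader will see an architecture whose checks pass silently. I would add a comment and a log line before the exit, for example `# i686 image contains only stub scripts (see the install section), so there is nothing to test` and `echo "Skipping checks on i686: JDK binaries are replaced by stubs"`. The check section continues outside the hunk.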
@@ -2593,6 +2610,10 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Jiri Vanek <jvanek(a)redhat.com> - 1:17.0.4.0.1-0.4.ea
+- Replaced binaries and .so files with bash-stubs on i686 in preparation of the removal on that architecture:
+- https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
+
* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:17.0.4.0.1-0.3.ea
- Add javaver- and origin-specific javadoc and javadoczip alternatives.
commit 3a89c445abf482c0bd02c00252d30ddb43f9d1aa
Author: FeRD (Frank Dana) <ferdnyc(a)gmail.com>
Date: Wed Jun 8 14:03:04 2022 -0400
Add additional javadoc & javadoczip alternatives
Create additional alternatives linked from the javadocdir, named:
* java-%{origin} / java-%{origin}.zip
* java-%{javaver} / java-%{javaver}.zip
* java-%{javaver}-%{origin} / java-%{javaver}-%{origin}.zip
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 657f19c..4e33514 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -357,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -743,10 +743,19 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
+ for X in %{origin} %{javaver} ; do
+ key=javadocdir_"$X"
+ alternatives --install %{_javadocdir}/java-"$X" $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadocdir_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin} $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
-key=javadocdir
-alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ key=javadocdir
+ alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
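Review bot: The new alternatives for `java-%{origin}`, `java-%{javaver}` and `java-%{javaver}-%{origin}` are registered in two different ways, two through the `for X` loop and the third written out by hand. Each key must also be repeated by hand in the matching `save_and_remove_alternatives` list of the postun scriptlet. The javadoczip hunk further down has the same shape. Nothing ties the install list to the removal list, so a key added on one side only would leave a dangling alternative after uninstall. A short comment above each list would help, such as `# every key installed here must also be removed in the postun scriptlet`. So would moving the third name into the loop, if the key can be derived from `$X`. The enclosing scriptlet macro starts outside the hunk.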
@@ -756,6 +765,9 @@ if [ "x$debug" == "xtrue" ] ; then
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_synt…
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadocdir_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
@@ -767,9 +779,20 @@ PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
-key=javadoczip
-alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
-%{set_if_needed_alternatives $key %{family_noarch}}
+ for X in %{origin} %{javaver} ; do
+ key=javadoczip_"$X"
+ alternatives --install %{_javadocdir}/java-"$X".zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+ done
+
+ key=javadoczip_%{javaver}_%{origin}
+ alternatives --install %{_javadocdir}/java-%{javaver}-%{origin}.zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
+
+ # Weird legacy filename for backwards-compatibility
+ key=javadoczip
+ alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+ %{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
@@ -779,6 +802,9 @@ exit 0
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_synt…
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+ %{save_and_remove_alternatives javadoczip_%{javaver}_%{origin} %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@@ -1056,6 +1082,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java
+%ghost %{_javadocdir}/java-%{origin}
+%ghost %{_javadocdir}/java-%{javaver}
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}
%endif
%endif
}
@@ -1066,6 +1095,9 @@ exit 0
%if %is_system_jdk
%if %{is_release_build -- %{?1}}
%ghost %{_javadocdir}/java-zip
+%ghost %{_javadocdir}/java-%{origin}.zip
+%ghost %{_javadocdir}/java-%{javaver}.zip
+%ghost %{_javadocdir}/java-%{javaver}-%{origin}.zip
%endif
%endif
}
@@ -2561,6 +2593,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 FeRD (Frank Dana) <ferdnyc(a)gmail.com> - 1:17.0.4.0.1-0.3.ea
+- Add javaver- and origin-specific javadoc and javadoczip alternatives.
+
* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
commit b88e34f02e7b229b3bc02ef74b7a8ffccd73d8f1
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Sat Jul 9 02:02:43 2022 +0100
Make use of the vendor version string to store our version & release rather than an upstream release date
Include a test in the RPM to check the build has the correct vendor information.
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the shell.
diff --git a/CheckVendor.java b/CheckVendor.java
new file mode 100644
index 0000000..29b296b
--- /dev/null
+++ b/CheckVendor.java
@@ -0,0 +1,65 @@
+/* CheckVendor -- Check the vendor properties match specified values.
+ Copyright (C) 2020 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/**
+ * @test
+ */
+public class CheckVendor {
+
+ public static void main(String[] args) {
+ if (args.length < 4) {
+ System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
+ System.exit(1);
+ }
+
+ String vendor = System.getProperty("java.vendor");
+ String expectedVendor = args[0];
+ String vendorURL = System.getProperty("java.vendor.url");
+ String expectedVendorURL = args[1];
+ String vendorBugURL = System.getProperty("java.vendor.url.bug");
+ String expectedVendorBugURL = args[2];
+ String vendorVersionString = System.getProperty("java.vendor.version");
+ String expectedVendorVersionString = args[3];
+
+ if (!expectedVendor.equals(vendor)) {
+ System.err.printf("Invalid vendor %s, expected %s\n",
+ vendor, expectedVendor);
+ System.exit(2);
+ }
+
+ if (!expectedVendorURL.equals(vendorURL)) {
+ System.err.printf("Invalid vendor URL %s, expected %s\n",
+ vendorURL, expectedVendorURL);
+ System.exit(3);
+ }
+
+ if (!expectedVendorBugURL.equals(vendorBugURL)) {
+ System.err.printf("Invalid vendor bug URL %s, expected %s\n",
+ vendorBugURL, expectedVendorBugURL);
+ System.exit(4);
+ }
+
+ if (!expectedVendorVersionString.equals(vendorVersionString)) {
+ System.err.printf("Invalid vendor version string %s, expected %s\n",
+ vendorVersionString, expectedVendorVersionString);
+ System.exit(5);
+ }
+
+ System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
+ vendor, vendorURL, vendorBugURL, vendorVersionString);
+ }
+}
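Review bot: The class comment is only `@test`, so nothing in CheckVendor.java records the argument order or what exit statuses 1 to 5 mean. The only place the intended use appears is the call in the spec's check section. A class Javadoc would make a failed build log readable without opening the source. It should name the four positional arguments (vendor, vendor URL, vendor bug URL, vendor version string) and say that status 1 is a usage error while 2 to 5 identify the first property that did not match. The final "Vendor information verified" line is also written with `System.err.printf`; using `System.out.printf` there would keep stderr for failures only.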
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 22fe90f..657f19c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -311,10 +311,6 @@
%global interimver 0
%global updatever 4
%global patchver 0
-# If you bump featurever, you must also bump vendor_version_string
-# Used via new version scheme. JDK 17 was
-# GA'ed in September 2021 => 21.9
-%global vendor_version_string 21.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@@ -329,6 +325,27 @@
%global lts_designator_zip ""
%endif
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%…
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&…
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20…
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+%global oj_vendor_version (Red_Hat-%{version}-%{release})
+
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
@@ -340,7 +357,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 1
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -381,23 +398,6 @@
%global eaprefix 0.
%endif
-# Define what url should JVM offer in case of a crash report
-# order may be important, epel may have rhel declared
-%if 0%{?epel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%…
-%else
-%if 0%{?fedora}
-# Does not work for rawhide, keeps the version field empty
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&…
-%else
-%if 0%{?rhel}
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20…
-%else
-%global bugs https://bugzilla.redhat.com/enter_bug.cgi
-%endif
-%endif
-%endif
-
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
@@ -1294,6 +1294,9 @@ Source14: TestECDSA.java
# Verify system crypto (policy) can be disabled via a property
Source15: TestSecurityProperties.java
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
# nss fips configuration file
Source17: nss.fips.cfg.in
@@ -1703,6 +1706,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
+echo "Preparing %{oj_vendor_version}"
+
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@@ -1896,11 +1901,11 @@ function buildjdk() {
--with-version-build=%{buildver} \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
- --with-vendor-version-string="%{vendor_version_string}" \
- --with-vendor-name="Red Hat, Inc." \
- --with-vendor-url="https://www.redhat.com/" \
- --with-vendor-bug-url="%{bugs}" \
- --with-vendor-vm-bug-url="%{bugs}" \
+ --with-vendor-version-string="%{oj_vendor_version}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
@@ -2285,6 +2290,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
+
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
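Review bot: The class name passed to `java` is built with `$(echo $(basename %{SOURCE16})|sed "s|\.java||")`. That is two unquoted command substitutions plus an unanchored sed, where `basename` already accepts a suffix to strip. A simpler form is `"$JAVA_HOME"/bin/java -cp . "$(basename %{SOURCE16} .java)" "%{oj_vendor}" ...`. The explicit `-cp .` matches the `-d .` given to javac, so the run does not depend on CLASSPATH being unset in the build environment. The four macro arguments are already double-quoted, which is what keeps the `&` in the bug URL away from the shell. The check section continues outside the hunk.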
@@ -2552,6 +2561,14 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 14 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Make use of the vendor version string to store our version & release rather than an upstream release date
+- Include a test in the RPM to check the build has the correct vendor information.
+
+* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana(a)redhat.com> - 1:17.0.4.0.1-0.2.ea
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+
* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.1.ea
- Update to jdk-17.0.4.0+1
- Update release notes to 17.0.4.0+1
commit 9686b18e4ff6e393dbdb8a9256000685fa961430
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Mon Jul 11 19:39:27 2022 +0100
Update to jdk-17.0.4.0+1
Update release notes to 17.0.4.0+1
Switch to EA mode for 17.0.4 pre-release builds.
Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
Print release file during build, which should now include a correct SOURCE value from .src-rev
Update tarball script with IcedTea GitHub URL and .src-rev generation
Include script to generate bug list for release notes
Update tzdata requirement to 2022a to match JDK-8283350
Move EA designator check to prep so failures can be caught earlier
Make EA designator check non-fatal while upstream is not maintaining it
diff --git a/.gitignore b/.gitignore
index 9d53f89..eaa1e0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
/openjdk-jdk17u-jdk-17.0.3+5.tar.xz
/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
/openjdk-jdk17u-jdk-17.0.3+7.tar.xz
+/openjdk-jdk17u-jdk-17.0.4+1.tar.xz
diff --git a/NEWS b/NEWS
index b0e58ad..5d91d43 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,262 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.4 (2022-07-19):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1704
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt
+
+* Other changes
+ - JDK-8193682: Infinite loop in ZipOutputStream.close()
+ - JDK-8214733: runtime/8176717/TestInheritFD.java timed out
+ - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode
+ - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR
+ - JDK-8255266: Update Public Suffix List to 3c213aa
+ - JDK-8256368: Avoid repeated upcalls into Java to re-resolve MH/VH linkers/invokers
+ - JDK-8258814: Compilation logging crashes for thread suspension / debugging tests
+ - JDK-8263461: jdk/jfr/event/gc/detailed/TestEvacuationFailedEvent.java uses wrong mechanism to cause evacuation failure
+ - JDK-8263538: SharedArchiveConsistency.java should test -Xshare:auto as well
+ - JDK-8264605: vmTestbase/nsk/jvmti/SuspendThread/suspendthrd003/TestDescription.java failed with "agent_tools.cpp, 471: (foundThread = (jthread) jni_env->NewGlobalRef(foundThread)) != NULL"
+ - JDK-8265261: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8265317: [vector] assert(payload->is_object()) failed: expected 'object' value for scalar-replaced boxed vector but got: NULL
+ - JDK-8267163: Rename anonymous loader tests to hidden loader tests
+ - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo
+ - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
+ - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout
+ - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum
+ - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest
+ - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs
+ - JDK-8269135: TestDifferentProtectionDomains runs into timeout in client VM
+ - JDK-8269373: some tests in jdk/tools/launcher/ fails on localized Windows platform
+ - JDK-8269753: Misplaced caret in PatternSyntaxException's detail message
+ - JDK-8269933: test/jdk/javax/net/ssl/compatibility/JdkInfo incorrect verification of protocol and cipher support
+ - JDK-8270021: Incorrect log decorators in gc/g1/plab/TestPLABEvacuationFailure.java
+ - JDK-8270336: [TESTBUG] Fix initialization in NonbranchyTree
+ - JDK-8270435: UT: MonitorUsedDeflationThresholdTest failed: did not find too_many string in output
+ - JDK-8270468: TestRangeCheckEliminated fails because methods are not compiled
+ - JDK-8270797: ShortECDSA.java test is not complete
+ - JDK-8270837: fix typos in test TestSigParse.java
+ - JDK-8271008: appcds/*/MethodHandlesAsCollectorTest.java tests time out because of excessive GC (CodeCache GC Threshold) in loom
+ - JDK-8271055: Crash during deoptimization with "assert(bb->is_reachable()) failed: getting result from unreachable basicblock" with -XX:+VerifyStack
+ - JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code
+ - JDK-8271302: Regex Test Refresh
+ - JDK-8272146: Disable Fibonacci test on memory constrained systems
+ - JDK-8272168: some hotspot runtime/logging tests don't check exit code
+ - JDK-8272169: runtime/logging/LoaderConstraintsTest.java doesn't build test.Empty
+ - JDK-8272358: Some tests may fail when executed with other locales than the US
+ - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2
+ - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security
+ - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted
+ - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions
+ - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME"
+ - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency
+ - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests
+ - JDK-8273169: java/util/regex/NegativeArraySize.java failed after JDK-8271302
+ - JDK-8273804: Platform.isTieredSupported should handle the no-compiler case
+ - JDK-8274172: Convert JavadocTester to use NIO
+ - JDK-8274233: Minor cleanup for ToolBox
+ - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun
+ - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines
+ - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
+ - JDK-8274751: Drag And Drop hangs on Windows
+ - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed
+ - JDK-8274939: Incorrect size of the pixel storage is used by the robot on macOS
+ - JDK-8274983: C1 optimizes the invocation of private interface methods
+ - JDK-8275037: Test vmTestbase/nsk/sysdict/vm/stress/btree/btree011/btree011.java crashes with memory exhaustion on Windows
+ - JDK-8275337: C1: assert(false) failed: live_in set of first block must be empty
+ - JDK-8275638: GraphKit::combine_exception_states fails with "matching stack sizes" assert
+ - JDK-8275745: Reproducible copyright headers
+ - JDK-8275830: C2: Receiver downcast is missing when inlining through method handle linkers
+ - JDK-8275854: C2: assert(stride_con != 0) failed: missed some peephole opt
+ - JDK-8276260: (se) Remove java/nio/channels/Selector/Wakeup.java from ProblemList (win)
+ - JDK-8276657: XSLT compiler tries to define a class with empty name
+ - JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC
+ - JDK-8276825: hotspot/runtime/SelectionResolution test errors
+ - JDK-8276863: Remove test/jdk/sun/security/ec/ECDSAJavaVerify.java
+ - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary
+ - JDK-8276990: Memory leak in invoker.c fillInvokeRequest() during JDI operations
+ - JDK-8277055: Assert "missing inlining msg" with -XX:+PrintIntrinsics
+ - JDK-8277072: ObjectStreamClass caches keep ClassLoaders alive
+ - JDK-8277087: ZipException: zip END header not found at ZipFile#Source.findEND
+ - JDK-8277123: jdeps does not report some exceptions correctly
+ - JDK-8277165: jdeps --multi-release --print-module-deps fails if module-info.class in different versioned directories
+ - JDK-8277166: Data race in jdeps VersionHelper
+ - JDK-8277396: [TESTBUG] In DefaultButtonModelCrashTest.java, frame is accessed from main thread
+ - JDK-8277422: tools/jar/JarEntryTime.java fails with modified time mismatch
+ - JDK-8277893: Arraycopy stress tests
+ - JDK-8277906: Incorrect type for IV phi of long counted loops after CCP
+ - JDK-8277922: Unable to click JCheckBox in JTable through Java Access Bridge
+ - JDK-8278014: [vectorapi] Remove test run script
+ - JDK-8278065: Refactor subclassAudits to use ClassValue
+ - JDK-8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
+ - JDK-8278472: Invalid value set to CANDIDATEFORM structure
+ - JDK-8278519: serviceability/jvmti/FieldAccessWatch/FieldAccessWatch.java failed "assert(handle != __null) failed: JNI handle should not be null"
+ - JDK-8278549: UNIX sun/font coding misses SUSE distro detection on recent distro SUSE 15
+ - JDK-8278766: Enable OpenJDK build support for reproducible jars and jmods using --date
+ - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
+ - JDK-8278796: Incorrect behavior of FloatVector.withLane on X86
+ - JDK-8278851: Correct signer logic for jars signed with multiple digestalgs
+ - JDK-8278948: compiler/vectorapi/reshape/TestVectorCastAVX1.java crashes in assembler
+ - JDK-8278966: two microbenchmarks tests fail "assert(!jvms->method()->has_exception_handlers()) failed: no exception handler expected" after JDK-8275638
+ - JDK-8279182: MakeZipReproducible ZipEntry timestamps not localized to UTC
+ - JDK-8279219: [REDO] C2 crash when allocating array of size too large
+ - JDK-8279227: Access Bridge: Wrong frame position and hit test result on HiDPI display
+ - JDK-8279356: Method linking fails with guarantee(mh->adapter() != NULL) failed: Adapter blob must already exist!
+ - JDK-8279437: [JVMCI] exception in HotSpotJVMCIRuntime.translate can exit the VM
+ - JDK-8279515: C1: No inlining through invokedynamic and invokestatic call sites when resolved class is not linked
+ - JDK-8279520: SPNEGO has not passed channel binding info into the underlying mechanism
+ - JDK-8279529: ProblemList java/nio/channels/DatagramChannel/ManySourcesAndTargets.java on macosx-aarch64
+ - JDK-8279532: ProblemList sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
+ - JDK-8279560: AArch64: generate_compare_long_string_same_encoding and LARGE_LOOP_PREFETCH alignment
+ - JDK-8279586: [macos] custom JCheckBox and JRadioBox with custom icon set: focus is still displayed after unchecking
+ - JDK-8279597: [TESTBUG] ReturnBlobToWrongHeapTest.java fails with -XX:TieredStopAtLevel=1 on machines with many cores
+ - JDK-8279668: x86: AVX2 versions of vpxor should be asserted
+ - JDK-8279822: CI: Constant pool entries in error state are not supported
+ - JDK-8279834: Alpine Linux fails to build when --with-source-date enabled
+ - JDK-8279837: C2: assert(is_Loop()) failed: invalid node class: Region
+ - JDK-8279842: HTTPS Channel Binding support for Java GSS/Kerberos
+ - JDK-8279958: Provide configure hints for Alpine/apk package managers
+ - JDK-8280004: DCmdArgument<jlong>::parse_value() should handle NULL input
+ - JDK-8280041: Retry loop issues in java.io.ClassCache
+ - JDK-8280123: C2: Infinite loop in CMoveINode::Ideal during IGVN
+ - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized
+ - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang
+ - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS
+ - JDK-8280600: C2: assert(!had_error) failed: bad dominance
+ - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device.
+ - JDK-8280799: С2: assert(false) failed: cyclic dependency prevents range check elimination
+ - JDK-8280867: Cpuid1Ecx feature parsing is incorrect for AMD CPUs
+ - JDK-8280901: MethodHandle::linkToNative stub is missing w/ -Xint
+ - JDK-8280940: gtest os.release_multi_mappings_vm is racy
+ - JDK-8280941: os::print_memory_mappings() prints segment preceeding the inclusion range
+ - JDK-8280956: Re-examine copyright headers on files in src/java.desktop/macosx/native/libawt_lwawt/awt/a11y
+ - JDK-8280964: [Linux aarch64] : drawImage dithers TYPE_BYTE_INDEXED images incorrectly
+ - JDK-8281043: Intrinsify recursive ObjectMonitor locking for PPC64
+ - JDK-8281168: Micro-optimize VarForm.getMemberName for interpreter
+ - JDK-8281262: Windows builds in different directories are not fully reproducible
+ - JDK-8281266: [JVMCI] MetaUtil.toInternalName() doesn't handle hidden classes correctly
+ - JDK-8281274: deal with ActiveProcessorCount in os::Linux::print_container_info
+ - JDK-8281275: Upgrading from 8 to 11 no longer accepts '/' as filepath separator in gc paths
+ - JDK-8281318: Improve jfr/event/allocation tests reliability
+ - JDK-8281338: NSAccessibilityPressAction action for tree node and NSAccessibilityShowMenuAcgtion action not working
+ - JDK-8281450: Remove unnecessary operator new and delete from ObjectMonitor
+ - JDK-8281522: Rename ADLC classes which have the same name as hotspot variants
+ - JDK-8281544: assert(VM_Version::supports_avx512bw()) failed for Tests jdk/incubator/vector/
+ - JDK-8281615: Deadlock caused by jdwp agent
+ - JDK-8281638: jfr/event/allocation tests fail with release VMs after JDK-8281318 due to lack of -XX:+UnlockDiagnosticVMOptions
+ - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature
+ - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799
+ - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling
+ - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway
+ - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1
+ - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads
+ - JDK-8282225: GHA: Allow one concurrent run per PR only
+ - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers
+ - JDK-8282293: Domain value for system property jdk.https.negotiate.cbt should be case-insensitive
+ - JDK-8282295: SymbolPropertyEntry::set_method_type fails with assert
+ - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86
+ - JDK-8282345: handle latest VS2022 in abstract_vm_version
+ - JDK-8282382: Report glibc malloc tunables in error reports
+ - JDK-8282444: Module finder incorrectly assumes default file system path-separator character
+ - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4
+ - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output
+ - JDK-8282551: Properly initialize L32X64MixRandom state
+ - JDK-8282583: Update BCEL md to include the copyright notice
+ - JDK-8282590: C2: assert(addp->is_AddP() && addp->outcnt() > 0) failed: Don't process dead nodes
+ - JDK-8282592: C2: assert(false) failed: graph should be schedulable
+ - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig()
+ - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap
+ - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows
+ - JDK-8283017: GHA: Workflows break with update release versions
+ - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails
+ - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c
+ - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing
+ - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize
+ - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled
+ - JDK-8283350: (tz) Update Timezone Data to 2022a
+ - JDK-8283408: Fix a C2 crash when filling arrays with unsafe
+ - JDK-8283422: Create a new test for JDK-8254790
+ - JDK-8283451: C2: assert(_base == Long) failed: Not a Long
+ - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info
+ - JDK-8283641: Large value for CompileThresholdScaling causes assert
+ - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM
+ - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate
+ - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
+ - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4
+ - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
+ - JDK-8284458: CodeHeapState::aggregate() leaks blob_name
+ - JDK-8284507: GHA: Only check test results if testing was not skipped
+ - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2
+ - JDK-8284622: Update versions of some Github Actions used in JDK workflow
+ - JDK-8284866: Add test to JDK-8273056
+ - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java
+ - JDK-8285342: Zero build failure with clang due to values not handled in switch
+ - JDK-8285445: cannot open file "NUL:"
+
+Notes on individual issues:
+===========================
+
+core-libs/java.net:
+
+JDK-8285240: HTTPS Channel Binding support for Java GSS/Kerberos
+================================================================
+Support has been added for TLS channel binding tokens for
+Negotiate/Kerberos authentication over HTTPS through
+javax.net.HttpsURLConnection.
+
+Channel binding tokens are increasingly required as an enhanced form
+of security which can mitigate certain kinds of socially engineered,
+man in the middle (MITM) attacks. They work by communicating from a
+client to a server the client's understanding of the binding between
+connection security (as represented by a TLS server cert) and higher
+level authentication credentials (such as a username and
+password). The server can then detect if the client has been fooled by
+a MITM and shutdown the session/connection.
+
+The feature is controlled through a new system property
+`jdk.https.negotiate.cbt` which is described fully at the following
+page:
+
+https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/net/doc-files/net-properties.html#jdk.https.negotiate.cbt
+
+core-libs/java.lang:
+
+JDK-8283137: Incorrect handling of quoted arguments in ProcessBuilder
+=====================================================================
+ProcessBuilder on Windows is restored to address a regression caused
+by JDK-8250568. Previously, an argument to ProcessBuilder that
+started with a double-quote and ended with a backslash followed by a
+double-quote was passed to a command incorrectly and may cause the
+command to fail. For example the argument `"C:\\Program Files\"`,
+would be seen by the command with extra double-quotes. This update
+restores the long standing behavior that does not treat the backslash
+before the final double-quote specially.
+
+
+core-libs/java.util.jar:
+
+JDK-8278386: Default JDK compressor will be closed when IOException is encountered
+==================================================================================
+`DeflaterOutputStream.close()` and `GZIPOutputStream.finish()` methods
+have been modified to close out the associated default JDK compressor
+before propagating a Throwable up the
+stack. `ZIPOutputStream.closeEntry()` method has been modified to
+close out the associated default JDK compressor before propagating an
+IOException, not of type ZipException, up the stack.
+
+core-libs/java.io:
+
+JDK-8285660: New System Property to Disable Windows Alternate Data Stream Support in java.io.File
+=================================================================================================
+The Windows implementation of `java.io.File` allows access to NTFS
+Alternate Data Streams (ADS) by default. Such streams have a structure
+like “filename:streamname”. A system property `jdk.io.File.enableADS`
+has been added to control this behavior. To disable ADS support in
+`java.io.File`, the system property `jdk.io.File.enableADS` should be
+set to `false` (case ignored). Stricter path checking however prevents
+the use of special devices such as `NUL:`
+
New in release OpenJDK 17.0.3 (2022-04-19):
===========================================
Live versions of these release notes can be found at:
diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh
index bf21bc4..eb99e1a 100755
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@@ -37,6 +37,8 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com
COMPRESSION_DEFAULT=xz
+# Corresponding IcedTea version
+ICEDTEA_VERSION=12.0
if [ "x$1" = "xhelp" ] ; then
echo -e "Behaviour may be specified by setting the following variables:\n"
@@ -126,11 +128,10 @@ pushd "${FILE_NAME_ROOT}"
echo "Syncing EC list with NSS"
if [ "x$PR3823" = "x" ] ; then
- # originally for 8:
- # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
- # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
+ # get PR3823.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+ # Do not push it or publish it
echo "PR3823 not found. Downloading..."
- wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.pat…
+ wget -v https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr382…
echo "Applying ${PWD}/pr3823.patch"
patch -Np1 < pr3823.patch
rm pr3823.patch
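Review bot: The file fetched by the new `wget -v` line is passed straight to `patch -Np1` with no integrity check, and the URL names the `${ICEDTEA_VERSION}` branch rather than a fixed revision, so the tarball content depends on whatever that branch serves at download time. Verifying a recorded digest before the patch is applied would make the result reproducible, for example `echo "<expected-sha512>  pr3823.patch" | sha512sum -c -` (placeholder digest). Alternatively the URL could name a fixed commit instead of the branch. The URL is truncated on this page and the enclosing `if` continues past the hunk, so the full path and any `else` branch are not visible here.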
@@ -142,6 +143,14 @@ pushd "${FILE_NAME_ROOT}"
popd
fi
+ # Generate .src-rev so build has knowledge of the revision the tarball was created from
+ mkdir build
+ pushd build
+ sh ${PWD}/../openjdk/configure
+ make store-source-revision
+ popd
+ rm -rf build
+
echo "Compressing remaining forest"
if [ "X$COMPRESSION" = "Xxz" ] ; then
SWITCH=cJf
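Review bot: `sh ${PWD}/../openjdk/configure` expands `${PWD}` unquoted, so a working directory containing whitespace splits the path; `sh "${PWD}/../openjdk/configure"` avoids that. With `set -e` in effect (it appears in the first hunk's header), a failing `configure` or `make store-source-revision` exits before `rm -rf build`, and a leftover `build` directory would presumably make `mkdir build` fail on a re-run over the same tree. A comment such as `# NOTE: runs configure, so the build dependencies must be installed on the machine creating the tarball` would document the new requirement this step introduces.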
@@ -152,5 +161,3 @@ pushd "${FILE_NAME_ROOT}"
mv ${FILE_NAME_ROOT}.tar.${COMPRESSION} ..
popd
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
-
-
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 40394dd..22fe90f 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -309,7 +309,7 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
-%global updatever 3
+%global updatever 4
%global patchver 0
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
@@ -339,8 +339,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver 7
-%global rpmrelease 7
+%global buildver 1
+%global rpmrelease 1
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -366,18 +366,18 @@
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
# - N%%{?extraver}{?dist} for GA releases
-%global is_ga 1
+%global is_ga 0
%if %{is_ga}
%global build_type GA
-%global expected_ea_designator ""
+%global ea_designator ""
%global ea_designator_zip ""
%global extraver %{nil}
%global eaprefix %{nil}
%else
%global build_type EA
-%global expected_ea_designator ea
-%global ea_designator_zip -%{expected_ea_designator}
-%global extraver .%{expected_ea_designator}
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
%global eaprefix 0.
%endif
@@ -1106,7 +1106,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
-Requires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 17.0.4
+Requires: tzdata-java >= 2022a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@@ -1346,8 +1347,6 @@ Patch1001: fips-17u-%{fipsver}.patch
# OpenJDK patches in need of upstreaming
#
#############################################
-# JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
-Patch7: jdk8282004-x86_32-missing_call_effects.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -1385,7 +1384,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
-BuildRequires: tzdata-java >= 2015d
+# 2022a required as of JDK-8283350 in 17.0.4
+BuildRequires: tzdata-java >= 2022a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1750,7 +1750,6 @@ pushd %{top_level_dir_name}
%patch2 -p1
%patch3 -p1
%patch6 -p1
-%patch7 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
@@ -1759,6 +1758,27 @@ popd # openjdk
%patch600
+# The OpenJDK version file includes the current
+# upstream version information. For some reason,
+# configure does not automatically use the
+# default pre-version supplied there (despite
+# what the file claims), so we pass it manually
+# to configure
+VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
+if [ -f ${VERSION_FILE} ] ; then
+ UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
+else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+fi
+if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
+ echo "WARNING: Designator mismatch";
+ echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
+ echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
+ # Don't fail at present as upstream are not maintaining the value correctly
+ #exit 17
+fi
+
# Extract systemtap tapsets
%if %{with_systemtap}
tar --strip-components=1 -x -I xz -f %{SOURCE8}
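Review bot: The mismatch branch now only prints a warning to stdout, while the later `--with-version-pre="%{ea_designator}"` hunk stamps the spec's own value into the JDK, so a wrong `is_ga` setting would pass unnoticed in a long build log. Sending the message to stderr, `echo "WARNING: Designator mismatch" >&2`, and tagging the disabled exit, `# TODO: restore 'exit 17' once upstream maintains DEFAULT_PROMOTED_VERSION_PRE`, would keep the check from being forgotten. `${VERSION_FILE}` is also expanded unquoted in the `[ -f ... ]` test and in the `grep`.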
@@ -1855,31 +1875,13 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
- # The OpenJDK version file includes the current
- # upstream version information. For some reason,
- # configure does not automatically use the
- # default pre-version supplied there (despite
- # what the file claims), so we pass it manually
- # to configure
- VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
- if [ -f ${VERSION_FILE} ] ; then
- EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
- else
- echo "Could not find OpenJDK version file.";
- exit 16
- fi
- if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
- echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
- exit 17
- fi
-
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
- echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir}
pushd ${outputdir}
@@ -1892,7 +1894,7 @@ function buildjdk() {
--with-jobs=1 \
%endif
--with-version-build=%{buildver} \
- --with-version-pre="${EA_DESIGNATOR}" \
+ --with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
--with-vendor-name="Red Hat, Inc." \
@@ -2120,6 +2122,9 @@ for suffix in %{build_loop} ; do
# Check debug symbols were built into the dynamic libraries
debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+ # Print release information
+ cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
+
# build cycles
done # end of release / debug cycle loop
@@ -2547,6 +2552,18 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Jul 11 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.4.0.1-0.1.ea
+- Update to jdk-17.0.4.0+1
+- Update release notes to 17.0.4.0+1
+- Switch to EA mode for 17.0.4 pre-release builds.
+- Drop JDK-8282004 patch which is now upstreamed under JDK-8282231
+- Print release file during build, which should now include a correct SOURCE value from .src-rev
+- Update tarball script with IcedTea GitHub URL and .src-rev generation
+- Include script to generate bug list for release notes
+- Update tzdata requirement to 2022a to match JDK-8283350
+- Move EA designator check to prep so failures can be caught earlier
+- Make EA designator check non-fatal while upstream is not maintaining it
+
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
- Fix whitespace in spec file
diff --git a/jdk8282004-x86_32-missing_call_effects.patch b/jdk8282004-x86_32-missing_call_effects.patch
deleted file mode 100644
index 3efe993..0000000
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
-index a31a38a384f..6138ca5281f 100644
---- a/src/hotspot/cpu/x86/x86_32.ad
-+++ b/src/hotspot/cpu/x86/x86_32.ad
-@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Divide Register Long
--instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (DivL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
-@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
- %}
-
- // Remainder Register Long
--instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
-+instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
- match(Set dst (ModL src1 src2));
-- effect( KILL cr, KILL cx, KILL bx );
-+ effect(CALL);
- ins_cost(10000);
- format %{ "PUSH $src1.hi\n\t"
- "PUSH $src1.lo\n\t"
diff --git a/openjdk_news.sh b/openjdk_news.sh
new file mode 100755
index 0000000..560b356
--- /dev/null
+++ b/openjdk_news.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Copyright (C) 2022 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew(a)redhat.com>, 2012-2022
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+OLD_RELEASE=$1
+NEW_RELEASE=$2
+SUBDIR=$3
+REPO=$4
+SCRIPT_DIR=$(dirname ${0})
+
+if test "x${SUBDIR}" = "x"; then
+ echo "No subdirectory specified; using .";
+ SUBDIR=".";
+fi
+
+if test "x$REPO" = "x"; then
+ echo "No repository specified; using ${PWD}"
+ REPO=${PWD}
+fi
+
+if test x${TMPDIR} = x; then
+ TMPDIR=/tmp;
+fi
+
+echo "Repository: ${REPO}"
+
+if [ -e ${REPO}/.git ] ; then
+ TYPE=git;
+elif [ -e ${REPO}/.hg ] ; then
+ TYPE=hg;
+else
+ echo "No Mercurial or Git repository detected.";
+ exit 1;
+fi
+
+if test "x$OLD_RELEASE" = "x" || test "x$NEW_RELEASE" = "x"; then
+ echo "ERROR: Need to specify old and new release";
+ exit 2;
+fi
+
+echo "Listing fixes between $OLD_RELEASE and $NEW_RELEASE in $REPO"
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 ${TMPDIR}/fixes
+for repos in . $(${SCRIPT_DIR}/discover_trees.sh ${REPO});
+do
+ if test "x$TYPE" = "xhg"; then
+ hg log -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*summary'|grep -v 'Added tag'|sed -r 's#^[o:| ]*summary:\W*([0-9])# - JDK-\1#'| \
+ sed 's#^[o:| ]*summary:\W*# - #' >> ${TMPDIR}/fixes2;
+ hg log -v -r "tag('$NEW_RELEASE'):tag('$OLD_RELEASE') - tag('$OLD_RELEASE')" -R $REPO/$repos -G -M ${REPO}/${SUBDIR} | \
+ egrep '^[o:| ]*[0-9]{7}'|sed -r 's#^[o:| ]*([0-9]{7})# - JDK-\1#' >> ${TMPDIR}/fixes3;
+ else
+ git -C ${REPO} log --no-merges --pretty=format:%B ${NEW_RELEASE}...${OLD_RELEASE} -- ${SUBDIR} |egrep '^[0-9]{7}' | \
+ sed -r 's#^([0-9])# - JDK-\1#' >> ${TMPDIR}/fixes2;
+ touch ${TMPDIR}/fixes3 ; # unused
+ fi
+done
+
+sort ${TMPDIR}/fixes2 ${TMPDIR}/fixes3 | uniq > ${TMPDIR}/fixes
+rm -f ${TMPDIR}/fixes2 ${TMPDIR}/fixes3
+
+echo "In ${TMPDIR}/fixes:"
+cat ${TMPDIR}/fixes
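Review bot: The intermediate and result files use the fixed names `fixes`, `fixes2` and `fixes3` directly under `${TMPDIR}`, which defaults to the shared `/tmp`. On a multi-user machine a pre-existing file or symlink with one of those names would be appended to or overwritten, and two concurrent runs would mix their output. Creating a private directory first, `WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/openjdk_news.XXXXXX") || exit 3`, and writing the three files under `${WORKDIR}` removes both problems. Separately, `test x${TMPDIR} = x` and the `${REPO}`/`${SUBDIR}` expansions are unquoted, and the check for missing release arguments runs only after the repository detection; moving it to the top would fail faster.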
diff --git a/sources b/sources
index e4816a7..ded0ae9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567
+SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1
commit 1d41f8167f4acd4ac0e33e8ea3835b5535abe77d
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Thu Jul 7 20:30:28 2022 +0100
Fix whitespace in spec file
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 9a63e0b..40394dd 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -552,7 +552,7 @@ alternatives \\
--slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
--slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
- %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
+ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
%{set_if_needed_alternatives $key %{family}}
@@ -1937,41 +1937,41 @@ function installjdk() {
local imagepath=${1}
if [ -d ${imagepath} ] ; then
- # the build (erroneously) removes read permissions from some jars
- # this is a regression in OpenJDK 7 (our compiler):
- # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
- find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
-
- # Build screws up permissions on binaries
- # https://bugs.openjdk.java.net/browse/JDK-8173610
- find ${imagepath} -iname '*.so' -exec chmod +x {} \;
- find ${imagepath}/bin/ -exec chmod +x {} \;
-
- # Install nss.cfg right away as we will be using the JRE above
- install -m 644 nss.cfg ${imagepath}/conf/security/
-
- # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
- install -m 644 nss.fips.cfg ${imagepath}/conf/security/
-
- # Turn on system security properties
- sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
- ${imagepath}/conf/security/java.security
-
- # Use system-wide tzdata
- mv ${imagepath}/lib/tzdb.dat{,.upstream}
- ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
-
- # Rename OpenJDK cacerts database
- mv ${imagepath}/lib/security/cacerts{,.upstream}
- # Install cacerts symlink needed by some apps which hard-code the path
- ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
-
- # Create fake alt-java as a placeholder for future alt-java
- pushd ${imagepath}
- # add alt-java man page
- echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
- cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
- popd
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
+ # Use system-wide tzdata
+ mv ${imagepath}/lib/tzdb.dat{,.upstream}
+ ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+ # Rename OpenJDK cacerts database
+ mv ${imagepath}/lib/security/cacerts{,.upstream}
+ # Install cacerts symlink needed by some apps which hard-code the path
+ ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
fi
}
@@ -1982,58 +1982,58 @@ function debugcheckjdk() {
if [ -d ${imagepath} ] ; then
- so_suffix="so"
- # Check debug symbols are present and can identify code
- find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
- do
- if [ -f "$lib" ] ; then
- echo "Testing $lib for debug symbols"
- # All these tests rely on RPM failing the build if the exit code of any set
- # of piped commands is non-zero.
-
- # Test for .debug_* sections in the shared object. This is the main test
- # Stripped objects will not contain these
- eu-readelf -S "$lib" | grep "] .debug_"
- test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
-
- # Test FILE symbols. These will most likely be removed by anything that
- # manipulates symbol tables because it's generally useless. So a nice test
- # that nothing has messed with symbols
- old_IFS="$IFS"
- IFS=$'\n'
- for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
- do
- # We expect to see .cpp files, except for architectures like aarch64 and
- # s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
- done
- IFS="$old_IFS"
-
- # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
- if [ "`basename $lib`" = "libjvm.so" ]; then
- eu-readelf -s "$lib" | \
- grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
- fi
-
- # Test that there are no .gnu_debuglink sections pointing to another
- # debuginfo file. There shouldn't be any debuginfo files, so the link makes
- # no sense either
- eu-readelf -S "$lib" | grep 'gnu'
- if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
- echo "bad .gnu_debuglink section."
- eu-readelf -x .gnu_debuglink "$lib"
- false
- fi
- fi
- done
-
- # Make sure gdb can do a backtrace based on line numbers on libjvm.so
- # javaCalls.cpp:58 should map to:
- # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/…
- # Using line number 1 might cause build problems. See:
- # https://bugzilla.redhat.com/show_bug.cgi?id=1539664
- # https://bugzilla.redhat.com/show_bug.cgi?id=1538767
- gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
+ so_suffix="so"
+ # Check debug symbols are present and can identify code
+ find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+ do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+ done
+
+ # Make sure gdb can do a backtrace based on line numbers on libjvm.so
+ # javaCalls.cpp:58 should map to:
+ # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/…
+ # Using line number 1 might cause build problems. See:
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+ gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
handle SIGSEGV pass nostop noprint
handle SIGILL pass nostop noprint
set breakpoint pending on
@@ -2045,7 +2045,7 @@ end
run -version
EOF
%ifarch %{gdb_arches}
- grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+ grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
fi
@@ -2232,9 +2232,9 @@ popd
# end moving files to /etc
# stabilize permissions
-find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
-find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
-find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
# end, dual install
done
@@ -2318,7 +2318,7 @@ local posix = require "posix"
if (os.getenv("debug") == "true") then
debug = true;
print("cjc: in spec debug is on")
-else
+else
debug = false;
end
@@ -2547,6 +2547,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
+- Fix whitespace in spec file
+
* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
commit 034d3998e606a175245c36ea793bce0c2e9df0b1
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Thu Jul 7 20:26:58 2022 +0100
Sequence spec file sections as they are run by rpmbuild (build, install then test)
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index c9d86fe..9a63e0b 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -2123,68 +2123,6 @@ for suffix in %{build_loop} ; do
# build cycles
done # end of release / debug cycle loop
-%check
-
-# We test debug first as it will give better diagnostics on a crash
-for suffix in %{build_loop} ; do
-
-export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
-
-#check Shenandoah is enabled
-%if %{use_shenandoah_hotspot}
-$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
-%endif
-
-# Check unlimited policy has been used
-$JAVA_HOME/bin/javac -d . %{SOURCE13}
-$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
-
-# Check ECC is working
-$JAVA_HOME/bin/javac -d . %{SOURCE14}
-$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-
-# Check system crypto (policy) is active and can be disabled
-# Test takes a single argument - true or false - to state whether system
-# security properties are enabled or not.
-$JAVA_HOME/bin/javac -d . %{SOURCE15}
-export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
-export SEC_DEBUG="-Djava.security.debug=properties"
-$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
-$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
-
-# Check java launcher has no SSB mitigation
-if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
-
-# Check alt-java launcher has SSB mitigation on supported architectures
-%ifarch %{ssbd_arches}
-nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
-%else
-if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
-%endif
-
-%if %{include_staticlibs}
-# Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
-readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
-readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
-%endif
-
-# Check src.zip has all sources. See RHBZ#1130490
-$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
-
-# Check class files include useful debugging information
-$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
-$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
-$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
-
-# Check generated class files include useful debugging information
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
-$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
-
-# build cycles check
-done
-
%install
STRIP_KEEP_SYMTAB=libjvm*
@@ -2301,6 +2239,70 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
# end, dual install
done
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+# Tests in the check stage are performed on the installed image
+# rpmbuild operates as follows: build -> install -> test
+export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
+%endif
+
+# Check src.zip has all sources. See RHBZ#1130490
+$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
+
+# Check class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
+
+# Check generated class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+
+# build cycles check
+done
+
%if %{include_normal_build}
# intentionally only for non-debug
%pretrans headless -p <lua>
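Review bot: The two negative SSB checks in the new %check section (`if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi` and the `%else` branch for `%{alt_java_name}`) pass whenever `grep` finds no match, which includes `nm` failing or listing no symbols at all. They run against the image under `${RPM_BUILD_ROOT}`, and commit 14d01cc further down this page states that the install stage strips files, so it should be confirmed that the launchers still carry a symbol table at this point. I would capture the listing and require it to be non-empty before grepping it, e.g. `nm $JAVA_HOME/bin/java > nm.java.out && test -s nm.java.out`. If the symbol table does not survive install, these checks belong in the build stage next to the debug-symbol checks.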
@@ -2545,6 +2547,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jul 07 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
+- Sequence spec file sections as they are run by rpmbuild (build, install then test)
+
* Tue Jul 05 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
commit 14d01cca4a503d51f3948b24adfa87b26a46a95f
Author: Andrew Hughes <gnu.andrew(a)redhat.com>
Date: Tue Jul 5 18:01:34 2022 +0100
Turn on system security properties as part of the build's install section
Move cacerts replacement to install section and retain original of this and tzdb.dat
Run tests on the installed image, rather than the build image
Introduce variables to refer to the static library installation directories
Use relative symlinks so they work within the image
Run debug symbols check during build stage, before the install strips them
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 7950912..c9d86fe 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -340,7 +340,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 6
+%global rpmrelease 7
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -404,6 +404,10 @@
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs
+# installation directory for static libraries
+%global static_libs_root lib/static
+%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
+%global static_libs_install_dir %{static_libs_arch_dir}/glibc
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
@@ -810,6 +814,7 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
@@ -868,6 +873,7 @@ exit 0
%dir %{etcjavadir -- %{?1}}/lib
%dir %{etcjavadir -- %{?1}}/lib/security
%{etcjavadir -- %{?1}}/lib/security/cacerts
+%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
%dir %{etcjavadir -- %{?1}}/conf
%dir %{etcjavadir -- %{?1}}/conf/sdp
%dir %{etcjavadir -- %{?1}}/conf/management
@@ -1038,10 +1044,10 @@ exit 0
}
%define files_static_libs() %{expand:
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
-%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
-%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
+%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
}
%define files_javadoc() %{expand:
@@ -1806,6 +1812,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
+
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1}
@@ -1946,9 +1953,18 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Turn on system security properties
+ sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${imagepath}/conf/security/java.security
+
# Use system-wide tzdata
- rm ${imagepath}/lib/tzdb.dat
- ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+ mv ${imagepath}/lib/tzdb.dat{,.upstream}
+ ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+ # Rename OpenJDK cacerts database
+ mv ${imagepath}/lib/security/cacerts{,.upstream}
+ # Install cacerts symlink needed by some apps which hard-code the path
+ ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
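Review bot: The added `sed -i` that sets `security.useSystemPropertiesFile=true` succeeds even when `java.security` has no line starting with `security.useSystemPropertiesFile=`, so a change in the upstream file would leave system security properties off with no error at this step. An assertion right after it, `grep -q '^security.useSystemPropertiesFile=true$' ${imagepath}/conf/security/java.security`, would fail the build at the point of cause instead of relying on the later TestSecurityProperties run. The new cacerts link targets the absolute path `/etc/pki/java/cacerts`, so any JDK image used during the build presumably resolves its trust store from the build environment; a comment stating that this is intended would help. installjdk starts before this hunk and continues after it.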
@@ -1959,6 +1975,82 @@ function installjdk() {
fi
}
+# Checks on debuginfo must be performed before the files are stripped
+# by the RPM installation stage
+function debugcheckjdk() {
+ local imagepath=${1}
+
+ if [ -d ${imagepath} ] ; then
+
+ so_suffix="so"
+ # Check debug symbols are present and can identify code
+ find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+ do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+ done
+
+ # Make sure gdb can do a backtrace based on line numbers on libjvm.so
+ # javaCalls.cpp:58 should map to:
+ # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/…
+ # Using line number 1 might cause build problems. See:
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+ gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
+handle SIGSEGV pass nostop noprint
+handle SIGILL pass nostop noprint
+set breakpoint pending on
+break javaCalls.cpp:58
+commands 1
+backtrace
+quit
+end
+run -version
+EOF
+%ifarch %{gdb_arches}
+ grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+%endif
+
+ fi
+}
+
%if %{build_hotspot_first}
# Build a fresh libjvm.so first and use it to bootstrap
cp -LR --preserve=mode,timestamps %{bootjdk} newboot
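Review bot: debugcheckjdk returns success without checking anything when `${imagepath}` is not a directory, because `if [ -d ${imagepath} ]` has no `else` branch; the same holds when `find` matches no `*.so` file. For a function whose purpose is to fail the build on missing debug information, I would add `else echo "debugcheckjdk: ${imagepath} is not a directory" >&2 ; false` before the closing `fi`, and quote the test as `[ -d "${imagepath}" ]`. The gdb session is only asserted under `%ifarch %{gdb_arches}`, and unless pipefail is set elsewhere in the spec the pipeline's status is that of `tee`, so on other architectures a failing gdb run goes unnoticed; a comment saying so would help. `so_suffix` and `old_IFS` could be declared `local` like `imagepath`.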
@@ -2025,6 +2117,8 @@ for suffix in %{build_loop} ; do
# Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+ # Check debug symbols were built into the dynamic libraries
+ debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# build cycles
done # end of release / debug cycle loop
@@ -2034,22 +2128,11 @@ done # end of release / debug cycle loop
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
-top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
-%if %{include_staticlibs}
-top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
-%endif
-
-export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
-
-# Pre-test setup
-
-# Turn on system security properties
-sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
- ${JAVA_HOME}/conf/security/java.security
+export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
-$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
%endif
# Check unlimited policy has been used
@@ -2081,75 +2164,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
-export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
-readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
-readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
-%endif
-
-so_suffix="so"
-# Check debug symbols are present and can identify code
-find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
-do
- if [ -f "$lib" ] ; then
- echo "Testing $lib for debug symbols"
- # All these tests rely on RPM failing the build if the exit code of any set
- # of piped commands is non-zero.
-
- # Test for .debug_* sections in the shared object. This is the main test
- # Stripped objects will not contain these
- eu-readelf -S "$lib" | grep "] .debug_"
- test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
-
- # Test FILE symbols. These will most likely be removed by anything that
- # manipulates symbol tables because it's generally useless. So a nice test
- # that nothing has messed with symbols
- old_IFS="$IFS"
- IFS=$'\n'
- for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
- do
- # We expect to see .cpp files, except for architectures like aarch64 and
- # s390 where we expect .o and .oS files
- echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
- done
- IFS="$old_IFS"
-
- # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
- if [ "`basename $lib`" = "libjvm.so" ]; then
- eu-readelf -s "$lib" | \
- grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
- fi
-
- # Test that there are no .gnu_debuglink sections pointing to another
- # debuginfo file. There shouldn't be any debuginfo files, so the link makes
- # no sense either
- eu-readelf -S "$lib" | grep 'gnu'
- if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
- echo "bad .gnu_debuglink section."
- eu-readelf -x .gnu_debuglink "$lib"
- false
- fi
- fi
-done
-
-# Make sure gdb can do a backtrace based on line numbers on libjvm.so
-# javaCalls.cpp:58 should map to:
-# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/…
-# Using line number 1 might cause build problems. See:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
-# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
-gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
-handle SIGSEGV pass nostop noprint
-handle SIGILL pass nostop noprint
-set breakpoint pending on
-break javaCalls.cpp:58
-commands 1
-backtrace
-quit
-end
-run -version
-EOF
-%ifarch %{gdb_arches}
-grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
%endif
# Check src.zip has all sources. See RHBZ#1130490
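Review bot: The static-library debug-symbol check kept in this hunk now reads `libfdlibm.a` from the installed image through `STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}`, while the same commit moves the shared-library debug checks to the build stage because the install stage strips files. If static archives are exempt from that stripping, the spec should say so next to the check, for instance `# static archives keep their debug info through install (TODO confirm), unlike the shared objects checked in debugcheckjdk`. If they are not exempt, this check belongs with debugcheckjdk. The surrounding test loop starts and ends outside the hunk.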
@@ -2196,17 +2213,10 @@ pushd ${jdk_image}
install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
for name in $tapsetFiles ; do
targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
- ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
+ ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
done
%endif
- # Remove empty cacerts database
- rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
- # Install cacerts symlink needed by some apps which hard-code the path
- pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
- ln -sf /etc/pki/java/cacerts .
- popd
-
# Install version-ed symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
@@ -2226,11 +2236,12 @@ pushd ${jdk_image}
rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
popd
+
# Install static libs artefacts
%if %{include_staticlibs}
-mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
+mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
- $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
+ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
%endif
if ! echo $suffix | grep -q "debug" ; then
@@ -2275,10 +2286,10 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
- ln -s %{etcjavadir -- $suffix}/conf ./conf
+ ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf
popd
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
- ln -s %{etcjavadir -- $suffix}/lib/security ./security
+ ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security
popd
# end moving files to /etc
@@ -2534,6 +2545,14 @@ cjc.mainProgram(args)
%endif
%changelog
+* Tue Jul 05 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-7
+- Turn on system security properties as part of the build's install section
+- Move cacerts replacement to install section and retain original of this and tzdb.dat
+- Run tests on the installed image, rather than the build image
+- Introduce variables to refer to the static library installation directories
+- Use relative symlinks so they work within the image
+- Run debug symbols check during build stage, before the install strips them
+
* Fri Jul 01 2022 Stephan Bergmann <sbergman(a)redhat.com> - 1:17.0.3.0.7-6
- Fix flatpak builds by exempting them from bootstrap
commit de9ee0719807ae772e241f5e8cd8f76291d331e7
Author: Stephan Bergmann <sbergman(a)redhat.com>
Date: Mon Apr 4 14:58:57 2022 +0200
Fix flatpak builds
...after 19065a8b01585a1aa5f22e38e99fc0c47c597074 "Temporarily move x86 to use
Zero in order to get a working build":
When building the
> if ${run_bootstrap} ; then
branch for suffix='' and loop='-main', the second
> buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk
on the previous line. But installjdk does
> rm ${imagepath}/lib/tzdb.dat
> ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a
flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non-
flatpak build) which is not present at build-time (but will be present at
runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for
the flatpak /app prefix). So using that JDK's compiler during the build kept
failing due to java.io.FileNotFoundException for its lib/tzdb.dat.
(This was not an issue prior to 19065a8b01585a1aa5f22e38e99fc0c47c597074, as
installjdk's modification of lib/tzdb.dat used to be done only for the "Final
setup on the main image" at the very end of the build, not during the build for
JDKs that are themselves used later during the build.)
The easiest workaround for this issue appears to be to just not bootstrap_build
in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has
been modified through installjdk is used during the build.
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 31c6750..7950912 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -190,11 +190,15 @@
%global staticlibs_loop %{nil}
%endif
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
+%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
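Review bot: The new `%if 0%{?flatpak}` branch that forces `bootstrap_build false` has no comment in the spec, so the reason for the exemption lives only in the commit message. A short comment above the branch would keep it with the code, e.g. `# flatpak: installjdk links lib/tzdb.dat to a path that is absent at build time, so an installed JDK cannot be reused to bootstrap`.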
@@ -336,7 +340,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 5
+%global rpmrelease 6
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2530,6 +2534,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Fri Jul 01 2022 Stephan Bergmann <sbergman(a)redhat.com> - 1:17.0.3.0.7-6
+- Fix flatpak builds by exempting them from bootstrap
+
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari(a)redhat.com> - 1:17.0.3.0.7-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
commit 92f9e6d8e30cce2d96af267b7579b4ab851eda0a
Author: Francisco Ferrari Bihurriet <fferrari(a)redhat.com>
Date: Thu Jun 30 13:51:25 2022 -0300
RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.…
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index dae285c..31c6750 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -336,7 +336,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 4
+%global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -2530,6 +2530,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari(a)redhat.com> - 1:17.0.3.0.7-5
+- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
+
* Mon Jun 27 2022 Stephan Bergmann <sbergman(a)redhat.com> - 1:17.0.3.0.7-4
- Fix flatpak builds (catering for their uncompressed manual pages)
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
index 1aff153..2d9ec35 100644
--- a/nss.fips.cfg.in
+++ b/nss.fips.cfg.in
@@ -4,3 +4,5 @@ nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
+
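Review bot: The added `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` line changes the permitted usage of generic secret keys handled through this FIPS provider configuration, and the file itself gives no reason for it. I would record the reference next to the line: `# RH2007331: set CKA_SIGN=true on generated/imported generic secret keys in FIPS mode`. The commit message speaks of generate/import operations while the template uses `*`; if those are the only operations the wildcard covers, saying so in the comment removes the doubt.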
commit a6295304fdbd0c105ba5d6c09e45495e7ec0a631
Author: Stephan Bergmann <sbergman(a)redhat.com>
Date: Tue Jun 14 13:08:00 2022 +0200
Fix flatpak builds (catering for their uncompressed manual pages)
...see
<https://docs.fedoraproject.org/en-US/flatpak/troubleshooting/#_uncompressed…>
for details
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index b9b18b5..dae285c 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -336,7 +336,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 3
+%global rpmrelease 4
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -933,7 +933,7 @@ exit 0
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
-%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@@ -972,11 +972,11 @@ exit 0
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
-%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
-%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
%dir %{tapsetroot}
@@ -2530,6 +2530,9 @@ cjc.mainProgram(args)
%endif
%changelog
+* Mon Jun 27 2022 Stephan Bergmann <sbergman(a)redhat.com> - 1:17.0.3.0.7-4
+- Fix flatpak builds (catering for their uncompressed manual pages)
+
* Wed Jun 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-3
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
commit 2879030caf2866f2fa19887e662a284f771a81ff
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Wed Jun 22 20:17:41 2022 +0100
Update FIPS support to bring in latest changes
* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together
Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
Enable system security properties in the RPM (now disabled by default in the FIPS repo)
Improve security properties test to check both enabled and disabled behaviour
Run security properties test with property debugging on
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
index 06a0b07..552bd0f 100644
--- a/TestSecurityProperties.java
+++ b/TestSecurityProperties.java
@@ -9,35 +9,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
+
+ private static final String MSG_PREFIX = "DEBUG: ";
+
public static void main(String[] args) {
+ if (args.length == 0) {
+ System.err.println("TestSecurityProperties <true|false>");
+ System.err.println("Invoke with 'true' if system security properties should be enabled.");
+ System.err.println("Invoke with 'false' if system security properties should be disabled.");
+ System.exit(1);
+ }
+ boolean enabled = Boolean.valueOf(args[0]);
+ System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
+ if (enabled) {
+ loadPolicy(jdkProps);
+ }
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
- String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
- System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
-
+
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
- System.out.println("Debug: Java version is " + javaVersion);
+ System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
- try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ try (FileInputStream fin = new FileInputStream(propsFile)) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+
+ private static void loadPolicy(Properties props) {
+ try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
+
}
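Review bot: `boolean enabled = Boolean.valueOf(args[0]);` treats every argument other than "true" as false, so a mistyped argument silently runs the test in its 'disabled' mode instead of failing. Because the argument decides which security configuration the test expects, I would reject anything else with `if (!args[0].equals("true") && !args[0].equals("false")) { System.err.println("TestSecurityProperties <true|false>"); System.exit(1); }` and parse with `Boolean.parseBoolean`. In the unchanged loop, `securityVal.equals(jdkSecVal)` throws a NullPointerException when `Security.getProperty` returns null for a key; `!jdkSecVal.equals(securityVal)` would reach the descriptive "Expected value" failure instead.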
diff --git a/fips-17u-3625385b13d.patch b/fips-17u-f8142a23d0a.patch
similarity index 96%
rename from fips-17u-3625385b13d.patch
rename to fips-17u-f8142a23d0a.patch
index eecef3b..c07a4bf 100644
--- a/fips-17u-3625385b13d.patch
+++ b/fips-17u-f8142a23d0a.patch
@@ -1398,7 +1398,7 @@ index a020e1c15d8..6d459fdec01 100644
// Return the instance of this class or create one if needed.
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index ff2bc942c03..d303ae5c8f3 100644
+index ff2bc942c03..96a3ba4040c 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
@@ -1409,7 +1409,7 @@ index ff2bc942c03..d303ae5c8f3 100644
import jdk.internal.access.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.util.Debug;
-@@ -47,6 +48,9 @@ import sun.security.jca.*;
+@@ -47,12 +48,20 @@ import sun.security.jca.*;
* implementation-specific location, which is typically the properties file
* {@code conf/security/java.security} in the Java installation directory.
*
@@ -1419,7 +1419,18 @@ index ff2bc942c03..d303ae5c8f3 100644
* @author Benjamin Renaud
* @since 1.1
*/
-@@ -67,6 +71,19 @@ public final class Security {
+
+ public final class Security {
+
++ private static final String SYS_PROP_SWITCH =
++ "java.security.disableSystemPropertiesFile";
++ private static final String SEC_PROP_SWITCH =
++ "security.useSystemPropertiesFile";
++
+ /* Are we debugging? -- for developers */
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -67,6 +76,19 @@ public final class Security {
}
static {
@@ -1439,7 +1450,15 @@ index ff2bc942c03..d303ae5c8f3 100644
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
-@@ -99,6 +116,7 @@ public final class Security {
+@@ -84,6 +106,7 @@ public final class Security {
+ props = new Properties();
+ boolean loadedProps = false;
+ boolean overrideAll = false;
++ boolean systemSecPropsEnabled = false;
+
+ // first load the system properties file
+ // to determine the value of security.overridePropertiesFile
+@@ -99,6 +122,7 @@ public final class Security {
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
@@ -1447,41 +1466,74 @@ index ff2bc942c03..d303ae5c8f3 100644
}
} catch (IOException e) {
if (sdebug != null) {
-@@ -193,6 +211,28 @@ public final class Security {
+@@ -193,6 +217,61 @@ public final class Security {
}
}
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-+ if (!SystemConfigurator.configureSysProps(props)) {
++ boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false"));
++ boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH));
++ if (sdebug != null) {
++ sdebug.println(SYS_PROP_SWITCH + "=" + sysUseProps);
++ sdebug.println(SEC_PROP_SWITCH + "=" + secUseProps);
++ }
++ if (!sysUseProps && secUseProps) {
++ systemSecPropsEnabled = SystemConfigurator.configureSysProps(props);
++ if (!systemSecPropsEnabled) {
+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
++ sdebug.println("WARNING: System security properties could not be loaded.");
+ }
+ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("System security property support disabled by user.");
++ }
+ }
+
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
-+ if (sdebug != null) {
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
++ if (loadedProps && systemSecPropsEnabled) {
++ boolean shouldEnable;
++ String sysProp = System.getProperty("com.redhat.fips");
++ if (sysProp == null) {
++ shouldEnable = true;
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips unset, using default value of true");
++ }
++ } else {
++ shouldEnable = Boolean.valueOf(sysProp);
++ if (sdebug != null) {
++ sdebug.println("com.redhat.fips set, using its value " + shouldEnable);
+ }
+ }
++ if (shouldEnable) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS mode support configured and enabled.");
++ } else {
++ sdebug.println("FIPS mode support disabled.");
++ }
++ }
++ } else {
++ if (sdebug != null ) {
++ sdebug.println("FIPS mode support disabled by user.");
++ }
++ }
++ } else {
++ if (sdebug != null) {
++ sdebug.println("WARNING: FIPS mode support can not be enabled without " +
++ "system security properties being enabled.");
++ }
+ }
}
/*
diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
-index 00000000000..da2af5defda
+index 00000000000..98ffced455b
--- /dev/null
+++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
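Review bot: In the rewritten block, `sysUseProps` holds the value of `java.security.disableSystemPropertiesFile`, so a true value means the user switched the feature off and `if (!sysUseProps && secUseProps)` reads as the opposite of what it does; a name such as `sysPropsDisabled` would make this security switch easier to audit. The `else` message "System security property support disabled by user." is also printed when `security.useSystemPropertiesFile` is simply false in java.security. The old condition treated any value other than "false" as a request to disable, whereas `Boolean.valueOf` now honours only "true"; if that change is intended it deserves a changelog line. The enclosing static initializer continues outside this hunk.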
@@ -1562,13 +1614,13 @@ index 00000000000..da2af5defda
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configureSysProps(Properties props) {
-+ boolean loadedProps = false;
++ boolean systemSecPropsLoaded = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
-+ loadedProps = true;
++ systemSecPropsLoaded = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
@@ -1581,7 +1633,7 @@ index 00000000000..da2af5defda
+ e.printStackTrace();
+ }
+ }
-+ return loadedProps;
++ return systemSecPropsLoaded;
+ }
+
+ /*
@@ -1653,6 +1705,8 @@ index 00000000000..da2af5defda
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
++ } else {
++ if (sdebug != null) { sdebug.println("FIPS mode not detected"); }
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
@@ -1693,37 +1747,39 @@ index 00000000000..da2af5defda
+ return plainKeySupportEnabled;
+ }
+
-+ /*
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
++ /**
++ * Determines whether FIPS mode should be enabled.
++ *
++ * OpenJDK FIPS mode will be enabled only if the system is in
++ * FIPS mode.
++ *
++ * Calls to this method only occur if the system property
++ * com.redhat.fips is not set to false.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
++ *
++ * @return true if the system is in FIPS mode
+ */
+ private static boolean enableFips() throws Exception {
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ boolean fipsEnabled = getSystemFIPSEnabled();
+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + fipsEnabled);
+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
++ return fipsEnabled;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
+ }
-+ } else {
-+ return false;
++ throw e;
+ }
+ }
+}
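Review bot: The new Javadoc for enableFips() documents `@return` but not the failure path, and the method keeps `throws Exception` although the only exception its visible body raises is the IOException rethrown from getSystemFIPSEnabled(). With the com.redhat.fips check moved out to the caller, this method is now purely the system-state probe, so I would add `@throws IOException if the system FIPS state cannot be read` and narrow the declared type if the native call can throw nothing else. How the caller's `catch (Exception e)` treats that failure is outside this hunk; if it only writes to sdebug, a host whose FIPS state cannot be read would run without the FIPS provider configuration and report it only when security debugging is on.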
@@ -2352,7 +2408,7 @@ index 894e26dfad8..8b16378b96b 100644
"sun.security.ssl.SSLContextImpl$TLSContext",
List.of("SSL"), null);
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 6d91e3f8e4e..5a355e70cae 100644
+index 6d91e3f8e4e..adfaf57d29e 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -79,6 +79,16 @@ security.provider.tbd=Apple
@@ -2360,7 +2416,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
security.provider.tbd=SunPKCS11
+#
-+# Security providers used when global crypto-policies are set to FIPS.
++# Security providers used when FIPS mode support is active
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
@@ -2393,7 +2449,7 @@ index 6d91e3f8e4e..5a355e70cae 100644
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
-+security.useSystemPropertiesFile=true
++security.useSystemPropertiesFile=false
+
#
# Determines the default key and trust manager factory algorithms for
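Review bot: The comment above `security.useSystemPropertiesFile` should state that the default is now off and that switching it off also switches off FIPS mode support. The Security.java part of this same patch calls configureFIPS only when `loadedProps && systemSecPropsEnabled` holds, and otherwise just prints "FIPS mode support can not be enabled without system security properties being enabled" to the debug stream. Anyone building from this patch without a packaging step that flips the value back therefore gets neither the crypto-policies settings nor the FIPS provider list, with no message unless security debugging is enabled. A line such as `# Disabled by default; FIPS mode support also requires this to be true.` would make the dependency visible where the setting is made.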
@@ -3074,7 +3130,7 @@ index 112b639aa96..5549cd9ed4e 100644
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 5c0aacd1a67..372a50dd587 100644
+index 5c0aacd1a67..1e98ce2e280 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
@@ -3087,8 +3143,21 @@ index 5c0aacd1a67..372a50dd587 100644
import java.util.*;
import java.security.AccessController;
-@@ -152,16 +155,30 @@ public class PKCS11 {
+@@ -150,18 +153,43 @@ public class PKCS11 {
+ this.pkcs11ModulePath = pkcs11ModulePath;
+ }
++ /*
++ * Compatibility wrapper to allow this method to work as before
++ * when FIPS mode support is not active.
++ */
++ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
++ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
++ boolean omitInitialize) throws IOException, PKCS11Exception {
++ return getInstance(pkcs11ModulePath, functionList,
++ pInitArgs, omitInitialize, null, null);
++ }
++
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
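Review bot: The comment on the new four-argument getInstance() overload does not say what the two `null` arguments it forwards stand for, and it is a plain block comment on a public method rather than Javadoc. The six-argument signature's trailing parameters are cut off in this hunk, so I can only suggest the shape: a `/** ... */` comment that names both omitted parameters and states that instances obtained through this overload are created without them. It is also worth confirming, outside this hunk, that the six-argument method tolerates `null` for both when FIPS mode support is active, since callers written against the old signature will now always take this path.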
@@ -3121,7 +3190,7 @@ index 5c0aacd1a67..372a50dd587 100644
}
if (omitInitialize == false) {
try {
-@@ -1911,4 +1928,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+@@ -1911,4 +1939,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 057f7ad..b9b18b5 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -328,7 +328,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
-%global fipsver 3625385b13d
+%global fipsver f8142a23d0a
# Standard JPackage naming and versioning defines
%global origin openjdk
@@ -336,7 +336,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 2
+%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1327,6 +1327,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
# RH2023467: Enable FIPS keys export
# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
Patch1001: fips-17u-%{fipsver}.patch
#############################################
@@ -2035,6 +2037,12 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+# Pre-test setup
+
+# Turn on system security properties
+sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
+ ${JAVA_HOME}/conf/security/java.security
+
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
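Review bot: The added `sed` sits under the heading "Pre-test setup" and edits the java.security inside the build-tree image that JAVA_HOME points at, while the changelog describes the change as enabling system security properties in the RPM. The enclosing scriptlet starts outside this hunk; if it is %check, rpmbuild has already run %install by then, so the packaged copy would keep the patch's new default of `security.useSystemPropertiesFile=false` unless the packaged files are taken from this image afterwards. Since that default also gates FIPS mode support, I would either move the edit to where the image is assembled or add a check on the installed file, for example `grep -q '^security.useSystemPropertiesFile=true$' <installed java.security path>`. `sed -i` also exits 0 when the pattern matches nothing, so only the later `${PROG} true` run would notice if the property line were renamed.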
@@ -2048,9 +2056,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
-# Check system crypto (policy) can be disabled
+# Check system crypto (policy) is active and can be disabled
+# Test takes a single argument - true or false - to state whether system
+# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
-$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
+export SEC_DEBUG="-Djava.security.debug=properties"
+$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
+$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@@ -2517,6 +2530,15 @@ cjc.mainProgram(args)
%endif
%changelog
+* Wed Jun 22 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-3
+- Update FIPS support to bring in latest changes
+- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+- * RH2090378: Revert to disabling system security properties and FIPS mode support together
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
+- Improve security properties test to check both enabled and disabled behaviour
+- Run security properties test with property debugging on
+
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-2
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
index b552b99..6d2342a 100644
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -1,5 +1,5 @@
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
-index 5a355e70cae..c730ea26ea2 100644
+index adfaf57d29e..abf89bbf327 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
@@ -9,4 +9,4 @@ index 5a355e70cae..c730ea26ea2 100644
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
- # Security providers used when global crypto-policies are set to FIPS.
+ # Security providers used when FIPS mode support is active
commit 756a991906919de0d448abf84e9a66cf96dc6afd
Author: Andrew John Hughes <gnu_andrew(a)member.fsf.org>
Date: Mon Jun 13 00:05:38 2022 +0100
Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
RH2023467: Enable FIPS keys export
RH2094027: SunEC runtime permission for FIPS
diff --git a/fips-17u-3625385b13d.patch b/fips-17u-3625385b13d.patch
new file mode 100644
index 0000000..eecef3b
--- /dev/null
+++ b/fips-17u-3625385b13d.patch
@@ -0,0 +1,3589 @@
+diff --git a/make/autoconf/lib-sysconf.m4 b/make/autoconf/lib-sysconf.m4
+new file mode 100644
+index 00000000000..b2b1c1787da
+--- /dev/null
++++ b/make/autoconf/lib-sysconf.m4
+@@ -0,0 +1,84 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+index a65d91ee974..a8f054c1397 100644
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
+ m4_include([lib-x11.m4])
+ m4_include([lib-fontconfig.m4])
+ m4_include([lib-tests.m4])
++m4_include([lib-sysconf.m4])
+
+ ################################################################################
+ # Determine which libraries are needed for this configuration
+@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
+ LIB_TESTS_SETUP_GTEST
++ LIB_SETUP_SYSCONF_LIBS
+
+ BASIC_JDKLIB_LIBS=""
+ if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+index c2c9c4adf3a..9d105b37acf 100644
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -836,6 +836,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/modules/java.base/Lib.gmk b/make/modules/java.base/Lib.gmk
+index 5658ff342e5..cb7a56852f7 100644
+--- a/make/modules/java.base/Lib.gmk
++++ b/make/modules/java.base/Lib.gmk
+@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
+ endif
+ endif
+
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
+ ################################################################################
+ # Create the symbols file for static builds.
+
+diff --git a/src/java.base/linux/native/libsystemconf/systemconf.c b/src/java.base/linux/native/libsystemconf/systemconf.c
+new file mode 100644
+index 00000000000..8dcb7d9073f
+--- /dev/null
++++ b/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -0,0 +1,224 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <jni.h>
++#include <jni_util.h>
++#include "jvm_md.h"
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define MSG_MAX_SIZE 256
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++ } else {
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++ }
++}
+diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+index a020e1c15d8..6d459fdec01 100644
+--- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
++++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+@@ -31,6 +31,7 @@ import java.security.SecureRandom;
+ import java.security.PrivilegedAction;
+ import java.util.HashMap;
+ import java.util.List;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.util.SecurityProviderConstants.*;
+
+@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*;
+
+ public final class SunJCE extends Provider {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ @java.io.Serial
+ private static final long serialVersionUID = 6812507587804302833L;
+
+@@ -143,285 +148,287 @@ public final class SunJCE extends Provider {
+ void putEntries() {
+ // reuse attribute map and reset before each reuse
+ HashMap<String, String> attrs = new HashMap<>(3);
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
+- + "|OAEPWITHMD5ANDMGF1PADDING"
+- + "|OAEPWITHSHA1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-1ANDMGF1PADDING"
+- + "|OAEPWITHSHA-224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-256ANDMGF1PADDING"
+- + "|OAEPWITHSHA-384ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
+- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
+- ps("Cipher", "RSA",
+- "com.sun.crypto.provider.RSACipher", null, attrs);
+-
+- // common block cipher modes, pads
+- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
+- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
+- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
+- final String BLOCK_MODES128 = BLOCK_MODES +
+- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
+- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
+- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DES",
+- "com.sun.crypto.provider.DESCipher", null, attrs);
+- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
+- attrs);
+- ps("Cipher", "Blowfish",
+- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
+-
+- ps("Cipher", "RC2",
+- "com.sun.crypto.provider.RC2Cipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", BLOCK_MODES128);
+- attrs.put("SupportedPaddings", BLOCK_PADS);
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES",
+- "com.sun.crypto.provider.AESCipher$General", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "AES/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_128/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_128/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_128/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_128/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_192/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_192/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_192/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_192/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
+- attrs);
+-
+- psA("Cipher", "AES_256/ECB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CBC/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/OFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/CFB/NoPadding",
+- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
+- attrs);
+- psA("Cipher", "AES_256/KW/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
+- attrs);
+- ps("Cipher", "AES_256/KW/PKCS5Padding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
+- null, attrs);
+- psA("Cipher", "AES_256/KWP/NoPadding",
+- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "GCM");
+- attrs.put("SupportedKeyFormats", "RAW");
+-
+- ps("Cipher", "AES/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
+- attrs);
+- psA("Cipher", "AES_128/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES128",
+- attrs);
+- psA("Cipher", "AES_192/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES192",
+- attrs);
+- psA("Cipher", "AES_256/GCM/NoPadding",
+- "com.sun.crypto.provider.GaloisCounterMode$AES256",
+- attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "CBC");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "DESedeWrap",
+- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedModes", "ECB");
+- attrs.put("SupportedPaddings", "NOPADDING");
+- attrs.put("SupportedKeyFormats", "RAW");
+- psA("Cipher", "ARCFOUR",
+- "com.sun.crypto.provider.ARCFOURCipher", attrs);
+-
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Cipher", "ChaCha20",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
+- null, attrs);
+- psA("Cipher", "ChaCha20-Poly1305",
+- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
+- attrs);
+-
+- // PBES1
+- psA("Cipher", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
+- null);
+- ps("Cipher", "PBEWithMD5AndTripleDES",
+- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
+- psA("Cipher", "PBEWithSHA1AndDESede",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC2_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
+- null);
+- psA("Cipher", "PBEWithSHA1AndRC4_40",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("Cipher", "PBEWithSHA1AndRC4_128",
+- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
+- null);
+-
+- // PBES2
+- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
+-
+- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
+-
+- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
+- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
+-
+- /*
+- * Key(pair) Generator engines
+- */
+- ps("KeyGenerator", "DES",
+- "com.sun.crypto.provider.DESKeyGenerator");
+- psA("KeyGenerator", "DESede",
+- "com.sun.crypto.provider.DESedeKeyGenerator",
+- null);
+- ps("KeyGenerator", "Blowfish",
+- "com.sun.crypto.provider.BlowfishKeyGenerator");
+- psA("KeyGenerator", "AES",
+- "com.sun.crypto.provider.AESKeyGenerator",
+- null);
+- ps("KeyGenerator", "RC2",
+- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
+- psA("KeyGenerator", "ARCFOUR",
+- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
+- null);
+- ps("KeyGenerator", "ChaCha20",
+- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
+- ps("KeyGenerator", "HmacMD5",
+- "com.sun.crypto.provider.HmacMD5KeyGenerator");
+-
+- psA("KeyGenerator", "HmacSHA1",
+- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
+- psA("KeyGenerator", "HmacSHA224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
+- null);
+- psA("KeyGenerator", "HmacSHA256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
+- null);
+- psA("KeyGenerator", "HmacSHA384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
+- null);
+- psA("KeyGenerator", "HmacSHA512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
+- null);
+- psA("KeyGenerator", "HmacSHA512/224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
+- null);
+- psA("KeyGenerator", "HmacSHA512/256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
+- null);
+-
+- psA("KeyGenerator", "HmacSHA3-224",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
+- null);
+- psA("KeyGenerator", "HmacSHA3-256",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
+- null);
+- psA("KeyGenerator", "HmacSHA3-384",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
+- null);
+- psA("KeyGenerator", "HmacSHA3-512",
+- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
+- null);
+-
+- psA("KeyPairGenerator", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyPairGenerator",
+- null);
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
++ + "|OAEPWITHMD5ANDMGF1PADDING"
++ + "|OAEPWITHSHA1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-1ANDMGF1PADDING"
++ + "|OAEPWITHSHA-224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-256ANDMGF1PADDING"
++ + "|OAEPWITHSHA-384ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
++ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++ ps("Cipher", "RSA",
++ "com.sun.crypto.provider.RSACipher", null, attrs);
++
++ // common block cipher modes, pads
++ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
++ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
++ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
++ final String BLOCK_MODES128 = BLOCK_MODES +
++ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
++ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
++ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DES",
++ "com.sun.crypto.provider.DESCipher", null, attrs);
++ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
++ attrs);
++ ps("Cipher", "Blowfish",
++ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
++
++ ps("Cipher", "RC2",
++ "com.sun.crypto.provider.RC2Cipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", BLOCK_MODES128);
++ attrs.put("SupportedPaddings", BLOCK_PADS);
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES",
++ "com.sun.crypto.provider.AESCipher$General", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "AES/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_128/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_128/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_128/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_128/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_192/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_192/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_192/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_192/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
++ attrs);
++
++ psA("Cipher", "AES_256/ECB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CBC/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/OFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/CFB/NoPadding",
++ "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
++ attrs);
++ psA("Cipher", "AES_256/KW/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
++ attrs);
++ ps("Cipher", "AES_256/KW/PKCS5Padding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
++ null, attrs);
++ psA("Cipher", "AES_256/KWP/NoPadding",
++ "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "GCM");
++ attrs.put("SupportedKeyFormats", "RAW");
++
++ ps("Cipher", "AES/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
++ attrs);
++ psA("Cipher", "AES_128/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES128",
++ attrs);
++ psA("Cipher", "AES_192/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES192",
++ attrs);
++ psA("Cipher", "AES_256/GCM/NoPadding",
++ "com.sun.crypto.provider.GaloisCounterMode$AES256",
++ attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "CBC");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "DESedeWrap",
++ "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
++
++ attrs.clear();
++ attrs.put("SupportedModes", "ECB");
++ attrs.put("SupportedPaddings", "NOPADDING");
++ attrs.put("SupportedKeyFormats", "RAW");
++ psA("Cipher", "ARCFOUR",
++ "com.sun.crypto.provider.ARCFOURCipher", attrs);
++
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Cipher", "ChaCha20",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
++ null, attrs);
++ psA("Cipher", "ChaCha20-Poly1305",
++ "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
++ attrs);
++
++ // PBES1
++ psA("Cipher", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
++ null);
++ ps("Cipher", "PBEWithMD5AndTripleDES",
++ "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
++ psA("Cipher", "PBEWithSHA1AndDESede",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC2_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
++ null);
++ psA("Cipher", "PBEWithSHA1AndRC4_40",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("Cipher", "PBEWithSHA1AndRC4_128",
++ "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
++ null);
++
++ // PBES2
++ ps("Cipher", "PBEWithHmacSHA1AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_128",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
++
++ ps("Cipher", "PBEWithHmacSHA1AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA224AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA256AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA384AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
++
++ ps("Cipher", "PBEWithHmacSHA512AndAES_256",
++ "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
++
++ /*
++ * Key(pair) Generator engines
++ */
++ ps("KeyGenerator", "DES",
++ "com.sun.crypto.provider.DESKeyGenerator");
++ psA("KeyGenerator", "DESede",
++ "com.sun.crypto.provider.DESedeKeyGenerator",
++ null);
++ ps("KeyGenerator", "Blowfish",
++ "com.sun.crypto.provider.BlowfishKeyGenerator");
++ psA("KeyGenerator", "AES",
++ "com.sun.crypto.provider.AESKeyGenerator",
++ null);
++ ps("KeyGenerator", "RC2",
++ "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
++ psA("KeyGenerator", "ARCFOUR",
++ "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
++ null);
++ ps("KeyGenerator", "ChaCha20",
++ "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
++ ps("KeyGenerator", "HmacMD5",
++ "com.sun.crypto.provider.HmacMD5KeyGenerator");
++
++ psA("KeyGenerator", "HmacSHA1",
++ "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
++ psA("KeyGenerator", "HmacSHA224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
++ null);
++ psA("KeyGenerator", "HmacSHA256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
++ null);
++ psA("KeyGenerator", "HmacSHA384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
++ null);
++ psA("KeyGenerator", "HmacSHA512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
++ null);
++ psA("KeyGenerator", "HmacSHA512/224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
++ null);
++ psA("KeyGenerator", "HmacSHA512/256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
++ null);
++
++ psA("KeyGenerator", "HmacSHA3-224",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
++ null);
++ psA("KeyGenerator", "HmacSHA3-256",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
++ null);
++ psA("KeyGenerator", "HmacSHA3-384",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
++ null);
++ psA("KeyGenerator", "HmacSHA3-512",
++ "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
++ null);
++
++ psA("KeyPairGenerator", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyPairGenerator",
++ null);
++ }
+
+ /*
+ * Algorithm parameter generation engines
+@@ -430,15 +437,17 @@ public final class SunJCE extends Provider {
+ "DiffieHellman", "com.sun.crypto.provider.DHParameterGenerator",
+ null);
+
+- /*
+- * Key Agreement engines
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
+- "|javax.crypto.interfaces.DHPrivateKey");
+- psA("KeyAgreement", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyAgreement",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key Agreement engines
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyClasses", "javax.crypto.interfaces.DHPublicKey" +
++ "|javax.crypto.interfaces.DHPrivateKey");
++ psA("KeyAgreement", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyAgreement",
++ attrs);
++ }
+
+ /*
+ * Algorithm Parameter engines
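Review bot: The `if (!systemFipsEnabled)` guard added around the DiffieHellman KeyAgreement registration has no comment saying why the service is withheld in FIPS mode or where callers should get it instead. The guards in the preceding Cipher/KeyGenerator hunk and the following KeyFactory/Mac/KeyStore hunk have the same gap. A later reader cannot tell a policy decision from an oversight, and a lookup that names this provider explicitly would presumably fail with no hint of the cause. I would add above the first guard something like `// System FIPS mode: these services are not registered here and must come from the FIPS-configured provider`, adjusted to the actual intent. The enclosing method starts and ends outside this hunk.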
+@@ -531,197 +540,199 @@ public final class SunJCE extends Provider {
+ psA("AlgorithmParameters", "ChaCha20-Poly1305",
+ "com.sun.crypto.provider.ChaCha20Poly1305Parameters", null);
+
+- /*
+- * Key factories
+- */
+- psA("KeyFactory", "DiffieHellman",
+- "com.sun.crypto.provider.DHKeyFactory",
+- null);
+-
+- /*
+- * Secret-key factories
+- */
+- ps("SecretKeyFactory", "DES",
+- "com.sun.crypto.provider.DESKeyFactory");
+-
+- psA("SecretKeyFactory", "DESede",
+- "com.sun.crypto.provider.DESedeKeyFactory", null);
+-
+- psA("SecretKeyFactory", "PBEWithMD5AndDES",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
+- null);
+-
+- /*
+- * Internal in-house crypto algorithm used for
+- * the JCEKS keystore type. Since this was developed
+- * internally, there isn't an OID corresponding to this
+- * algorithm.
+- */
+- ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
+- null);
+-
+- psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
+- null);
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
+-
+- ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
+- "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
+-
+- // PBKDF2
+- psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
+- null);
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
+- ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
+- "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
+-
+- /*
+- * MAC
+- */
+- attrs.clear();
+- attrs.put("SupportedKeyFormats", "RAW");
+- ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
+- psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
+- attrs);
+- psA("Mac", "HmacSHA224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
+- psA("Mac", "HmacSHA256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
+- psA("Mac", "HmacSHA384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
+- psA("Mac", "HmacSHA512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
+- psA("Mac", "HmacSHA512/224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
+- psA("Mac", "HmacSHA512/256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
+- psA("Mac", "HmacSHA3-224",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
+- psA("Mac", "HmacSHA3-256",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
+- psA("Mac", "HmacSHA3-384",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
+- psA("Mac", "HmacSHA3-512",
+- "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
+-
+- ps("Mac", "HmacPBESHA1",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
+- null, attrs);
+- ps("Mac", "HmacPBESHA224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
+- null, attrs);
+- ps("Mac", "HmacPBESHA384",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/224",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
+- null, attrs);
+- ps("Mac", "HmacPBESHA512/256",
+- "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
+- null, attrs);
+-
+-
+- // PBMAC1
+- ps("Mac", "PBEWithHmacSHA1",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
+- ps("Mac", "PBEWithHmacSHA224",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
+- ps("Mac", "PBEWithHmacSHA256",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
+- ps("Mac", "PBEWithHmacSHA384",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
+- ps("Mac", "PBEWithHmacSHA512",
+- "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
+- ps("Mac", "SslMacMD5",
+- "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
+- ps("Mac", "SslMacSHA1",
+- "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
+-
+- /*
+- * KeyStore
+- */
+- ps("KeyStore", "JCEKS",
+- "com.sun.crypto.provider.JceKeyStore");
+-
+- /*
+- * SSL/TLS mechanisms
+- *
+- * These are strictly internal implementations and may
+- * be changed at any time. These names were chosen
+- * because PKCS11/SunPKCS11 does not yet have TLS1.2
+- * mechanisms, and it will cause calls to come here.
+- */
+- ps("KeyGenerator", "SunTlsPrf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V10");
+- ps("KeyGenerator", "SunTls12Prf",
+- "com.sun.crypto.provider.TlsPrfGenerator$V12");
+-
+- ps("KeyGenerator", "SunTlsMasterSecret",
+- "com.sun.crypto.provider.TlsMasterSecretGenerator",
+- List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
+- null);
+-
+- ps("KeyGenerator", "SunTlsKeyMaterial",
+- "com.sun.crypto.provider.TlsKeyMaterialGenerator",
+- List.of("SunTls12KeyMaterial"), null);
+-
+- ps("KeyGenerator", "SunTlsRsaPremasterSecret",
+- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
+- List.of("SunTls12RsaPremasterSecret"), null);
++ if (!systemFipsEnabled) {
++ /*
++ * Key factories
++ */
++ psA("KeyFactory", "DiffieHellman",
++ "com.sun.crypto.provider.DHKeyFactory",
++ null);
++
++ /*
++ * Secret-key factories
++ */
++ ps("SecretKeyFactory", "DES",
++ "com.sun.crypto.provider.DESKeyFactory");
++
++ psA("SecretKeyFactory", "DESede",
++ "com.sun.crypto.provider.DESedeKeyFactory", null);
++
++ psA("SecretKeyFactory", "PBEWithMD5AndDES",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
++ null);
++
++ /*
++ * Internal in-house crypto algorithm used for
++ * the JCEKS keystore type. Since this was developed
++ * internally, there isn't an OID corresponding to this
++ * algorithm.
++ */
++ ps("SecretKeyFactory", "PBEWithMD5AndTripleDES",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndTripleDES");
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndDESede",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndDESede",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_40",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_40",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC2_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC2_128",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_40",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_40",
++ null);
++
++ psA("SecretKeyFactory", "PBEWithSHA1AndRC4_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithSHA1AndRC4_128",
++ null);
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_128",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_128");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA1AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA1AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA224AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA224AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA256AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA256AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA384AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA384AndAES_256");
++
++ ps("SecretKeyFactory", "PBEWithHmacSHA512AndAES_256",
++ "com.sun.crypto.provider.PBEKeyFactory$PBEWithHmacSHA512AndAES_256");
++
++ // PBKDF2
++ psA("SecretKeyFactory", "PBKDF2WithHmacSHA1",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA1",
++ null);
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA224",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA224");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA256",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA256");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA384",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA384");
++ ps("SecretKeyFactory", "PBKDF2WithHmacSHA512",
++ "com.sun.crypto.provider.PBKDF2Core$HmacSHA512");
++
++ /*
++ * MAC
++ */
++ attrs.clear();
++ attrs.put("SupportedKeyFormats", "RAW");
++ ps("Mac", "HmacMD5", "com.sun.crypto.provider.HmacMD5", null, attrs);
++ psA("Mac", "HmacSHA1", "com.sun.crypto.provider.HmacSHA1",
++ attrs);
++ psA("Mac", "HmacSHA224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA224", attrs);
++ psA("Mac", "HmacSHA256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA256", attrs);
++ psA("Mac", "HmacSHA384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA384", attrs);
++ psA("Mac", "HmacSHA512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512", attrs);
++ psA("Mac", "HmacSHA512/224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_224", attrs);
++ psA("Mac", "HmacSHA512/256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA512_256", attrs);
++ psA("Mac", "HmacSHA3-224",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_224", attrs);
++ psA("Mac", "HmacSHA3-256",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_256", attrs);
++ psA("Mac", "HmacSHA3-384",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_384", attrs);
++ psA("Mac", "HmacSHA3-512",
++ "com.sun.crypto.provider.HmacCore$HmacSHA3_512", attrs);
++
++ ps("Mac", "HmacPBESHA1",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA1",
++ null, attrs);
++ ps("Mac", "HmacPBESHA224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA256",
++ null, attrs);
++ ps("Mac", "HmacPBESHA384",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA384",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/224",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_224",
++ null, attrs);
++ ps("Mac", "HmacPBESHA512/256",
++ "com.sun.crypto.provider.HmacPKCS12PBECore$HmacPKCS12PBE_SHA512_256",
++ null, attrs);
++
++
++ // PBMAC1
++ ps("Mac", "PBEWithHmacSHA1",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA1", null, attrs);
++ ps("Mac", "PBEWithHmacSHA224",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA224", null, attrs);
++ ps("Mac", "PBEWithHmacSHA256",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA256", null, attrs);
++ ps("Mac", "PBEWithHmacSHA384",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA384", null, attrs);
++ ps("Mac", "PBEWithHmacSHA512",
++ "com.sun.crypto.provider.PBMAC1Core$HmacSHA512", null, attrs);
++ ps("Mac", "SslMacMD5",
++ "com.sun.crypto.provider.SslMacCore$SslMacMD5", null, attrs);
++ ps("Mac", "SslMacSHA1",
++ "com.sun.crypto.provider.SslMacCore$SslMacSHA1", null, attrs);
++
++ /*
++ * KeyStore
++ */
++ ps("KeyStore", "JCEKS",
++ "com.sun.crypto.provider.JceKeyStore");
++
++ /*
++ * SSL/TLS mechanisms
++ *
++ * These are strictly internal implementations and may
++ * be changed at any time. These names were chosen
++ * because PKCS11/SunPKCS11 does not yet have TLS1.2
++ * mechanisms, and it will cause calls to come here.
++ */
++ ps("KeyGenerator", "SunTlsPrf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V10");
++ ps("KeyGenerator", "SunTls12Prf",
++ "com.sun.crypto.provider.TlsPrfGenerator$V12");
++
++ ps("KeyGenerator", "SunTlsMasterSecret",
++ "com.sun.crypto.provider.TlsMasterSecretGenerator",
++ List.of("SunTls12MasterSecret", "SunTlsExtendedMasterSecret"),
++ null);
++
++ ps("KeyGenerator", "SunTlsKeyMaterial",
++ "com.sun.crypto.provider.TlsKeyMaterialGenerator",
++ List.of("SunTls12KeyMaterial"), null);
++
++ ps("KeyGenerator", "SunTlsRsaPremasterSecret",
++ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator",
++ List.of("SunTls12RsaPremasterSecret"), null);
++ }
+ }
+
+ // Return the instance of this class or create one if needed.
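Review bot: Wrapping the whole tail of the method in `if (!systemFipsEnabled) { ... }` re-indents close to two hundred otherwise unchanged registrations, which buries the one behavioural change and is likely to conflict with any upstream edit to these entries. The guard's closing brace is immediately followed by the method's closing brace, so `if (systemFipsEnabled) { return; }` placed before the "Key factories" comment would have the same effect in a three-line diff. The block also withholds approved algorithms such as `HmacSHA256` and `PBKDF2WithHmacSHA256` together with `HmacMD5` and `SslMacMD5`. If that is intended because another provider supplies them in FIPS mode, a comment at the guard should say so. The method starts outside this hunk.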
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+index ff2bc942c03..d303ae5c8f3 100644
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@ import java.net.URL;
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -47,6 +48,9 @@ import sun.security.jca.*;
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+@@ -67,6 +71,19 @@ public final class Security {
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
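Review bot: The comment `// Initialise here as used by code with system properties disabled` does not say which code reads the accessor or why it must be registered before the rest of the static block runs. Both overridden methods delegate to `SystemConfigurator`, whose static initializer (added later in this patch) loads the `systemconf` native library, so the first call through the accessor has that side effect. Suggested wording, if it matches the intent: `// Register before initialize(): the accessor is queried via SharedSecrets even when the system properties file is disabled; first use loads the systemconf native library`. The static block continues outside this hunk.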
+@@ -99,6 +116,7 @@ public final class Security {
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
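Review bot: `sdebug.println(props.toString())` prints the whole table on one unlabelled line in unspecified order. It also runs before the `SystemConfigurator.configureSysProps(props)` call added later in this patch overlays the system policy, so the dump is not the effective configuration. For a debug aid used to check which crypto settings are in force, that is easy to misread. I would label it, e.g. `sdebug.println("properties read from " + propFile + ": " + props);`, and print the final table once after the overlay has been applied. The enclosing try block starts outside this hunk.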
+@@ -193,6 +211,28 @@ public final class Security {
+ }
+ }
+
++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
++ if (!SystemConfigurator.configureSysProps(props)) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System properties could not be loaded.");
++ }
++ }
++ }
++
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++ if (sdebug != null) {
++ if (fipsEnabled) {
++ sdebug.println("FIPS support enabled.");
++ } else {
++ sdebug.println("FIPS support disabled.");
++ }
++ }
++ }
+ }
+
+ /*
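Review bot: A failed `SystemConfigurator.configureSysProps(props)` is reported only when `sdebug` is non-null, so with debugging off the JVM continues on the `java.security` defaults with no trace that the system crypto policy was not applied. On a host that relies on that policy to restrict algorithms, this is a silent fail-open. At minimum, document it at the call with `// NOTE: fails open - on load failure the java.security defaults stay in effect`, and consider reporting the failure outside the `sdebug` check. The condition also treats any value of `java.security.disableSystemPropertiesFile` other than "false", including an empty string, as a request to skip the overlay, which deserves a comment too. The enclosing method starts outside this hunk.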
+diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+index 00000000000..da2af5defda
+--- /dev/null
++++ b/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,245 @@
++/*
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++final class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
++
++ static {
++ @SuppressWarnings("removal")
++ var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configureSysProps(Properties props) {
++ boolean loadedProps = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ // Remove all security providers
++ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry<Object, Object> e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
++ loadedProps = true;
++ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
++ /*
++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++ * system property is true (default) and the system is in FIPS mode.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
++ */
++ private static boolean enableFips() throws Exception {
++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (shouldEnable) {
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ shouldEnable = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + shouldEnable);
++ }
++ return shouldEnable;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
++ } else {
++ return false;
++ }
++ }
++}
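Review bot: The `catch (Exception e)` that closes `configureFIPS` turns every failure into a `false` return and reports it only when `sdebug` is non-null, which includes the IOException that `enableFips` rethrows when `getSystemFIPSEnabled` cannot determine the system state; a host in FIPS mode would then start without FIPS alignment and without any message. A failure after the provider loop also leaves `props` with the `fips.provider.N` values already copied over `security.provider.N` while `systemFipsEnabled` is still false. One such path is visible here: `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)` throws NullPointerException when `keystore.type` is not set, so the guard should read `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null) {`. I would also have the catch block print `"unable to load FIPS configuration"` to `System.err` regardless of the debug setting, and add a comment there stating that falling back to non-FIPS operation is deliberate, if that is the intent.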
+diff --git a/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+new file mode 100644
+index 00000000000..3f3caac64dc
+--- /dev/null
++++ b/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+@@ -0,0 +1,31 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.access;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
++}
+diff --git a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+index f6d3638c3dd..a1ee182d913 100644
+--- a/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
++++ b/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+@@ -39,6 +39,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -81,6 +82,7 @@ public class SharedSecrets {
+ private static JavaSecuritySpecAccess javaSecuritySpecAccess;
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
+ private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
+ javaUtilCollectionAccess = juca;
+@@ -442,4 +444,15 @@ public class SharedSecrets {
+ MethodHandles.lookup().ensureInitialized(c);
+ } catch (IllegalAccessException e) {}
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ ensureClassInitialized(Security.class);
++ }
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
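Review bot: `getJavaSecuritySystemConfiguratorAccess` reads the non-volatile static field twice, once in the null test and again in the `return`, and it returns whatever the field holds after `ensureClassInitialized(Security.class)` without checking that initialization registered an accessor. The callers added in this patch dereference the result directly during class initialization (`SunEntries`, `SunRsaSignEntries`, `SSLContextImpl`), so a null here would surface as a failed class initialization rather than as a clear error. Reading the field into a local, re-reading it after the initialization call and returning the local avoids the double read. The registration itself presumably happens in `Security`'s static initializer, which is outside this hunk, so whether null can really be returned cannot be confirmed from here.

```java
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
    var access = javaSecuritySystemConfiguratorAccess;
    if (access == null) {
        // Security's static initializer is expected to register the accessor.
        ensureClassInitialized(Security.class);
        access = javaSecuritySystemConfiguratorAccess;
    }
    return access;
}
```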
+diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
+index 63bb580eb3a..dbbf11bbb22 100644
+--- a/src/java.base/share/classes/module-info.java
++++ b/src/java.base/share/classes/module-info.java
+@@ -152,6 +152,8 @@ module java.base {
+ java.naming,
+ java.rmi,
+ jdk.charsets,
++ jdk.crypto.cryptoki,
++ jdk.crypto.ec,
+ jdk.jartool,
+ jdk.jlink,
+ jdk.net,
+diff --git a/src/java.base/share/classes/sun/security/provider/SunEntries.java b/src/java.base/share/classes/sun/security/provider/SunEntries.java
+index 912cad59714..709d32912ca 100644
+--- a/src/java.base/share/classes/sun/security/provider/SunEntries.java
++++ b/src/java.base/share/classes/sun/security/provider/SunEntries.java
+@@ -30,6 +30,7 @@ import java.net.*;
+ import java.util.*;
+ import java.security.*;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.util.SecurityProviderConstants;
+@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ public final class SunEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ // the default algo used by SecureRandom class for new SecureRandom() calls
+ public static final String DEF_SECURE_RANDOM_ALGO;
+
+@@ -94,99 +99,101 @@ public final class SunEntries {
+ // common attribute map
+ HashMap<String, String> attrs = new HashMap<>(3);
+
+- /*
+- * SecureRandom engines
+- */
+- attrs.put("ThreadSafe", "true");
+- if (NativePRNG.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNG",
+- "sun.security.provider.NativePRNG", attrs);
+- }
+- if (NativePRNG.Blocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGBlocking",
+- "sun.security.provider.NativePRNG$Blocking", attrs);
+- }
+- if (NativePRNG.NonBlocking.isAvailable()) {
+- add(p, "SecureRandom", "NativePRNGNonBlocking",
+- "sun.security.provider.NativePRNG$NonBlocking", attrs);
+- }
+- attrs.put("ImplementedIn", "Software");
+- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+- add(p, "SecureRandom", "SHA1PRNG",
+- "sun.security.provider.SecureRandom", attrs);
+-
+- /*
+- * Signature engines
+- */
+- attrs.clear();
+- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+- "|java.security.interfaces.DSAPrivateKey";
+- attrs.put("SupportedKeyClasses", dsaKeyClasses);
+- attrs.put("ImplementedIn", "Software");
+-
+- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+-
+- addWithAlias(p, "Signature", "SHA1withDSA",
+- "sun.security.provider.DSA$SHA1withDSA", attrs);
+- addWithAlias(p, "Signature", "NONEwithDSA",
+- "sun.security.provider.DSA$RawDSA", attrs);
+-
+- // for DSA signatures with 224/256-bit digests
+- attrs.put("KeySize", "2048");
+-
+- addWithAlias(p, "Signature", "SHA224withDSA",
+- "sun.security.provider.DSA$SHA224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA256withDSA",
+- "sun.security.provider.DSA$SHA256withDSA", attrs);
+-
+- addWithAlias(p, "Signature", "SHA3-224withDSA",
+- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-256withDSA",
+- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+-
+- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+-
+- addWithAlias(p, "Signature", "SHA384withDSA",
+- "sun.security.provider.DSA$SHA384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA512withDSA",
+- "sun.security.provider.DSA$SHA512withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-384withDSA",
+- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+- addWithAlias(p, "Signature", "SHA3-512withDSA",
+- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+-
+- attrs.remove("KeySize");
++ if (!systemFipsEnabled) {
++ /*
++ * SecureRandom engines
++ */
++ attrs.put("ThreadSafe", "true");
++ if (NativePRNG.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNG",
++ "sun.security.provider.NativePRNG", attrs);
++ }
++ if (NativePRNG.Blocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGBlocking",
++ "sun.security.provider.NativePRNG$Blocking", attrs);
++ }
++ if (NativePRNG.NonBlocking.isAvailable()) {
++ add(p, "SecureRandom", "NativePRNGNonBlocking",
++ "sun.security.provider.NativePRNG$NonBlocking", attrs);
++ }
++ attrs.put("ImplementedIn", "Software");
++ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
++ add(p, "SecureRandom", "SHA1PRNG",
++ "sun.security.provider.SecureRandom", attrs);
+
+- add(p, "Signature", "SHA1withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+- add(p, "Signature", "NONEwithDSAinP1363Format",
+- "sun.security.provider.DSA$RawDSAinP1363Format");
+- add(p, "Signature", "SHA224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+- add(p, "Signature", "SHA256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+- add(p, "Signature", "SHA384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+- add(p, "Signature", "SHA512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+- add(p, "Signature", "SHA3-224withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+- add(p, "Signature", "SHA3-256withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+- add(p, "Signature", "SHA3-384withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+- add(p, "Signature", "SHA3-512withDSAinP1363Format",
+- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+- /*
+- * Key Pair Generator engines
+- */
+- attrs.clear();
+- attrs.put("ImplementedIn", "Software");
+- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
++ /*
++ * Signature engines
++ */
++ attrs.clear();
++ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
++ "|java.security.interfaces.DSAPrivateKey";
++ attrs.put("SupportedKeyClasses", dsaKeyClasses);
++ attrs.put("ImplementedIn", "Software");
++
++ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
++
++ addWithAlias(p, "Signature", "SHA1withDSA",
++ "sun.security.provider.DSA$SHA1withDSA", attrs);
++ addWithAlias(p, "Signature", "NONEwithDSA",
++ "sun.security.provider.DSA$RawDSA", attrs);
++
++ // for DSA signatures with 224/256-bit digests
++ attrs.put("KeySize", "2048");
++
++ addWithAlias(p, "Signature", "SHA224withDSA",
++ "sun.security.provider.DSA$SHA224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA256withDSA",
++ "sun.security.provider.DSA$SHA256withDSA", attrs);
++
++ addWithAlias(p, "Signature", "SHA3-224withDSA",
++ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-256withDSA",
++ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
++
++ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
++
++ addWithAlias(p, "Signature", "SHA384withDSA",
++ "sun.security.provider.DSA$SHA384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA512withDSA",
++ "sun.security.provider.DSA$SHA512withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-384withDSA",
++ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
++ addWithAlias(p, "Signature", "SHA3-512withDSA",
++ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
++
++ attrs.remove("KeySize");
++
++ add(p, "Signature", "SHA1withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
++ add(p, "Signature", "NONEwithDSAinP1363Format",
++ "sun.security.provider.DSA$RawDSAinP1363Format");
++ add(p, "Signature", "SHA224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
++ add(p, "Signature", "SHA256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
++ add(p, "Signature", "SHA384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
++ add(p, "Signature", "SHA512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
++ add(p, "Signature", "SHA3-224withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
++ add(p, "Signature", "SHA3-256withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
++ add(p, "Signature", "SHA3-384withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
++ add(p, "Signature", "SHA3-512withDSAinP1363Format",
++ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
++ /*
++ * Key Pair Generator engines
++ */
++ attrs.clear();
++ attrs.put("ImplementedIn", "Software");
++ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+
+- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
++ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
++ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
++ }
+
+ /*
+ * Algorithm Parameter Generator engines
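Review bot: Neither `if (!systemFipsEnabled)` block says why the SUN provider stops registering these services in FIPS mode, unlike the SSLContextImpl and SunJSSE changes in this patch, which carry an `RH1860986` comment. The same applies to the second guarded block in the next hunk (KeyFactory and MessageDigest). A short comment above each guard would help, for example `// System FIPS mode: SecureRandom, DSA and digest services are left to the FIPS provider list (fips.provider.N in java.security).`, adjusted to the actual rationale. It is also worth confirming that `DEF_SECURE_RANDOM_ALGO`, which is assigned outside this hunk, does not end up naming a SecureRandom algorithm that SUN no longer registers when the guard is active.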
+@@ -201,40 +208,42 @@ public final class SunEntries {
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
+
+- /*
+- * Key factories
+- */
+- addWithAlias(p, "KeyFactory", "DSA",
+- "sun.security.provider.DSAKeyFactory", attrs);
+-
+- /*
+- * Digest engines
+- */
+- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+- attrs);
++ if (!systemFipsEnabled) {
++ /*
++ * Key factories
++ */
++ addWithAlias(p, "KeyFactory", "DSA",
++ "sun.security.provider.DSAKeyFactory", attrs);
+
+- addWithAlias(p, "MessageDigest", "SHA-224",
+- "sun.security.provider.SHA2$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-256",
+- "sun.security.provider.SHA2$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-384",
+- "sun.security.provider.SHA5$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512",
+- "sun.security.provider.SHA5$SHA512", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/224",
+- "sun.security.provider.SHA5$SHA512_224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA-512/256",
+- "sun.security.provider.SHA5$SHA512_256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-224",
+- "sun.security.provider.SHA3$SHA224", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-256",
+- "sun.security.provider.SHA3$SHA256", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-384",
+- "sun.security.provider.SHA3$SHA384", attrs);
+- addWithAlias(p, "MessageDigest", "SHA3-512",
+- "sun.security.provider.SHA3$SHA512", attrs);
++ /*
++ * Digest engines
++ */
++ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
++ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
++ attrs);
++
++ addWithAlias(p, "MessageDigest", "SHA-224",
++ "sun.security.provider.SHA2$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-256",
++ "sun.security.provider.SHA2$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-384",
++ "sun.security.provider.SHA5$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512",
++ "sun.security.provider.SHA5$SHA512", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/224",
++ "sun.security.provider.SHA5$SHA512_224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA-512/256",
++ "sun.security.provider.SHA5$SHA512_256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-224",
++ "sun.security.provider.SHA3$SHA224", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-256",
++ "sun.security.provider.SHA3$SHA256", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-384",
++ "sun.security.provider.SHA3$SHA384", attrs);
++ addWithAlias(p, "MessageDigest", "SHA3-512",
++ "sun.security.provider.SHA3$SHA512", attrs);
++ }
+
+ /*
+ * Certificates
+diff --git a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+index ca79f25cc44..225517ac69b 100644
+--- a/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
++++ b/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java
+@@ -27,6 +27,7 @@ package sun.security.rsa;
+
+ import java.util.*;
+ import java.security.Provider;
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityProviderConstants.getAliases;
+
+ /**
+@@ -36,6 +37,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
+ */
+ public final class SunRsaSignEntries {
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private void add(Provider p, String type, String algo, String cn,
+ List<String> aliases, HashMap<String, String> attrs) {
+ services.add(new Provider.Service(p, type, algo, cn,
+@@ -56,49 +61,58 @@ public final class SunRsaSignEntries {
+ // start populating content using the specified provider
+ // common attribute map
+ HashMap<String, String> attrs = new HashMap<>(3);
+- attrs.put("SupportedKeyClasses",
+- "java.security.interfaces.RSAPublicKey" +
+- "|java.security.interfaces.RSAPrivateKey");
++ if (!systemFipsEnabled) {
++ attrs.put("SupportedKeyClasses",
++ "java.security.interfaces.RSAPublicKey" +
++ "|java.security.interfaces.RSAPrivateKey");
++ }
+
+ add(p, "KeyFactory", "RSA",
+ "sun.security.rsa.RSAKeyFactory$Legacy",
+ getAliases("PKCS1"), null);
+- add(p, "KeyPairGenerator", "RSA",
+- "sun.security.rsa.RSAKeyPairGenerator$Legacy",
+- getAliases("PKCS1"), null);
+- addA(p, "Signature", "MD2withRSA",
+- "sun.security.rsa.RSASignature$MD2withRSA", attrs);
+- addA(p, "Signature", "MD5withRSA",
+- "sun.security.rsa.RSASignature$MD5withRSA", attrs);
+- addA(p, "Signature", "SHA1withRSA",
+- "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
+- addA(p, "Signature", "SHA224withRSA",
+- "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
+- addA(p, "Signature", "SHA256withRSA",
+- "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
+- addA(p, "Signature", "SHA384withRSA",
+- "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
+- addA(p, "Signature", "SHA512withRSA",
+- "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
+- addA(p, "Signature", "SHA512/224withRSA",
+- "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
+- addA(p, "Signature", "SHA512/256withRSA",
+- "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-224withRSA",
+- "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
+- addA(p, "Signature", "SHA3-256withRSA",
+- "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
+- addA(p, "Signature", "SHA3-384withRSA",
+- "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
+- addA(p, "Signature", "SHA3-512withRSA",
+- "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++
++ if (!systemFipsEnabled) {
++ add(p, "KeyPairGenerator", "RSA",
++ "sun.security.rsa.RSAKeyPairGenerator$Legacy",
++ getAliases("PKCS1"), null);
++ addA(p, "Signature", "MD2withRSA",
++ "sun.security.rsa.RSASignature$MD2withRSA", attrs);
++ addA(p, "Signature", "MD5withRSA",
++ "sun.security.rsa.RSASignature$MD5withRSA", attrs);
++ addA(p, "Signature", "SHA1withRSA",
++ "sun.security.rsa.RSASignature$SHA1withRSA", attrs);
++ addA(p, "Signature", "SHA224withRSA",
++ "sun.security.rsa.RSASignature$SHA224withRSA", attrs);
++ addA(p, "Signature", "SHA256withRSA",
++ "sun.security.rsa.RSASignature$SHA256withRSA", attrs);
++ addA(p, "Signature", "SHA384withRSA",
++ "sun.security.rsa.RSASignature$SHA384withRSA", attrs);
++ addA(p, "Signature", "SHA512withRSA",
++ "sun.security.rsa.RSASignature$SHA512withRSA", attrs);
++ addA(p, "Signature", "SHA512/224withRSA",
++ "sun.security.rsa.RSASignature$SHA512_224withRSA", attrs);
++ addA(p, "Signature", "SHA512/256withRSA",
++ "sun.security.rsa.RSASignature$SHA512_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-224withRSA",
++ "sun.security.rsa.RSASignature$SHA3_224withRSA", attrs);
++ addA(p, "Signature", "SHA3-256withRSA",
++ "sun.security.rsa.RSASignature$SHA3_256withRSA", attrs);
++ addA(p, "Signature", "SHA3-384withRSA",
++ "sun.security.rsa.RSASignature$SHA3_384withRSA", attrs);
++ addA(p, "Signature", "SHA3-512withRSA",
++ "sun.security.rsa.RSASignature$SHA3_512withRSA", attrs);
++ }
+
+ addA(p, "KeyFactory", "RSASSA-PSS",
+ "sun.security.rsa.RSAKeyFactory$PSS", attrs);
+- addA(p, "KeyPairGenerator", "RSASSA-PSS",
+- "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
+- addA(p, "Signature", "RSASSA-PSS",
+- "sun.security.rsa.RSAPSSSignature", attrs);
++
++ if (!systemFipsEnabled) {
++ addA(p, "KeyPairGenerator", "RSASSA-PSS",
++ "sun.security.rsa.RSAKeyPairGenerator$PSS", attrs);
++ addA(p, "Signature", "RSASSA-PSS",
++ "sun.security.rsa.RSAPSSSignature", attrs);
++ }
++
+ addA(p, "AlgorithmParameters", "RSASSA-PSS",
+ "sun.security.rsa.PSSParameters", null);
+ }
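Review bot: The first guard skips `attrs.put("SupportedKeyClasses", ...)` in FIPS mode, yet `attrs` is still passed to the `KeyFactory` `RSASSA-PSS` registration, which stays unconditional, so that service is registered with an empty attribute map only when FIPS is on. Every other user of `attrs` in this hunk sits inside a `!systemFipsEnabled` block, so the guard on the `put` seems to have no effect beyond changing that one registration. Either keep `attrs.put(...)` unconditional, or add a comment explaining why the key-class attribute must be absent in FIPS mode. The enclosing method's signature is outside the hunk.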
+diff --git a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+index 6ffdfeda18d..775b185fb06 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
++++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+@@ -32,6 +32,7 @@ import java.security.cert.*;
+ import java.util.*;
+ import java.util.concurrent.locks.ReentrantLock;
+ import javax.net.ssl.*;
++import jdk.internal.access.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ private static final List<CipherSuite> serverDefaultCipherSuites;
+
+ static {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10,
+- ProtocolVersion.SSL30,
+- ProtocolVersion.SSL20Hello
+- );
+-
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10,
++ ProtocolVersion.SSL30,
++ ProtocolVersion.SSL20Hello
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+
+ supportedCipherSuites = getApplicableSupportedCipherSuites(
+ supportedProtocols);
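Review bot: The FIPS branch of this static initializer drops `ProtocolVersion.SSL30` and `ProtocolVersion.SSL20Hello` from `supportedProtocols` as well as `TLS13`, but the comment explains only the TLSv1.3 removal. TLS 1.1 and TLS 1.0 stay in both FIPS lists, here and in the candidates array of the next hunk, so whether they are actually offered depends on what `getAvailableProtocols` and the disabled-algorithms configuration filter out, which is not visible in this diff. I would extend the comment to cover the SSL entries, e.g. `// SSL30 and SSL20Hello are not offered in system FIPS mode.`, and compute the flag once (`boolean fips = SharedSecrets.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();`) so the two branches differ only in the list contents. The enclosing class starts outside the hunk.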
+@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
+ ProtocolVersion[] candidates;
+ if (refactored.isEmpty()) {
+ // Client and server use the same default protocols.
+- candidates = new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- };
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ } else {
++ candidates = new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ } else {
+ // Use the customized TLS protocols.
+ candidates =
+diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+index 894e26dfad8..8b16378b96b 100644
+--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
++++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+@@ -27,6 +27,8 @@ package sun.security.ssl;
+
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.access.SharedSecrets;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+
+ /**
+@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
+ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+ ps("SSLContext", "TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+- ps("SSLContext", "TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ ps("SSLContext", "TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ }
+ ps("SSLContext", "TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext",
+ List.of("SSL"), null);
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 6d91e3f8e4e..5a355e70cae 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
+@@ -79,6 +79,16 @@ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
+
++#
++# Security providers used when global crypto-policies are set to FIPS.
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=SunJSSE
++fips.provider.5=SunJCE
++fips.provider.6=SunRsaSign
++
+ #
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+@@ -289,6 +299,11 @@ policy.ignoreIdentityScope=false
+ #
+ keystore.type=pkcs12
+
++#
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
+ #
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+@@ -326,6 +341,13 @@ package.definition=sun.misc.,\
+ #
+ security.overridePropertiesFile=true
+
++#
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
+ #
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
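Review bot: The comment added for `security.useSystemPropertiesFile` says this file is "appended to" but not which value wins when both files define the same property. That precedence decides whether `/etc/crypto-policies/back-ends/java.config` can loosen a setting made here. I would add a line such as `# On conflicting keys the value from <this file | the system file> takes effect.`, filled in with the real rule, which this hunk does not show. Because the default is `true`, the system file becomes part of the security configuration of every JVM, so the comment could also state that it is expected to be writable only by the administrator.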
+diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
+index b22f26947af..3ee2ce6ea88 100644
+--- a/src/java.base/share/lib/security/default.policy
++++ b/src/java.base/share/lib/security/default.policy
+@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
+ grant codeBase "jrt:/jdk.crypto.ec" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "loadLibrary.sunec";
+ permission java.security.SecurityPermission "putProviderProperty.SunEC";
+ permission java.security.SecurityPermission "clearProviderProperties.SunEC";
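Review bot: `accessClassInPackage.jdk.internal.access` opens the whole package to jdk.crypto.ec, including `SharedSecrets` and every accessor behind it, while the patch appears to need only `getJavaSecuritySystemConfiguratorAccess()`. Under a security manager this is a much wider grant than the FIPS check requires. Policy syntax cannot narrow it below package level, so the reason should at least be recorded next to the line: `// needed for SharedSecrets.getJavaSecuritySystemConfiguratorAccess() (system FIPS detection)`. The next hunk adds the same permission for jdk.crypto.cryptoki. For jdk.crypto.ec the use that needs it is not visible in this part of the patch and should be confirmed; both grant blocks continue outside their hunks.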
+@@ -130,6 +131,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 00000000000..9bb31555f48
+--- /dev/null
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,490 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.security.interfaces.RSAPrivateCrtKey;
++import java.security.interfaces.RSAPrivateKey;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.SecretKeyFactory;
++import javax.crypto.spec.SecretKeySpec;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAPrivateCrtKeyImpl;
++import sun.security.rsa.RSAUtil;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static volatile P11Key importerKey = null;
++ private static SecretKeySpec exporterKey = null;
++ private static volatile P11Key exporterKeyP11 = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ // Do not take the exporterKeyLock with the importerKeyLock held.
++ private static final ReentrantLock exporterKeyLock = new ReentrantLock();
++ private static volatile CK_MECHANISM importerKeyMechanism = null;
++ private static volatile CK_MECHANISM exporterKeyMechanism = null;
++ private static Cipher importerCipher = null;
++ private static Cipher exporterCipher = null;
++
++ private static volatile Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static volatile KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key importer");
++ }
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ importerKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ } finally {
++ importerKeyLock.unlock();
++ }
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ static void exportKey(SunPKCS11 sunPKCS11, long hSession, long hObject,
++ long keyClass, long keyType, Map<Long, CK_ATTRIBUTE> sensitiveAttrs)
++ throws PKCS11Exception {
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be exported in" +
++ " system FIPS mode.");
++ }
++ if (exporterKeyP11 == null) {
++ try {
++ exporterKeyLock.lock();
++ if (exporterKeyP11 == null) {
++ if (exporterKeyMechanism == null) {
++ // Exporter Key creation has not been tried yet. Try it.
++ createExporterKey(token);
++ }
++ if (exporterKeyP11 == null || exporterCipher == null) {
++ if (debug != null) {
++ debug.println("Exporter Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ if (debug != null) {
++ debug.println("Exporter Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ }
++ long exporterKeyID = exporterKeyP11.getKeyID();
++ try {
++ byte[] wrappedKeyBytes = token.p11.C_WrapKey(hSession,
++ exporterKeyMechanism, exporterKeyID, hObject);
++ byte[] plainExportedKey = null;
++ exporterKeyLock.lock();
++ try {
++ // No need to reset the cipher object because no multi-part
++ // operations are performed.
++ plainExportedKey = exporterCipher.doFinal(wrappedKeyBytes);
++ } finally {
++ exporterKeyLock.unlock();
++ }
++ if (keyClass == CKO_PRIVATE_KEY) {
++ exportPrivateKey(sensitiveAttrs, keyType, plainExportedKey);
++ } else if (keyClass == CKO_SECRET_KEY) {
++ checkAttrs(sensitiveAttrs, "CKO_SECRET_KEY", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue = plainExportedKey;
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " fips key exporter");
++ }
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ } finally {
++ exporterKeyP11.releaseKeyID();
++ }
++ }
++
++ private static void exportPrivateKey(
++ Map<Long, CK_ATTRIBUTE> sensitiveAttrs, long keyType,
++ byte[] plainExportedKey) throws Throwable {
++ if (keyType == CKK_RSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2,
++ CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT);
++ RSAPrivateKey rsaPKey = RSAPrivateCrtKeyImpl.newKey(
++ RSAUtil.KeyType.RSA, "PKCS#8", plainExportedKey
++ );
++ CK_ATTRIBUTE attr;
++ if ((attr = sensitiveAttrs.get(CKA_PRIVATE_EXPONENT)) != null) {
++ attr.pValue = rsaPKey.getPrivateExponent().toByteArray();
++ }
++ if (rsaPKey instanceof RSAPrivateCrtKey) {
++ RSAPrivateCrtKey rsaPCrtKey = (RSAPrivateCrtKey) rsaPKey;
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_PRIME_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_1)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentP().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_EXPONENT_2)) != null) {
++ attr.pValue = rsaPCrtKey.getPrimeExponentQ().toByteArray();
++ }
++ if ((attr = sensitiveAttrs.get(CKA_COEFFICIENT)) != null) {
++ attr.pValue = rsaPCrtKey.getCrtCoefficient().toByteArray();
++ }
++ } else {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_RSA",
++ CKA_PRIVATE_EXPONENT);
++ }
++ } else if (keyType == CKK_DSA) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_DSA", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ new sun.security.provider.DSAPrivateKey(plainExportedKey)
++ .getX().toByteArray();
++ } else if (keyType == CKK_EC) {
++ checkAttrs(sensitiveAttrs, "CKO_PRIVATE_KEY CKK_EC", CKA_VALUE);
++ // CKA_VALUE is guaranteed to be present, since sensitiveAttrs'
++ // size is greater than 0 and no invalid attributes exist
++ sensitiveAttrs.get(CKA_VALUE).pValue =
++ ECUtil.decodePKCS8ECPrivateKey(plainExportedKey)
++ .getS().toByteArray();
++ } else {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " unsupported CKO_PRIVATE_KEY key type: " + keyType);
++ }
++ }
++
++ private static void checkAttrs(Map<Long, CK_ATTRIBUTE> sensitiveAttrs,
++ String keyName, long... validAttrs)
++ throws PKCS11Exception {
++ int sensitiveAttrsCount = sensitiveAttrs.size();
++ if (sensitiveAttrsCount <= validAttrs.length) {
++ int validAttrsCount = 0;
++ for (long validAttr : validAttrs) {
++ if (sensitiveAttrs.containsKey(validAttr)) validAttrsCount++;
++ }
++ if (validAttrsCount == sensitiveAttrsCount) return;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ " invalid attribute types for a " + keyName + " key object");
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec(
++ (byte[])importerKeyMechanism.pParameter), null);
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Importer Key");
++ }
++ }
++ }
++
++ private static void createExporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Exporter Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ exporterKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ byte[] exporterKeyRaw = new byte[32];
++ JCAUtil.getSecureRandom().nextBytes(exporterKeyRaw);
++ exporterKey = new SecretKeySpec(exporterKeyRaw, "AES");
++ try {
++ SecretKeyFactory skf = SecretKeyFactory.getInstance("AES");
++ exporterKeyP11 = (P11Key)(skf.translateKey(exporterKey));
++ if (exporterKeyP11 != null) {
++ exporterCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ exporterCipher.init(Cipher.DECRYPT_MODE, exporterKey,
++ new IvParameterSpec(
++ (byte[])exporterKeyMechanism.pParameter), null);
++ }
++ } catch (Throwable t) {
++ // best effort
++ exporterKey = null;
++ exporterKeyP11 = null;
++ exporterCipher = null;
++ // exporterKeyMechanism value is kept initialized to indicate that
++ // Exporter Key creation has been tried and failed.
++ if (debug != null) {
++ debug.println("Error generating the Exporter Key");
++ }
++ }
++ }
++}
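Review bot: In `importKey`, lookups of the form `attrsMap.get(CKA_PRIME_1).getBigInteger()` dereference the map result before the `!= null ? v : BigInteger.ZERO` fallback runs, so a template that omits an attribute raises a NullPointerException instead of defaulting to zero. The fallback suggests that absent components (for instance an RSA private key without CRT values) were meant to be tolerated. As written, the NPE is caught by `catch (Throwable t)` and resurfaces as `CKR_GENERAL_ERROR` with a null message. A small helper that checks the attribute first covers the RSA, DSA, EC and DH call sites and removes the reused local `v`. The `getByteArray()` lookups for `CKA_EC_PARAMS` and the secret-key `CKA_VALUE` have the same exposure.

```java
// Returns the attribute's BigInteger value, or ZERO when the attribute
// is missing from the template.
private static BigInteger bigIntOrZero(Map<Long, CK_ATTRIBUTE> attrs,
        long type) {
    CK_ATTRIBUTE attr = attrs.get(type);
    BigInteger value = (attr != null) ? attr.getBigInteger() : null;
    return (value != null) ? value : BigInteger.ZERO;
}

// … unchanged: importer key setup and attribute scan in importKey …
keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
        KeyType.RSA,
        null,
        bigIntOrZero(attrsMap, CKA_MODULUS),
        bigIntOrZero(attrsMap, CKA_PUBLIC_EXPONENT),
        bigIntOrZero(attrsMap, CKA_PRIVATE_EXPONENT),
        bigIntOrZero(attrsMap, CKA_PRIME_1),
        bigIntOrZero(attrsMap, CKA_PRIME_2),
        bigIntOrZero(attrsMap, CKA_EXPONENT_1),
        bigIntOrZero(attrsMap, CKA_EXPONENT_2),
        bigIntOrZero(attrsMap, CKA_COEFFICIENT)
).getEncoded();
// … unchanged: DSA, EC and DH branches, switched to bigIntOrZero the same way …
```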
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+index 9b69072280e..b403e6d3c6d 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+@@ -37,6 +37,8 @@ import javax.crypto.*;
+ import javax.crypto.interfaces.*;
+ import javax.crypto.spec.*;
+
++import jdk.internal.access.SharedSecrets;
++
+ import sun.security.rsa.RSAUtil.KeyType;
+ import sun.security.rsa.RSAPublicKeyImpl;
+ import sun.security.rsa.RSAPrivateCrtKeyImpl;
+@@ -69,6 +71,9 @@ import sun.security.jca.JCAUtil;
+ */
+ abstract class P11Key implements Key, Length {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ private static final long serialVersionUID = -2575874101938349339L;
+
+ private static final String PUBLIC = "public";
+@@ -379,7 +384,8 @@ abstract class P11Key implements Key, Length {
+ new CK_ATTRIBUTE(CKA_SENSITIVE),
+ new CK_ATTRIBUTE(CKA_EXTRACTABLE),
+ });
+- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) {
++ if (!plainKeySupportEnabled && (attributes[1].getBoolean() ||
++ (attributes[2].getBoolean() == false))) {
+ return new P11PrivateKey
+ (session, keyID, algorithm, keyLength, attributes);
+ } else {
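Review bot: `plainKeySupportEnabled` is a process-wide static, so this condition stops honouring `CKA_SENSITIVE` and `CKA_EXTRACTABLE` for private keys on every token the provider serves, not only the NSS software token the FIPS exporter targets. If another SunPKCS11 configuration, such as a hardware token, is loaded in the same JVM, its sensitive keys would presumably also be routed to the extractable key classes. I would scope the override to the intended token, or at minimum document the assumption: `// system FIPS: sensitive keys are exported via FIPSKeyImporter; assumes the only token is the NSS FIPS softoken`. The `getFormat()` hunk below applies the same global test and returns "RAW" for sensitive keys. Both enclosing methods start outside their hunks.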
+@@ -461,7 +467,8 @@ abstract class P11Key implements Key, Length {
+ }
+ public String getFormat() {
+ token.ensureValid();
+- if (sensitive || (extractable == false)) {
++ if (!plainKeySupportEnabled &&
++ (sensitive || (extractable == false))) {
+ return null;
+ } else {
+ return "RAW";
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 112b639aa96..5549cd9ed4e 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -42,6 +45,7 @@ import javax.security.auth.callback.PasswordCallback;
+
+ import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+
++import jdk.internal.access.SharedSecrets;
+ import jdk.internal.misc.InnocuousThread;
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+@@ -62,6 +66,37 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ private static final MethodHandle fipsExportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ MethodHandle fipsExportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ fipsExportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "exportKey",
++ MethodType.methodType(void.class, SunPKCS11.class,
++ long.class, long.class,
++ long.class, long.class, Map.class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer-exporter" +
++ " initialization failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ fipsExportKey = fipsExportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -320,10 +355,19 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ MethodHandle fipsKeyExporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ fipsKeyExporter = MethodHandles.insertArguments(
++ fipsExportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -339,7 +383,8 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter,
++ fipsKeyExporter);
+ }
+ p11 = tmpPKCS11;
+
+@@ -379,6 +424,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
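Review bot: The added `C_Login` with `new char[] {}` runs for every SunPKCS11 instance when `systemFipsEnabled` is true, because the block sits after the `nssModule != null` check rather than inside it. The comment justifies the empty PIN only for the NSS DB. For a token with a real PIN the login fails and the exception is rethrown into the startup error handling, and on tokens that count failed logins it may use up an attempt. Restricting the block to the NSS case would match the comment, e.g. `if (systemFipsEnabled && nssModule != null) {`, provided that is how the FIPS NSS configuration is recognised, which this hunk does not show. The enclosing block starts and ends outside the hunk.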
+diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 5c0aacd1a67..372a50dd587 100644
+--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -152,16 +155,30 @@ public class PKCS11 {
+
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter,
++ MethodHandle fipsKeyExporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null &&
++ fipsKeyExporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter, fipsKeyExporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
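Review bot: `getInstance` caches one PKCS11 object per `pkcs11ModulePath`, so the `fipsKeyImporter` and `fipsKeyExporter` of the first caller are what every later caller for that library receives. As far as this hunk shows, handles passed on a cache hit are ignored. In SunPKCS11 the handles are bound to `this` with `MethodHandles.insertArguments`, so a second provider instance on the same library would import and export keys through the first provider's token. If only one provider per library is expected in FIPS mode, state that at the cache lookup: `// FIPS handles are bound to the first provider that loads this module; later callers share them`. Otherwise the handles should not be captured in the cached object; the method body continues past the end of this hunk.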
+@@ -1911,4 +1928,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(PKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ FIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.PKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ private MethodHandle fipsKeyExporter;
++ private MethodHandle hC_GetAttributeValue;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter, MethodHandle fipsKeyExporter)
++ throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ this.fipsKeyExporter = fipsKeyExporter;
++ try {
++ hC_GetAttributeValue = MethodHandles.insertArguments(
++ MethodHandles.lookup().findSpecial(SynchronizedPKCS11.class,
++ "C_GetAttributeValue", MethodType.methodType(
++ void.class, long.class, long.class,
++ CK_ATTRIBUTE[].class),
++ SynchronizedFIPSPKCS11.class), 0, this);
++ } catch (Throwable t) {
++ throw new RuntimeException(
++ "sun.security.pkcs11.wrapper.SynchronizedPKCS11" +
++ "::C_GetAttributeValue method not found.", t);
++ }
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++
++ public synchronized void C_GetAttributeValue(long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ FIPSPKCS11Helper.C_GetAttributeValue(hC_GetAttributeValue,
++ fipsKeyExporter, hSession, hObject, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++ static void C_GetAttributeValue(MethodHandle hC_GetAttributeValue,
++ MethodHandle fipsKeyExporter, long hSession, long hObject,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ Map<Long, CK_ATTRIBUTE> sensitiveAttrs = new HashMap<>();
++ List<CK_ATTRIBUTE> nonSensitiveAttrs = new LinkedList<>();
++ FIPSPKCS11Helper.getAttributesBySensitivity(pTemplate,
++ sensitiveAttrs, nonSensitiveAttrs);
++ try {
++ if (sensitiveAttrs.size() > 0) {
++ long keyClass = -1L;
++ long keyType = -1L;
++ try {
++ // Secret and private keys have both class and type
++ // attributes, so we can query them at once.
++ CK_ATTRIBUTE[] queryAttrs = new CK_ATTRIBUTE[]{
++ new CK_ATTRIBUTE(CKA_CLASS),
++ new CK_ATTRIBUTE(CKA_KEY_TYPE),
++ };
++ hC_GetAttributeValue.invoke(hSession, hObject, queryAttrs);
++ keyClass = queryAttrs[0].getLong();
++ keyType = queryAttrs[1].getLong();
++ } catch (PKCS11Exception e) {
++ // If the query fails, the object is neither a secret nor a
++ // private key. As this case won't be handled with the FIPS
++ // Key Exporter, we keep keyClass initialized to -1L.
++ }
++ if (keyClass == CKO_SECRET_KEY || keyClass == CKO_PRIVATE_KEY) {
++ fipsKeyExporter.invoke(hSession, hObject, keyClass, keyType,
++ sensitiveAttrs);
++ if (nonSensitiveAttrs.size() > 0) {
++ CK_ATTRIBUTE[] pNonSensitiveAttrs =
++ new CK_ATTRIBUTE[nonSensitiveAttrs.size()];
++ int i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ pNonSensitiveAttrs[i++] = nonSensAttr;
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject,
++ pNonSensitiveAttrs);
++ // libj2pkcs11 allocates new CK_ATTRIBUTE objects, so we
++ // update the reference on the previous CK_ATTRIBUTEs
++ i = 0;
++ for (CK_ATTRIBUTE nonSensAttr : nonSensitiveAttrs) {
++ nonSensAttr.pValue = pNonSensitiveAttrs[i++].pValue;
++ }
++ }
++ return;
++ }
++ }
++ hC_GetAttributeValue.invoke(hSession, hObject, pTemplate);
++ } catch (Throwable t) {
++ if (t instanceof PKCS11Exception) {
++ throw (PKCS11Exception)t;
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR,
++ t.getMessage());
++ }
++ }
++ private static void getAttributesBySensitivity(CK_ATTRIBUTE[] pTemplate,
++ Map<Long, CK_ATTRIBUTE> sensitiveAttrs,
++ List<CK_ATTRIBUTE> nonSensitiveAttrs) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ long type = attr.type;
++ // Aligned with NSS' sftk_isSensitive in lib/softoken/pkcs11u.c
++ if (type == CKA_VALUE || type == CKA_PRIVATE_EXPONENT ||
++ type == CKA_PRIME_1 || type == CKA_PRIME_2 ||
++ type == CKA_EXPONENT_1 || type == CKA_EXPONENT_2 ||
++ type == CKA_COEFFICIENT) {
++ sensitiveAttrs.put(type, attr);
++ } else {
++ nonSensitiveAttrs.add(attr);
++ }
++ }
++ }
++}
+ }
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+index 8c9e4f9dbe6..883dc04758e 100644
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -38,6 +38,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.List;
+
++import jdk.internal.access.SharedSecrets;
+ import sun.security.ec.ed.EdDSAAlgorithmParameters;
+ import sun.security.ec.ed.EdDSAKeyFactory;
+ import sun.security.ec.ed.EdDSAKeyPairGenerator;
+@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
+
+ private static final long serialVersionUID = -2279741672933606418L;
+
++ private static final boolean systemFipsEnabled =
++ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled();
++
+ private static class ProviderServiceA extends ProviderService {
+ ProviderServiceA(Provider p, String type, String algo, String cn,
+ HashMap<String, String> attrs) {
+@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
+
+ putXDHEntries();
+ putEdDSAEntries();
+-
+- /*
+- * Signature engines
+- */
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+- null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+- ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "NONEwithECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$RawinP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA1withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+-
+- putService(new ProviderService(this, "Signature",
+- "SHA3-224withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-256withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-384withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+- putService(new ProviderService(this, "Signature",
+- "SHA3-512withECDSAinP1363Format",
+- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+-
+- /*
+- * Key Pair Generator engine
+- */
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EC", "sun.security.ec.ECKeyPairGenerator",
+- List.of("EllipticCurve"), ATTRS));
+-
+- /*
+- * Key Agreement engine
+- */
+- putService(new ProviderService(this, "KeyAgreement",
+- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ if (!systemFipsEnabled) {
++ /*
++ * Signature engines
++ */
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
++ null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
++ ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "NONEwithECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$RawinP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA1withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
++
++ putService(new ProviderService(this, "Signature",
++ "SHA3-224withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-256withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-384withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
++ putService(new ProviderService(this, "Signature",
++ "SHA3-512withECDSAinP1363Format",
++ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
++
++ /*
++ * Key Pair Generator engine
++ */
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EC", "sun.security.ec.ECKeyPairGenerator",
++ List.of("EllipticCurve"), ATTRS));
++
++ /*
++ * Key Agreement engine
++ */
++ putService(new ProviderService(this, "KeyAgreement",
++ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
++ }
+ }
+
+ private void putXDHEntries() {
+@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
+ "X448", "sun.security.ec.XDHKeyFactory.X448",
+ ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "KeyAgreement",
+- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyAgreement",
+- "X448", "sun.security.ec.XDHKeyAgreement.X448",
+- ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
++ ATTRS));
++
++ putService(new ProviderService(this, "KeyAgreement",
++ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyAgreement",
++ "X448", "sun.security.ec.XDHKeyAgreement.X448",
++ ATTRS));
++ }
+ }
+
+ private void putEdDSAEntries() {
+@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
+ putService(new ProviderServiceA(this, "KeyFactory",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
+
+- putService(new ProviderService(this, "KeyPairGenerator",
+- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+- ATTRS));
+- putService(new ProviderServiceA(this, "KeyPairGenerator",
+- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+- ATTRS));
+-
+- putService(new ProviderService(this, "Signature",
+- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+- putService(new ProviderServiceA(this, "Signature",
+- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ if (!systemFipsEnabled) {
++ putService(new ProviderService(this, "KeyPairGenerator",
++ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
++ ATTRS));
++ putService(new ProviderServiceA(this, "KeyPairGenerator",
++ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
++ ATTRS));
++
++ putService(new ProviderService(this, "Signature",
++ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
++ putService(new ProviderServiceA(this, "Signature",
++ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
++ }
+
+ }
+ }
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
index 121bd41..057f7ad 100644
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@@ -327,6 +327,8 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
+# Define current Git revision for the FIPS support patches
+%global fipsver 3625385b13d
# Standard JPackage naming and versioning defines
%global origin openjdk
@@ -334,7 +336,7 @@
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7
-%global rpmrelease 1
+%global rpmrelease 2
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@@ -1301,41 +1303,31 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# Follow system wide crypto policy RHBZ#1249083
-Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# PR3695: Allow use of system crypto policy to be disabled by the user
-Patch5: pr3695-toggle_system_crypto_policy.patch
-# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
+# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
-# FIPS support patches
+# Crypto policy and FIPS support patches
+# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
+# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
+# Diff is limited to src and make subdirectories to exclude .github changes
+# Fixes currently included:
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
-Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
-Patch1008: rh1929465-improve_system_FIPS_detection.patch
-Patch1011: rh1929465-dont_define_unused_throwioexception.patch
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
-Patch1009: rh1995150-disable_non-fips_crypto.patch
# RH1996182: Login to the NSS software token in FIPS mode
-Patch1010: rh1996182-login_to_nss_software_token.patch
-Patch1012: rh1996182-extend_security_policy.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-Patch1013: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
-Patch1014: rh2021263-fips_ensure_security_initialised.patch
-Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052819: Fix FIPS reliance on crypto policies
-Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
-Patch1017: rh2052829-fips_runtime_nss_detection.patch
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+Patch1001: fips-17u-%{fipsver}.patch
#############################################
#
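Review bot: The consolidated FIPS patch is identified only by an abbreviated commit hash: the comment above `Patch1001` builds the file name with `git show -s --format=%h`, and `fipsver` in the first hunk of this file holds the same short form. The length of an abbreviated hash depends on the local git configuration and the size of the repository, so a regenerated patch can get a different name and the short form may stop being unique in the fips-17u tree. This one file now replaces all the individually named FIPS patches, so a comment next to the macro recording the full commit, e.g. `# fips-17u commit: <full 40-character hash>`, would keep its origin unambiguous for anyone auditing it. The "Fixes currently included" list is maintained by hand and is worth updating in the same change as `fipsver`.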
@@ -1745,29 +1737,15 @@ pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch4 -p1
-%patch5 -p1
%patch6 -p1
%patch7 -p1
+# Add crypto policy and FIPS support
+%patch1001 -p1
+# nss.cfg PKCS11 support; must come last as it also alters java.security
+%patch1000 -p1
popd # openjdk
-%patch1000
%patch600
-%patch1001
-%patch1002
-%patch1004
-%patch1007
-%patch1008
-%patch1009
-%patch1010
-%patch1011
-%patch1012
-%patch1013
-%patch1014
-%patch1015
-%patch1016
-%patch1017
-%patch1018
# Extract systemtap tapsets
%if %{with_systemtap}
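Review bot: The comment on `%patch1000 -p1` says the nss.cfg patch "must come last", but `%patch600` is still applied after `popd`, so the constraint that matters is the order relative to `%patch1001`. The rebased nss.cfg patch now uses a java.security context line that appears to come from the FIPS patch, so applying it before `%patch1001` would presumably fail. Naming that dependency directly is clearer, e.g. `# nss.cfg PKCS11 support; must be applied after %%patch1001 as both alter java.security`, with `%%` so the macro is not expanded inside the comment.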
@@ -2539,6 +2517,12 @@ cjc.mainProgram(args)
%endif
%changelog
+* Sun Jun 12 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-2
+- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
+- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
+- RH2023467: Enable FIPS keys export
+- RH2094027: SunEC runtime permission for FIPS
+
* Sun Apr 24 2022 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:17.0.3.0.7-1
- April 2022 security update to jdk 17.0.3+7
- Update release notes to 17.0.3.0+7
diff --git a/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
deleted file mode 100644
index 4efbe9a..0000000
--- a/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-
-# HG changeset patch
-# User andrew
-# Date 1478057514 0
-# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
-# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
-PR3183: Support Fedora/RHEL system crypto policy
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
---- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
-@@ -43,6 +43,9 @@
- * implementation-specific location, which is typically the properties file
- * {@code conf/security/java.security} in the Java installation directory.
- *
-+ * <p>Additional default values of security properties are read from a
-+ * system-specific location, if available.</p>
-+ *
- * @author Benjamin Renaud
- * @since 1.1
- */
-@@ -52,6 +55,10 @@
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-+ /* System property file*/
-+ private static final String SYSTEM_PROPERTIES =
-+ "/etc/crypto-policies/back-ends/java.config";
-+
- /* The java.security properties */
- private static Properties props;
-
-@@ -93,6 +100,7 @@
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -114,6 +122,31 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
-+ if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
---- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=true
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch
deleted file mode 100644
index 3799237..0000000
--- a/pr3695-toggle_system_crypto_policy.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1545198926 0
-# Wed Dec 19 05:55:26 2018 +0000
-# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
-# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
-PR3695: Allow use of system crypto policy to be disabled by the user
-Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
-
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -125,31 +125,6 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
-- }
-- }
--
-- if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-@@ -215,6 +190,33 @@
- }
- }
-
-+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-+ if (disableSystemProps == null &&
-+ "true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
- if (!loadedProps) {
- initializeStatic();
- if (sdebug != null) {
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
index 7be1fae..b552b99 100644
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -1,7 +1,7 @@
-diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
-index 534bdae5a16..2df2b59cbf6 100644
---- openjdk/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
+diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
+index 5a355e70cae..c730ea26ea2 100644
+--- a/src/java.base/share/conf/security/java.security
++++ b/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
security.provider.tbd=Apple
#endif
@@ -9,4 +9,4 @@ index 534bdae5a16..2df2b59cbf6 100644
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
- # A list of preferred providers for specific algorithms. These providers will
+ # Security providers used when global crypto-policies are set to FIPS.
diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch
deleted file mode 100644
index 80cd91c..0000000
--- a/rh1655466-global_crypto_and_fips.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -196,26 +196,8 @@
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
--
-- // now load the system file, if it exists, so its values
-- // will win if they conflict with the earlier values
-- try (BufferedInputStream bis =
-- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-- props.load(bis);
-+ if (SystemConfigurator.configure(props)) {
- loadedProps = true;
--
-- if (sdebug != null) {
-- sdebug.println("reading system security properties file " +
-- SYSTEM_PROPERTIES);
-- sdebug.println(props.toString());
-- }
-- } catch (IOException e) {
-- if (sdebug != null) {
-- sdebug.println
-- ("unable to load security properties from " +
-- SYSTEM_PROPERTIES);
-- e.printStackTrace();
-- }
- }
- }
-
-diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
-new file mode 100644
---- /dev/null
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -0,0 +1,151 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc.
-+ *
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package java.security;
-+
-+import java.io.BufferedInputStream;
-+import java.io.FileInputStream;
-+import java.io.IOException;
-+
-+import java.nio.file.Files;
-+import java.nio.file.Path;
-+
-+import java.util.Iterator;
-+import java.util.Map.Entry;
-+import java.util.Properties;
-+import java.util.function.Consumer;
-+import java.util.regex.Matcher;
-+import java.util.regex.Pattern;
-+
-+import sun.security.util.Debug;
-+
-+/**
-+ * Internal class to align OpenJDK with global crypto-policies.
-+ * Called from java.security.Security class initialization,
-+ * during startup.
-+ *
-+ */
-+
-+class SystemConfigurator {
-+
-+ private static final Debug sdebug =
-+ Debug.getInstance("properties");
-+
-+ private static final String CRYPTO_POLICIES_BASE_DIR =
-+ "/etc/crypto-policies";
-+
-+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-+
-+ private static final String CRYPTO_POLICIES_CONFIG =
-+ CRYPTO_POLICIES_BASE_DIR + "/config";
-+
-+ private static final class SecurityProviderInfo {
-+ int number;
-+ String key;
-+ String value;
-+ SecurityProviderInfo(int number, String key, String value) {
-+ this.number = number;
-+ this.key = key;
-+ this.value = value;
-+ }
-+ }
-+
-+ /*
-+ * Invoked when java.security.Security class is initialized, if
-+ * java.security.disableSystemPropertiesFile property is not set and
-+ * security.useSystemPropertiesFile is true.
-+ */
-+ static boolean configure(Properties props) {
-+ boolean loadedProps = false;
-+
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(
-+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
-+ props.load(bis);
-+ loadedProps = true;
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties from " +
-+ CRYPTO_POLICIES_JAVA_CONFIG);
-+ e.printStackTrace();
-+ }
-+ }
-+
-+ try {
-+ if (enableFips()) {
-+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-+ loadedProps = false;
-+ // Remove all security providers
-+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
-+ while (i.hasNext()) {
-+ Entry<Object, Object> e = i.next();
-+ if (((String) e.getKey()).startsWith("security.provider")) {
-+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
-+ i.remove();
-+ }
-+ }
-+ // Add FIPS security providers
-+ String fipsProviderValue = null;
-+ for (int n = 1;
-+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
-+ String fipsProviderKey = "security.provider." + n;
-+ if (sdebug != null) {
-+ sdebug.println("Adding provider " + n + ": " +
-+ fipsProviderKey + "=" + fipsProviderValue);
-+ }
-+ props.put(fipsProviderKey, fipsProviderValue);
-+ }
-+ loadedProps = true;
-+ }
-+ } catch (Exception e) {
-+ if (sdebug != null) {
-+ sdebug.println("unable to load FIPS configuration");
-+ e.printStackTrace();
-+ }
-+ }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * FIPS is enabled only if crypto-policies are set to "FIPS"
-+ * and the com.redhat.fips property is true.
-+ */
-+ private static boolean enableFips() throws Exception {
-+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (fipsEnabled) {
-+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-+ return pattern.matcher(cryptoPoliciesConfig).find();
-+ } else {
-+ return false;
-+ }
-+ }
-+}
-diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
---- openjdk.orig/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -87,6 +87,14 @@
- #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
-
- #
-+# Security providers used when global crypto-policies are set to FIPS.
-+#
-+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
-+fips.provider.2=SUN
-+fips.provider.3=SunEC
-+fips.provider.4=SunJSSE
-+
-+#
- # A list of preferred providers for specific algorithms. These providers will
- # be searched for matching algorithms before the list of registered providers.
- # Entries containing errors (parsing, etc) will be ignored. Use the
diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch
deleted file mode 100644
index ff34f3e..0000000
--- a/rh1818909-fips_default_keystore_type.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
-@@ -123,6 +123,33 @@
- }
- props.put(fipsProviderKey, fipsProviderValue);
- }
-+ // Add other security properties
-+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
-+ if (keystoreTypeValue != null) {
-+ String nonFipsKeystoreType = props.getProperty("keystore.type");
-+ props.put("keystore.type", keystoreTypeValue);
-+ if (keystoreTypeValue.equals("PKCS11")) {
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ }
-+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
-+ // If no trustStoreType has been set, use the
-+ // previous keystore.type under FIPS mode. In
-+ // a default configuration, the Trust Store will
-+ // be 'cacerts' (JKS type).
-+ System.setProperty("javax.net.ssl.trustStoreType",
-+ nonFipsKeystoreType);
-+ }
-+ if (sdebug != null) {
-+ sdebug.println("FIPS mode default keystore.type = " +
-+ keystoreTypeValue);
-+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-+ System.getProperty("javax.net.ssl.keyStore", ""));
-+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
-+ System.getProperty("javax.net.ssl.trustStoreType", ""));
-+ }
-+ }
- loadedProps = true;
- }
- } catch (Exception e) {
-diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
---- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
-+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
-@@ -299,6 +299,11 @@
- keystore.type=pkcs12
-
- #
-+# Default keystore type used when global crypto-policies are set to FIPS.
-+#
-+fips.keystore.type=PKCS11
-+
-+#
- # Controls compatibility mode for JKS and PKCS12 keystore types.
- #
- # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch
deleted file mode 100644
index 8dcd9a8..0000000
--- a/rh1860986-disable_tlsv1.3_in_fips_mode.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index f9baf8c9742..60fa75cab45 100644
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,11 +1,13 @@
- /*
-- * Copyright (c) 2019, Red Hat, Inc.
-+ * Copyright (c) 2019, 2020, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
-- * published by the Free Software Foundation.
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-@@ -34,10 +36,10 @@ import java.nio.file.Path;
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.function.Consumer;
--import java.util.regex.Matcher;
- import java.util.regex.Pattern;
-
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
-+import jdk.internal.access.SharedSecrets;
- import sun.security.util.Debug;
-
- /**
-@@ -47,7 +49,7 @@ import sun.security.util.Debug;
- *
- */
-
--class SystemConfigurator {
-+final class SystemConfigurator {
-
- private static final Debug sdebug =
- Debug.getInstance("properties");
-@@ -61,15 +63,16 @@ class SystemConfigurator {
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
-- private static final class SecurityProviderInfo {
-- int number;
-- String key;
-- String value;
-- SecurityProviderInfo(int number, String key, String value) {
-- this.number = number;
-- this.key = key;
-- this.value = value;
-- }
-+ private static boolean systemFipsEnabled = false;
-+
-+ static {
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
- }
-
- /*
-@@ -128,9 +131,9 @@ class SystemConfigurator {
- String nonFipsKeystoreType = props.getProperty("keystore.type");
- props.put("keystore.type", keystoreTypeValue);
- if (keystoreTypeValue.equals("PKCS11")) {
-- // If keystore.type is PKCS11, javax.net.ssl.keyStore
-- // must be "NONE". See JDK-8238264.
-- System.setProperty("javax.net.ssl.keyStore", "NONE");
-+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
-+ // must be "NONE". See JDK-8238264.
-+ System.setProperty("javax.net.ssl.keyStore", "NONE");
- }
- if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
- // If no trustStoreType has been set, use the
-@@ -144,12 +147,13 @@ class SystemConfigurator {
- sdebug.println("FIPS mode default keystore.type = " +
- keystoreTypeValue);
- sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
-- System.getProperty("javax.net.ssl.keyStore", ""));
-+ System.getProperty("javax.net.ssl.keyStore", ""));
- sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
- System.getProperty("javax.net.ssl.trustStoreType", ""));
- }
- }
- loadedProps = true;
-+ systemFipsEnabled = true;
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -160,13 +164,30 @@ class SystemConfigurator {
- return loadedProps;
- }
-
-+ /**
-+ * Returns whether or not global system FIPS alignment is enabled.
-+ *
-+ * Value is always 'false' before java.security.Security class is
-+ * initialized.
-+ *
-+ * Call from out of this package through SharedSecrets:
-+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ * .isSystemFipsEnabled();
-+ *
-+ * @return a boolean value indicating whether or not global
-+ * system FIPS alignment is enabled.
-+ */
-+ static boolean isSystemFipsEnabled() {
-+ return systemFipsEnabled;
-+ }
-+
- /*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
- */
- private static boolean enableFips() throws Exception {
-- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-- if (fipsEnabled) {
-+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
-+ if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-new file mode 100644
-index 00000000000..a31e93ec02e
---- /dev/null
-+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-@@ -0,0 +1,30 @@
-+/*
-+ * Copyright (c) 2020, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package jdk.internal.access;
-+
-+public interface JavaSecuritySystemConfiguratorAccess {
-+ boolean isSystemFipsEnabled();
-+}
-diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-index f6d3638c3dd..5a2c9eb0c46 100644
---- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-@@ -81,6 +81,7 @@ public class SharedSecrets {
- private static JavaSecuritySpecAccess javaSecuritySpecAccess;
- private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
- private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
-+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
-
- public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
- javaUtilCollectionAccess = juca;
-@@ -442,4 +443,12 @@ public class SharedSecrets {
- MethodHandles.lookup().ensureInitialized(c);
- } catch (IllegalAccessException e) {}
- }
-+
-+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
-+ javaSecuritySystemConfiguratorAccess = jssca;
-+ }
-+
-+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ return javaSecuritySystemConfiguratorAccess;
-+ }
- }
-diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-index 6ffdfeda18d..775b185fb06 100644
---- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
-@@ -32,6 +32,7 @@ import java.security.cert.*;
- import java.util.*;
- import java.util.concurrent.locks.ReentrantLock;
- import javax.net.ssl.*;
-+import jdk.internal.access.SharedSecrets;
- import sun.security.action.GetPropertyAction;
- import sun.security.provider.certpath.AlgorithmChecker;
- import sun.security.validator.Validator;
-@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- private static final List<CipherSuite> serverDefaultCipherSuites;
-
- static {
-- supportedProtocols = Arrays.asList(
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10,
-- ProtocolVersion.SSL30,
-- ProtocolVersion.SSL20Hello
-- );
--
-- serverDefaultProtocols = getAvailableProtocols(
-- new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- });
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ } else {
-+ supportedProtocols = Arrays.asList(
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10,
-+ ProtocolVersion.SSL30,
-+ ProtocolVersion.SSL20Hello
-+ );
-+
-+ serverDefaultProtocols = getAvailableProtocols(
-+ new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ });
-+ }
-
- supportedCipherSuites = getApplicableSupportedCipherSuites(
- supportedProtocols);
-@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
- ProtocolVersion[] candidates;
- if (refactored.isEmpty()) {
- // Client and server use the same default protocols.
-- candidates = new ProtocolVersion[] {
-- ProtocolVersion.TLS13,
-- ProtocolVersion.TLS12,
-- ProtocolVersion.TLS11,
-- ProtocolVersion.TLS10
-- };
-+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ } else {
-+ candidates = new ProtocolVersion[] {
-+ ProtocolVersion.TLS13,
-+ ProtocolVersion.TLS12,
-+ ProtocolVersion.TLS11,
-+ ProtocolVersion.TLS10
-+ };
-+ }
- } else {
- // Use the customized TLS protocols.
- candidates =
-diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-index 894e26dfad8..8b16378b96b 100644
---- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
-@@ -27,6 +27,8 @@ package sun.security.ssl;
-
- import java.security.*;
- import java.util.*;
-+
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
-
- /**
-@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
- "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
- ps("SSLContext", "TLSv1.2",
- "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
-- ps("SSLContext", "TLSv1.3",
-- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled()) {
-+ // RH1860986: TLSv1.3 key derivation not supported with
-+ // the Security Providers available in system FIPS mode.
-+ ps("SSLContext", "TLSv1.3",
-+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
-+ }
- ps("SSLContext", "TLS",
- "sun.security.ssl.SSLContextImpl$TLSContext",
- List.of("SSL"), null);
diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch
deleted file mode 100644
index 513fbbf..0000000
--- a/rh1915071-always_initialise_configurator_access.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index f1633afb627..ce32c939253 100644
---- openjdk/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -32,6 +32,7 @@ import java.net.URL;
-
- import jdk.internal.event.EventHelper;
- import jdk.internal.event.SecurityPropertyModificationEvent;
-+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
- import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.util.Debug;
-@@ -74,6 +75,15 @@ public final class Security {
- }
-
- static {
-+ // Initialise here as used by code with system properties disabled
-+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-+ new JavaSecuritySystemConfiguratorAccess() {
-+ @Override
-+ public boolean isSystemFipsEnabled() {
-+ return SystemConfigurator.isSystemFipsEnabled();
-+ }
-+ });
-+
- // doPrivileged here because there are multiple
- // things in initialize that might require privs.
- // (the FileInputStream call and the File.exists call,
-@@ -194,9 +204,8 @@ public final class Security {
- }
-
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
-- if (disableSystemProps == null &&
-- "true".equalsIgnoreCase(props.getProperty
-- ("security.useSystemPropertiesFile"))) {
-+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
-+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
- }
-diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 60fa75cab45..10b54aa4ce4 100644
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -38,8 +38,6 @@ import java.util.Map.Entry;
- import java.util.Properties;
- import java.util.regex.Pattern;
-
--import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
--import jdk.internal.access.SharedSecrets;
- import sun.security.util.Debug;
-
- /**
-@@ -65,16 +63,6 @@ final class SystemConfigurator {
-
- private static boolean systemFipsEnabled = false;
-
-- static {
-- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
-- new JavaSecuritySystemConfiguratorAccess() {
-- @Override
-- public boolean isSystemFipsEnabled() {
-- return SystemConfigurator.isSystemFipsEnabled();
-- }
-- });
-- }
--
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
diff --git a/rh1929465-dont_define_unused_throwioexception.patch b/rh1929465-dont_define_unused_throwioexception.patch
deleted file mode 100644
index eba090f..0000000
--- a/rh1929465-dont_define_unused_throwioexception.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Sat Aug 28 01:15:28 2021 +0100
-
- RH1929465: Don't define unused throwIOException function when using NSS detection
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 6f4656bfcb6..38919d6bb0f 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -34,14 +34,34 @@
-
- #include "java_security_SystemConfigurator.h"
-
--#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
- #define MSG_MAX_SIZE 96
-
- static jmethodID debugPrintlnMethodID = NULL;
- static jobject debugObj = NULL;
-
--static void throwIOException(JNIEnv *env, const char *msg);
--static void dbgPrint(JNIEnv *env, const char* msg);
-+// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
-+#ifndef SYSCONF_NSS
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+#endif
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-
- /*
- * Class: java_security_SystemConfigurator
-@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
-
- #endif // SYSCONF_NSS
- }
--
--static void throwIOException(JNIEnv *env, const char *msg)
--{
-- jclass cls = (*env)->FindClass(env, "java/io/IOException");
-- if (cls != 0)
-- (*env)->ThrowNew(env, cls, msg);
--}
--
--static void dbgPrint(JNIEnv *env, const char* msg)
--{
-- jstring jMsg;
-- if (debugObj != NULL) {
-- jMsg = (*env)->NewStringUTF(env, msg);
-- CHECK_NULL(jMsg);
-- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-- }
--}
diff --git a/rh1929465-improve_system_FIPS_detection.patch b/rh1929465-improve_system_FIPS_detection.patch
deleted file mode 100644
index 4dfd1d4..0000000
--- a/rh1929465-improve_system_FIPS_detection.patch
+++ /dev/null
@@ -1,428 +0,0 @@
-diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4
-new file mode 100644
-index 00000000000..b2b1c1787da
---- /dev/null
-+++ openjdk/make/autoconf/lib-sysconf.m4
-@@ -0,0 +1,84 @@
-+#
-+# Copyright (c) 2021, Red Hat, Inc.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation. Oracle designates this
-+# particular file as subject to the "Classpath" exception as provided
-+# by Oracle in the LICENSE file that accompanied this code.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+################################################################################
-+# Setup system configuration libraries
-+################################################################################
-+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
-+[
-+ ###############################################################################
-+ #
-+ # Check for the NSS library
-+ #
-+
-+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
-+
-+ # default is not available
-+ DEFAULT_SYSCONF_NSS=no
-+
-+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
-+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ sysconf_nss=yes
-+ ;;
-+ *)
-+ sysconf_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
-+ ])
-+ AC_MSG_RESULT([$sysconf_nss])
-+
-+ USE_SYSCONF_NSS=false
-+ if test "x${sysconf_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_FOUND}" = "xyes"; then
-+ AC_MSG_CHECKING([for system FIPS support in NSS])
-+ saved_libs="${LIBS}"
-+ saved_cflags="${CFLAGS}"
-+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
-+ LIBS="${LIBS} ${NSS_LIBS}"
-+ AC_LANG_PUSH([C])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
-+ [[SECMOD_GetSystemFIPSEnabled()]])],
-+ [AC_MSG_RESULT([yes])],
-+ [AC_MSG_RESULT([no])
-+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
-+ AC_LANG_POP([C])
-+ CFLAGS="${saved_cflags}"
-+ LIBS="${saved_libs}"
-+ USE_SYSCONF_NSS=true
-+ else
-+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
-+ dnl in nss3/pk11pub.h.
-+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
-+ fi
-+ fi
-+ AC_SUBST(USE_SYSCONF_NSS)
-+])
-diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
-index a65d91ee974..a8f054c1397 100644
---- openjdk/make/autoconf/libraries.m4
-+++ openjdk/make/autoconf/libraries.m4
-@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
- m4_include([lib-x11.m4])
- m4_include([lib-fontconfig.m4])
- m4_include([lib-tests.m4])
-+m4_include([lib-sysconf.m4])
-
- ################################################################################
- # Determine which libraries are needed for this configuration
-@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
- LIB_SETUP_BUNDLED_LIBS
- LIB_SETUP_MISC_LIBS
- LIB_TESTS_SETUP_GTEST
-+ LIB_SETUP_SYSCONF_LIBS
-
- BASIC_JDKLIB_LIBS=""
- if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
-diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
-index 29445c8c24f..9b1b512a34a 100644
---- openjdk/make/autoconf/spec.gmk.in
-+++ openjdk/make/autoconf/spec.gmk.in
-@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
- # Libraries
- #
-
-+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
- LCMS_CFLAGS:=@LCMS_CFLAGS@
- LCMS_LIBS:=@LCMS_LIBS@
-diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk
-index 5658ff342e5..cb7a56852f7 100644
---- openjdk/make/modules/java.base/Lib.gmk
-+++ openjdk/make/modules/java.base/Lib.gmk
-@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
- endif
- endif
-
-+################################################################################
-+# Create the systemconf library
-+
-+LIBSYSTEMCONF_CFLAGS :=
-+LIBSYSTEMCONF_CXXFLAGS :=
-+
-+ifeq ($(USE_SYSCONF_NSS), true)
-+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
-+endif
-+
-+ifeq ($(OPENJDK_BUILD_OS), linux)
-+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
-+ NAME := systemconf, \
-+ OPTIMIZATION := LOW, \
-+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
-+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
-+ LDFLAGS := $(LDFLAGS_JDKLIB) \
-+ $(call SET_SHARED_LIBRARY_ORIGIN), \
-+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
-+ ))
-+
-+ TARGETS += $(BUILD_LIBSYSTEMCONF)
-+endif
-+
- ################################################################################
- # Create the symbols file for static builds.
-
-diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-new file mode 100644
-index 00000000000..6f4656bfcb6
---- /dev/null
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -0,0 +1,168 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#include <dlfcn.h>
-+#include <jni.h>
-+#include <jni_util.h>
-+#include <stdio.h>
-+
-+#ifdef SYSCONF_NSS
-+#include <nss3/pk11pub.h>
-+#endif //SYSCONF_NSS
-+
-+#include "java_security_SystemConfigurator.h"
-+
-+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-+#define MSG_MAX_SIZE 96
-+
-+static jmethodID debugPrintlnMethodID = NULL;
-+static jobject debugObj = NULL;
-+
-+static void throwIOException(JNIEnv *env, const char *msg);
-+static void dbgPrint(JNIEnv *env, const char* msg);
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnLoad
-+ */
-+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+ jclass sysConfCls, debugCls;
-+ jfieldID sdebugFld;
-+
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return JNI_EVERSION; /* JNI version not supported */
-+ }
-+
-+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
-+ if (sysConfCls == NULL) {
-+ printf("libsystemconf: SystemConfigurator class not found\n");
-+ return JNI_ERR;
-+ }
-+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
-+ "sdebug", "Lsun/security/util/Debug;");
-+ if (sdebugFld == NULL) {
-+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
-+ if (debugObj != NULL) {
-+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
-+ if (debugCls == NULL) {
-+ printf("libsystemconf: Debug class not found\n");
-+ return JNI_ERR;
-+ }
-+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
-+ "println", "(Ljava/lang/String;)V");
-+ if (debugPrintlnMethodID == NULL) {
-+ printf("libsystemconf: Debug::println(String) method not found\n");
-+ return JNI_ERR;
-+ }
-+ debugObj = (*env)->NewGlobalRef(env, debugObj);
-+ }
-+
-+ return (*env)->GetVersion(env);
-+}
-+
-+/*
-+ * Class: java_security_SystemConfigurator
-+ * Method: JNI_OnUnload
-+ */
-+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
-+{
-+ JNIEnv *env;
-+
-+ if (debugObj != NULL) {
-+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
-+ return; /* Should not happen */
-+ }
-+ (*env)->DeleteGlobalRef(env, debugObj);
-+ }
-+}
-+
-+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
-+ (JNIEnv *env, jclass cls)
-+{
-+ int fips_enabled;
-+ char msg[MSG_MAX_SIZE];
-+ int msg_bytes;
-+
-+#ifdef SYSCONF_NSS
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
-+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " SECMOD_GetSystemFIPSEnabled return value");
-+ }
-+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-+
-+#else // SYSCONF_NSS
-+
-+ FILE *fe;
-+
-+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
-+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
-+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ }
-+ fips_enabled = fgetc(fe);
-+ fclose(fe);
-+ if (fips_enabled == EOF) {
-+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ }
-+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
-+ " read character is '%c'", fips_enabled);
-+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
-+ dbgPrint(env, msg);
-+ } else {
-+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
-+ " read character");
-+ }
-+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-+
-+#endif // SYSCONF_NSS
-+}
-+
-+static void throwIOException(JNIEnv *env, const char *msg)
-+{
-+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
-+ if (cls != 0)
-+ (*env)->ThrowNew(env, cls, msg);
-+}
-+
-+static void dbgPrint(JNIEnv *env, const char* msg)
-+{
-+ jstring jMsg;
-+ if (debugObj != NULL) {
-+ jMsg = (*env)->NewStringUTF(env, msg);
-+ CHECK_NULL(jMsg);
-+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
-+ }
-+}
-diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 10b54aa4ce4..6aa1419dfd0 100644
---- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2019, 2020, Red Hat, Inc.
-+ * Copyright (c) 2019, 2021, Red Hat, Inc.
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
-@@ -30,13 +30,9 @@ import java.io.BufferedInputStream;
- import java.io.FileInputStream;
- import java.io.IOException;
-
--import java.nio.file.Files;
--import java.nio.file.Path;
--
- import java.util.Iterator;
- import java.util.Map.Entry;
- import java.util.Properties;
--import java.util.regex.Pattern;
-
- import sun.security.util.Debug;
-
-@@ -58,11 +54,23 @@ final class SystemConfigurator {
- private static final String CRYPTO_POLICIES_JAVA_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
-- private static final String CRYPTO_POLICIES_CONFIG =
-- CRYPTO_POLICIES_BASE_DIR + "/config";
--
- private static boolean systemFipsEnabled = false;
-
-+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-+
-+ private static native boolean getSystemFIPSEnabled()
-+ throws IOException;
-+
-+ static {
-+ @SuppressWarnings("removal")
-+ var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
-+ public Void run() {
-+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
-+ return null;
-+ }
-+ });
-+ }
-+
- /*
- * Invoked when java.security.Security class is initialized, if
- * java.security.disableSystemPropertiesFile property is not set and
-@@ -170,16 +178,34 @@ final class SystemConfigurator {
- }
-
- /*
-- * FIPS is enabled only if crypto-policies are set to "FIPS"
-- * and the com.redhat.fips property is true.
-+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
-+ * system property is true (default) and the system is in FIPS mode.
-+ *
-+ * There are 2 possible ways in which OpenJDK detects that the system
-+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
-+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
-+ * /proc/sys/crypto/fips_enabled file is read.
- */
- private static boolean enableFips() throws Exception {
- boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (shouldEnable) {
-- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
-- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
-- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
-- return pattern.matcher(cryptoPoliciesConfig).find();
-+ if (sdebug != null) {
-+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
-+ }
-+ try {
-+ shouldEnable = getSystemFIPSEnabled();
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
-+ + shouldEnable);
-+ }
-+ return shouldEnable;
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
-+ sdebug.println(e.getMessage());
-+ }
-+ throw e;
-+ }
- } else {
- return false;
- }
diff --git a/rh1991003-enable_fips_keys_import.patch b/rh1991003-enable_fips_keys_import.patch
deleted file mode 100644
index 79d2743..0000000
--- a/rh1991003-enable_fips_keys_import.patch
+++ /dev/null
@@ -1,579 +0,0 @@
-commit abcd0954643eddbf826d96291d44a143038ab750
-Author: Martin Balao <mbalao(a)redhat.com>
-Date: Sun Oct 10 18:14:01 2021 +0100
-
- RH1991003: Enable the import of plain keys into the NSS software token.
-
- This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index ce32c939253..dc7020ce668 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -82,6 +82,10 @@ public final class Security {
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
-+ @Override
-+ public boolean isPlainKeySupportEnabled() {
-+ return SystemConfigurator.isPlainKeySupportEnabled();
-+ }
- });
-
- // doPrivileged here because there are multiple
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 6aa1419dfd0..ecab722848e 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -55,6 +55,7 @@ final class SystemConfigurator {
- CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
-
- private static boolean systemFipsEnabled = false;
-+ private static boolean plainKeySupportEnabled = false;
-
- private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
-
-@@ -150,6 +151,16 @@ final class SystemConfigurator {
- }
- loadedProps = true;
- systemFipsEnabled = true;
-+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
-+ "true");
-+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
-+ if (sdebug != null) {
-+ if (plainKeySupportEnabled) {
-+ sdebug.println("FIPS support enabled with plain key support");
-+ } else {
-+ sdebug.println("FIPS support enabled without plain key support");
-+ }
-+ }
- }
- } catch (Exception e) {
- if (sdebug != null) {
-@@ -177,6 +188,19 @@ final class SystemConfigurator {
- return systemFipsEnabled;
- }
-
-+ /**
-+ * Returns {@code true} if system FIPS alignment is enabled
-+ * and plain key support is allowed. Plain key support is
-+ * enabled by default but can be disabled with
-+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
-+ *
-+ * @return a boolean indicating whether plain key support
-+ * should be enabled.
-+ */
-+ static boolean isPlainKeySupportEnabled() {
-+ return plainKeySupportEnabled;
-+ }
-+
- /*
- * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
- * system property is true (default) and the system is in FIPS mode.
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-index a31e93ec02e..3f3caac64dc 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
-@@ -27,4 +27,5 @@ package jdk.internal.access;
-
- public interface JavaSecuritySystemConfiguratorAccess {
- boolean isSystemFipsEnabled();
-+ boolean isPlainKeySupportEnabled();
- }
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-new file mode 100644
-index 00000000000..bee3a1e1537
---- /dev/null
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
-@@ -0,0 +1,291 @@
-+/*
-+ * Copyright (c) 2021, Red Hat, Inc.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation. Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11;
-+
-+import java.math.BigInteger;
-+import java.security.KeyFactory;
-+import java.security.Provider;
-+import java.security.Security;
-+import java.util.HashMap;
-+import java.util.Map;
-+import java.util.concurrent.locks.ReentrantLock;
-+
-+import javax.crypto.Cipher;
-+import javax.crypto.spec.DHPrivateKeySpec;
-+import javax.crypto.spec.IvParameterSpec;
-+
-+import sun.security.jca.JCAUtil;
-+import sun.security.pkcs11.TemplateManager;
-+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
-+import sun.security.pkcs11.wrapper.CK_MECHANISM;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
-+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
-+import sun.security.pkcs11.wrapper.PKCS11Exception;
-+import sun.security.rsa.RSAUtil.KeyType;
-+import sun.security.util.Debug;
-+import sun.security.util.ECUtil;
-+
-+final class FIPSKeyImporter {
-+
-+ private static final Debug debug =
-+ Debug.getInstance("sunpkcs11");
-+
-+ private static P11Key importerKey = null;
-+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
-+ private static CK_MECHANISM importerKeyMechanism = null;
-+ private static Cipher importerCipher = null;
-+
-+ private static Provider sunECProvider = null;
-+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
-+
-+ private static KeyFactory DHKF = null;
-+ private static final ReentrantLock DHKFLock = new ReentrantLock();
-+
-+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
-+ throws PKCS11Exception {
-+ long keyID = -1;
-+ Token token = sunPKCS11.getToken();
-+ if (debug != null) {
-+ debug.println("Private or Secret key will be imported in" +
-+ " system FIPS mode.");
-+ }
-+ if (importerKey == null) {
-+ importerKeyLock.lock();
-+ try {
-+ if (importerKey == null) {
-+ if (importerKeyMechanism == null) {
-+ // Importer Key creation has not been tried yet. Try it.
-+ createImporterKey(token);
-+ }
-+ if (importerKey == null || importerCipher == null) {
-+ if (debug != null) {
-+ debug.println("Importer Key could not be" +
-+ " generated.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ if (debug != null) {
-+ debug.println("Importer Key successfully" +
-+ " generated.");
-+ }
-+ }
-+ } finally {
-+ importerKeyLock.unlock();
-+ }
-+ }
-+ long importerKeyID = importerKey.getKeyID();
-+ try {
-+ byte[] keyBytes = null;
-+ byte[] encKeyBytes = null;
-+ long keyClass = 0L;
-+ long keyType = 0L;
-+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
-+ for (CK_ATTRIBUTE attr : attributes) {
-+ if (attr.type == CKA_CLASS) {
-+ keyClass = attr.getLong();
-+ } else if (attr.type == CKA_KEY_TYPE) {
-+ keyType = attr.getLong();
-+ }
-+ attrsMap.put(attr.type, attr);
-+ }
-+ BigInteger v = null;
-+ if (keyClass == CKO_PRIVATE_KEY) {
-+ if (keyType == CKK_RSA) {
-+ if (debug != null) {
-+ debug.println("Importing an RSA private key...");
-+ }
-+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
-+ KeyType.RSA,
-+ null,
-+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ } else if (keyType == CKK_DSA) {
-+ if (debug != null) {
-+ debug.println("Importing a DSA private key...");
-+ }
-+ keyBytes = new sun.security.provider.DSAPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO
-+ ).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_EC) {
-+ if (debug != null) {
-+ debug.println("Importing an EC private key...");
-+ }
-+ if (sunECProvider == null) {
-+ sunECProviderLock.lock();
-+ try {
-+ if (sunECProvider == null) {
-+ sunECProvider = Security.getProvider("SunEC");
-+ }
-+ } finally {
-+ sunECProviderLock.unlock();
-+ }
-+ }
-+ keyBytes = ECUtil.generateECPrivateKey(
-+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ECUtil.getECParameterSpec(sunECProvider,
-+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
-+ .getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else if (keyType == CKK_DH) {
-+ if (debug != null) {
-+ debug.println("Importing a Diffie-Hellman private key...");
-+ }
-+ if (DHKF == null) {
-+ DHKFLock.lock();
-+ try {
-+ if (DHKF == null) {
-+ DHKF = KeyFactory.getInstance(
-+ "DH", P11Util.getSunJceProvider());
-+ }
-+ } finally {
-+ DHKFLock.unlock();
-+ }
-+ }
-+ DHPrivateKeySpec spec = new DHPrivateKeySpec
-+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO,
-+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
-+ ? v : BigInteger.ZERO);
-+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
-+ if (token.config.getNssNetscapeDbWorkaround() &&
-+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
-+ attrsMap.put(CKA_NETSCAPE_DB,
-+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
-+ }
-+ } else {
-+ if (debug != null) {
-+ debug.println("Unrecognized private key type.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ } else if (keyClass == CKO_SECRET_KEY) {
-+ if (debug != null) {
-+ debug.println("Importing a secret key...");
-+ }
-+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
-+ }
-+ if (keyBytes == null || keyBytes.length == 0) {
-+ if (debug != null) {
-+ debug.println("Private or secret key plain bytes could" +
-+ " not be obtained. Import failed.");
-+ }
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
-+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
-+ null);
-+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
-+ attrsMap.values().toArray(attributes);
-+ encKeyBytes = importerCipher.doFinal(keyBytes);
-+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
-+ keyClass, keyType, attributes);
-+ keyID = token.p11.C_UnwrapKey(hSession,
-+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
-+ if (debug != null) {
-+ debug.println("Imported key ID: " + keyID);
-+ }
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ } finally {
-+ importerKey.releaseKeyID();
-+ }
-+ return Long.valueOf(keyID);
-+ }
-+
-+ private static void createImporterKey(Token token) {
-+ if (debug != null) {
-+ debug.println("Generating Importer Key...");
-+ }
-+ byte[] iv = new byte[16];
-+ JCAUtil.getSecureRandom().nextBytes(iv);
-+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
-+ try {
-+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
-+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
-+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
-+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
-+ Session s = null;
-+ try {
-+ s = token.getObjSession();
-+ long keyID = token.p11.C_GenerateKey(
-+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
-+ attributes);
-+ if (debug != null) {
-+ debug.println("Importer Key ID: " + keyID);
-+ }
-+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
-+ 256 >> 3, null);
-+ } catch (PKCS11Exception e) {
-+ // best effort
-+ } finally {
-+ token.releaseSession(s);
-+ }
-+ if (importerKey != null) {
-+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-+ }
-+ } catch (Throwable t) {
-+ // best effort
-+ importerKey = null;
-+ importerCipher = null;
-+ // importerKeyMechanism value is kept initialized to indicate that
-+ // Importer Key creation has been tried and failed.
-+ }
-+ }
-+}
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 5d3963ea893..42c72b393fd 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -26,6 +26,9 @@
- package sun.security.pkcs11;
-
- import java.io.*;
-+import java.lang.invoke.MethodHandle;
-+import java.lang.invoke.MethodHandles;
-+import java.lang.invoke.MethodType;
- import java.util.*;
-
- import java.security.*;
-@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
- private static final boolean systemFipsEnabled = SharedSecrets
- .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-
-+ private static final boolean plainKeySupportEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
-+
-+ private static final MethodHandle fipsImportKey;
-+ static {
-+ MethodHandle fipsImportKeyTmp = null;
-+ if (plainKeySupportEnabled) {
-+ try {
-+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
-+ FIPSKeyImporter.class, "importKey",
-+ MethodType.methodType(Long.class, SunPKCS11.class,
-+ long.class, CK_ATTRIBUTE[].class));
-+ } catch (Throwable t) {
-+ throw new SecurityException("FIPS key importer initialization" +
-+ " failed", t);
-+ }
-+ }
-+ fipsImportKey = fipsImportKeyTmp;
-+ }
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
- // request multithreaded access first
- initArgs.flags = CKF_OS_LOCKING_OK;
- PKCS11 tmpPKCS11;
-+ MethodHandle fipsKeyImporter = null;
-+ if (plainKeySupportEnabled) {
-+ fipsKeyImporter = MethodHandles.insertArguments(
-+ fipsImportKey, 0, this);
-+ }
- try {
- tmpPKCS11 = PKCS11.getInstance(
- library, functionList, initArgs,
-- config.getOmitInitialize());
-+ config.getOmitInitialize(), fipsKeyImporter);
- } catch (PKCS11Exception e) {
- if (debug != null) {
- debug.println("Multi-threaded initialization failed: " + e);
-@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
- initArgs.flags = 0;
- }
- tmpPKCS11 = PKCS11.getInstance(library,
-- functionList, initArgs, config.getOmitInitialize());
-+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
- }
- p11 = tmpPKCS11;
-
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 5c0aacd1a67..4d80145cb91 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
-
- import java.io.File;
- import java.io.IOException;
-+import java.lang.invoke.MethodHandle;
- import java.util.*;
-
- import java.security.AccessController;
-@@ -152,16 +153,28 @@ public class PKCS11 {
-
- public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
- String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-- boolean omitInitialize) throws IOException, PKCS11Exception {
-+ boolean omitInitialize, MethodHandle fipsKeyImporter)
-+ throws IOException, PKCS11Exception {
- // we may only call C_Initialize once per native .so/.dll
- // so keep a cache using the (non-canonicalized!) path
- PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
- if (pkcs11 == null) {
-+ boolean nssFipsMode = fipsKeyImporter != null;
- if ((pInitArgs != null)
- && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
-- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
-+ fipsKeyImporter);
-+ } else {
-+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
-+ }
- } else {
-- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ if (nssFipsMode) {
-+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
-+ functionList, fipsKeyImporter);
-+ } else {
-+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
-+ }
- }
- if (omitInitialize == false) {
- try {
-@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
- super.C_GenerateRandom(hSession, randomData);
- }
- }
-+
-+// PKCS11 subclass that allows using plain private or secret keys in
-+// FIPS-configured NSS Software Tokens. Only used when System FIPS
-+// is enabled.
-+static class FIPSPKCS11 extends PKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // Creating sensitive key objects from plain key material in a
-+ // FIPS-configured NSS Software Token is not allowed. We apply
-+ // a key-unwrapping scheme to achieve so.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+// FIPSPKCS11 synchronized counterpart.
-+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
-+ private MethodHandle fipsKeyImporter;
-+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
-+ MethodHandle fipsKeyImporter) throws IOException {
-+ super(pkcs11ModulePath, functionListName);
-+ this.fipsKeyImporter = fipsKeyImporter;
-+ }
-+
-+ public synchronized long C_CreateObject(long hSession,
-+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+ // See FIPSPKCS11::C_CreateObject.
-+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
-+ try {
-+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
-+ .longValue();
-+ } catch (Throwable t) {
-+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
-+ }
-+ }
-+ return super.C_CreateObject(hSession, pTemplate);
-+ }
-+}
-+
-+private static class FIPSPKCS11Helper {
-+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
-+ for (CK_ATTRIBUTE attr : pTemplate) {
-+ if (attr.type == CKA_CLASS &&
-+ (attr.getLong() == CKO_PRIVATE_KEY ||
-+ attr.getLong() == CKO_SECRET_KEY)) {
-+ return true;
-+ }
-+ }
-+ return false;
-+ }
-+}
- }
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
-index e2d6d371bec..dc5e7eefdd3 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
-@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
- return "0x" + Functions.toFullHexString((int)errorCode);
- }
-
-+ /**
-+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
-+ * no extra info for the error message.
-+ */
-+ public PKCS11Exception(long errorCode) {
-+ this(errorCode, null);
-+ }
-+
- /**
- * Constructor taking the error code (the CKR_* constants in PKCS#11) and
- * extra info for error message.
diff --git a/rh1995150-disable_non-fips_crypto.patch b/rh1995150-disable_non-fips_crypto.patch
deleted file mode 100644
index de06552..0000000
--- a/rh1995150-disable_non-fips_crypto.patch
+++ /dev/null
@@ -1,591 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 63bb580eb3a..238735c0c8c 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -152,6 +152,7 @@ module java.base {
- java.naming,
- java.rmi,
- jdk.charsets,
-+ jdk.crypto.ec,
- jdk.jartool,
- jdk.jlink,
- jdk.net,
-diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
-index 912cad59714..7cb5ebcde51 100644
---- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
-+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
-@@ -30,6 +30,7 @@ import java.net.*;
- import java.util.*;
- import java.security.*;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.util.StaticProperty;
- import sun.security.action.GetPropertyAction;
- import sun.security.util.SecurityProviderConstants;
-@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
-
- public final class SunEntries {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- // the default algo used by SecureRandom class for new SecureRandom() calls
- public static final String DEF_SECURE_RANDOM_ALGO;
-
-@@ -94,147 +99,149 @@ public final class SunEntries {
- // common attribute map
- HashMap<String, String> attrs = new HashMap<>(3);
-
-- /*
-- * SecureRandom engines
-- */
-- attrs.put("ThreadSafe", "true");
-- if (NativePRNG.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNG",
-- "sun.security.provider.NativePRNG", attrs);
-- }
-- if (NativePRNG.Blocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGBlocking",
-- "sun.security.provider.NativePRNG$Blocking", attrs);
-- }
-- if (NativePRNG.NonBlocking.isAvailable()) {
-- add(p, "SecureRandom", "NativePRNGNonBlocking",
-- "sun.security.provider.NativePRNG$NonBlocking", attrs);
-- }
-- attrs.put("ImplementedIn", "Software");
-- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-- add(p, "SecureRandom", "SHA1PRNG",
-- "sun.security.provider.SecureRandom", attrs);
--
-- /*
-- * Signature engines
-- */
-- attrs.clear();
-- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-- "|java.security.interfaces.DSAPrivateKey";
-- attrs.put("SupportedKeyClasses", dsaKeyClasses);
-- attrs.put("ImplementedIn", "Software");
--
-- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
--
-- addWithAlias(p, "Signature", "SHA1withDSA",
-- "sun.security.provider.DSA$SHA1withDSA", attrs);
-- addWithAlias(p, "Signature", "NONEwithDSA",
-- "sun.security.provider.DSA$RawDSA", attrs);
--
-- // for DSA signatures with 224/256-bit digests
-- attrs.put("KeySize", "2048");
--
-- addWithAlias(p, "Signature", "SHA224withDSA",
-- "sun.security.provider.DSA$SHA224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA256withDSA",
-- "sun.security.provider.DSA$SHA256withDSA", attrs);
--
-- addWithAlias(p, "Signature", "SHA3-224withDSA",
-- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-256withDSA",
-- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
--
-- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
--
-- addWithAlias(p, "Signature", "SHA384withDSA",
-- "sun.security.provider.DSA$SHA384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA512withDSA",
-- "sun.security.provider.DSA$SHA512withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-384withDSA",
-- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-- addWithAlias(p, "Signature", "SHA3-512withDSA",
-- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
--
-- attrs.remove("KeySize");
--
-- add(p, "Signature", "SHA1withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-- add(p, "Signature", "NONEwithDSAinP1363Format",
-- "sun.security.provider.DSA$RawDSAinP1363Format");
-- add(p, "Signature", "SHA224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-- add(p, "Signature", "SHA256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-- add(p, "Signature", "SHA384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-- add(p, "Signature", "SHA512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-- add(p, "Signature", "SHA3-224withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-- add(p, "Signature", "SHA3-256withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-- add(p, "Signature", "SHA3-384withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-- add(p, "Signature", "SHA3-512withDSAinP1363Format",
-- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-- /*
-- * Key Pair Generator engines
-- */
-- attrs.clear();
-- attrs.put("ImplementedIn", "Software");
-- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-+ if (!systemFipsEnabled) {
-+ /*
-+ * SecureRandom engines
-+ */
-+ attrs.put("ThreadSafe", "true");
-+ if (NativePRNG.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNG",
-+ "sun.security.provider.NativePRNG", attrs);
-+ }
-+ if (NativePRNG.Blocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGBlocking",
-+ "sun.security.provider.NativePRNG$Blocking", attrs);
-+ }
-+ if (NativePRNG.NonBlocking.isAvailable()) {
-+ add(p, "SecureRandom", "NativePRNGNonBlocking",
-+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
-+ }
-+ attrs.put("ImplementedIn", "Software");
-+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
-+ add(p, "SecureRandom", "SHA1PRNG",
-+ "sun.security.provider.SecureRandom", attrs);
-
-- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-+ /*
-+ * Signature engines
-+ */
-+ attrs.clear();
-+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-+ "|java.security.interfaces.DSAPrivateKey";
-+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
-+ attrs.put("ImplementedIn", "Software");
-+
-+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-+
-+ addWithAlias(p, "Signature", "SHA1withDSA",
-+ "sun.security.provider.DSA$SHA1withDSA", attrs);
-+ addWithAlias(p, "Signature", "NONEwithDSA",
-+ "sun.security.provider.DSA$RawDSA", attrs);
-+
-+ // for DSA signatures with 224/256-bit digests
-+ attrs.put("KeySize", "2048");
-+
-+ addWithAlias(p, "Signature", "SHA224withDSA",
-+ "sun.security.provider.DSA$SHA224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA256withDSA",
-+ "sun.security.provider.DSA$SHA256withDSA", attrs);
-+
-+ addWithAlias(p, "Signature", "SHA3-224withDSA",
-+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-256withDSA",
-+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
-+
-+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
-+
-+ addWithAlias(p, "Signature", "SHA384withDSA",
-+ "sun.security.provider.DSA$SHA384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA512withDSA",
-+ "sun.security.provider.DSA$SHA512withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-384withDSA",
-+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
-+ addWithAlias(p, "Signature", "SHA3-512withDSA",
-+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-+
-+ attrs.remove("KeySize");
-+
-+ add(p, "Signature", "SHA1withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
-+ add(p, "Signature", "NONEwithDSAinP1363Format",
-+ "sun.security.provider.DSA$RawDSAinP1363Format");
-+ add(p, "Signature", "SHA224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
-+ add(p, "Signature", "SHA256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
-+ add(p, "Signature", "SHA384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
-+ add(p, "Signature", "SHA512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
-+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
-+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
-+ /*
-+ * Key Pair Generator engines
-+ */
-+ attrs.clear();
-+ attrs.put("ImplementedIn", "Software");
-+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
-
-- /*
-- * Algorithm Parameter Generator engines
-- */
-- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
-- "sun.security.provider.DSAParameterGenerator", attrs);
-- attrs.remove("KeySize");
-+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
-+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
-+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
-
-- /*
-- * Algorithm Parameter engines
-- */
-- addWithAlias(p, "AlgorithmParameters", "DSA",
-- "sun.security.provider.DSAParameters", attrs);
-+ /*
-+ * Algorithm Parameter Generator engines
-+ */
-+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
-+ "sun.security.provider.DSAParameterGenerator", attrs);
-+ attrs.remove("KeySize");
-
-- /*
-- * Key factories
-- */
-- addWithAlias(p, "KeyFactory", "DSA",
-- "sun.security.provider.DSAKeyFactory", attrs);
-+ /*
-+ * Algorithm Parameter engines
-+ */
-+ addWithAlias(p, "AlgorithmParameters", "DSA",
-+ "sun.security.provider.DSAParameters", attrs);
-
-- /*
-- * Digest engines
-- */
-- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-- attrs);
-+ /*
-+ * Key factories
-+ */
-+ addWithAlias(p, "KeyFactory", "DSA",
-+ "sun.security.provider.DSAKeyFactory", attrs);
-
-- addWithAlias(p, "MessageDigest", "SHA-224",
-- "sun.security.provider.SHA2$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-256",
-- "sun.security.provider.SHA2$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-384",
-- "sun.security.provider.SHA5$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512",
-- "sun.security.provider.SHA5$SHA512", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/224",
-- "sun.security.provider.SHA5$SHA512_224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA-512/256",
-- "sun.security.provider.SHA5$SHA512_256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-224",
-- "sun.security.provider.SHA3$SHA224", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-256",
-- "sun.security.provider.SHA3$SHA256", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-384",
-- "sun.security.provider.SHA3$SHA384", attrs);
-- addWithAlias(p, "MessageDigest", "SHA3-512",
-- "sun.security.provider.SHA3$SHA512", attrs);
-+ /*
-+ * Digest engines
-+ */
-+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
-+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
-+ attrs);
-+
-+ addWithAlias(p, "MessageDigest", "SHA-224",
-+ "sun.security.provider.SHA2$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-256",
-+ "sun.security.provider.SHA2$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-384",
-+ "sun.security.provider.SHA5$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512",
-+ "sun.security.provider.SHA5$SHA512", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/224",
-+ "sun.security.provider.SHA5$SHA512_224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA-512/256",
-+ "sun.security.provider.SHA5$SHA512_256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-224",
-+ "sun.security.provider.SHA3$SHA224", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-256",
-+ "sun.security.provider.SHA3$SHA256", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-384",
-+ "sun.security.provider.SHA3$SHA384", attrs);
-+ addWithAlias(p, "MessageDigest", "SHA3-512",
-+ "sun.security.provider.SHA3$SHA512", attrs);
-+ }
-
- /*
- * Certificates
-diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-index 8c9e4f9dbe6..883dc04758e 100644
---- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-@@ -38,6 +38,7 @@ import java.util.HashMap;
- import java.util.Iterator;
- import java.util.List;
-
-+import jdk.internal.access.SharedSecrets;
- import sun.security.ec.ed.EdDSAAlgorithmParameters;
- import sun.security.ec.ed.EdDSAKeyFactory;
- import sun.security.ec.ed.EdDSAKeyPairGenerator;
-@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
-
- private static final long serialVersionUID = -2279741672933606418L;
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- private static class ProviderServiceA extends ProviderService {
- ProviderServiceA(Provider p, String type, String algo, String cn,
- HashMap<String, String> attrs) {
-@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
-
- putXDHEntries();
- putEdDSAEntries();
--
-- /*
-- * Signature engines
-- */
-- putService(new ProviderService(this, "Signature",
-- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
-- null, ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
-- ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
-- ATTRS));
--
-- putService(new ProviderService(this, "Signature",
-- "NONEwithECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$RawinP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA1withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA224withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA256withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA384withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA512withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
--
-- putService(new ProviderService(this, "Signature",
-- "SHA3-224withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-256withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-384withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
-- putService(new ProviderService(this, "Signature",
-- "SHA3-512withECDSAinP1363Format",
-- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
--
-- /*
-- * Key Pair Generator engine
-- */
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "EC", "sun.security.ec.ECKeyPairGenerator",
-- List.of("EllipticCurve"), ATTRS));
--
-- /*
-- * Key Agreement engine
-- */
-- putService(new ProviderService(this, "KeyAgreement",
-- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
-+ if (!systemFipsEnabled) {
-+ /*
-+ * Signature engines
-+ */
-+ putService(new ProviderService(this, "Signature",
-+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
-+ null, ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "NONEwithECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$RawinP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA1withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA224withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA256withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA384withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA512withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-224withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-256withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-384withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
-+ putService(new ProviderService(this, "Signature",
-+ "SHA3-512withECDSAinP1363Format",
-+ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
-+
-+ /*
-+ * Key Pair Generator engine
-+ */
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "EC", "sun.security.ec.ECKeyPairGenerator",
-+ List.of("EllipticCurve"), ATTRS));
-+
-+ /*
-+ * Key Agreement engine
-+ */
-+ putService(new ProviderService(this, "KeyAgreement",
-+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
-+ }
- }
-
- private void putXDHEntries() {
-@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
- "X448", "sun.security.ec.XDHKeyFactory.X448",
- ATTRS));
-
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
-- ATTRS));
--
-- putService(new ProviderService(this, "KeyAgreement",
-- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyAgreement",
-- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyAgreement",
-- "X448", "sun.security.ec.XDHKeyAgreement.X448",
-- ATTRS));
-+ if (!systemFipsEnabled) {
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "KeyAgreement",
-+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyAgreement",
-+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyAgreement",
-+ "X448", "sun.security.ec.XDHKeyAgreement.X448",
-+ ATTRS));
-+ }
- }
-
- private void putEdDSAEntries() {
-@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
- putService(new ProviderServiceA(this, "KeyFactory",
- "Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
-
-- putService(new ProviderService(this, "KeyPairGenerator",
-- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
-- ATTRS));
-- putService(new ProviderServiceA(this, "KeyPairGenerator",
-- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
-- ATTRS));
--
-- putService(new ProviderService(this, "Signature",
-- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
-- putService(new ProviderServiceA(this, "Signature",
-- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
-+ if (!systemFipsEnabled) {
-+ putService(new ProviderService(this, "KeyPairGenerator",
-+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
-+ ATTRS));
-+ putService(new ProviderServiceA(this, "KeyPairGenerator",
-+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
-+ ATTRS));
-+
-+ putService(new ProviderService(this, "Signature",
-+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
-+ putService(new ProviderServiceA(this, "Signature",
-+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
-+ }
-
- }
- }
diff --git a/rh1996182-extend_security_policy.patch b/rh1996182-extend_security_policy.patch
deleted file mode 100644
index 7622622..0000000
--- a/rh1996182-extend_security_policy.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-commit bfd7c5dae9c15266799cb885b8c60199217b65b9
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Mon Aug 30 16:14:14 2021 +0100
-
- RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
-
-diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
-index 8356e56367b..23925f048be 100644
---- openjdk.orig/src/java.base/share/lib/security/default.policy
-+++ openjdk/src/java.base/share/lib/security/default.policy
-@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
- grant codeBase "jrt:/jdk.crypto.cryptoki" {
- permission java.lang.RuntimePermission
- "accessClassInPackage.com.sun.crypto.provider";
-+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
- permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
- permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
deleted file mode 100644
index 96a8204..0000000
--- a/rh1996182-login_to_nss_software_token.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
-Author: Martin Balao <mbalao(a)redhat.com>
-Date: Sat Aug 28 00:35:44 2021 +0100
-
- RH1996182: Login to the NSS Software Token in FIPS Mode
-
-diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
-index 238735c0c8c..dbbf11bbb22 100644
---- openjdk.orig/src/java.base/share/classes/module-info.java
-+++ openjdk/src/java.base/share/classes/module-info.java
-@@ -152,6 +152,7 @@ module java.base {
- java.naming,
- java.rmi,
- jdk.charsets,
-+ jdk.crypto.cryptoki,
- jdk.crypto.ec,
- jdk.jartool,
- jdk.jlink,
-diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-index 112b639aa96..5d3963ea893 100644
---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
-@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
-
- import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
-
-+import jdk.internal.access.SharedSecrets;
- import jdk.internal.misc.InnocuousThread;
- import sun.security.util.Debug;
- import sun.security.util.ResourcesMgr;
-@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
- */
- public final class SunPKCS11 extends AuthProvider {
-
-+ private static final boolean systemFipsEnabled = SharedSecrets
-+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
-+
- private static final long serialVersionUID = -1354835039035306505L;
-
- static final Debug debug = Debug.getInstance("sunpkcs11");
-@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
- if (nssModule != null) {
- nssModule.setProvider(this);
- }
-+ if (systemFipsEnabled) {
-+ // The NSS Software Token in FIPS 140-2 mode requires a user
-+ // login for most operations. See sftk_fipsCheck. The NSS DB
-+ // (/etc/pki/nssdb) PIN is empty.
-+ Session session = null;
-+ try {
-+ session = token.getOpSession();
-+ p11.C_Login(session.id(), CKU_USER, new char[] {});
-+ } catch (PKCS11Exception p11e) {
-+ if (debug != null) {
-+ debug.println("Error during token login: " +
-+ p11e.getMessage());
-+ }
-+ throw p11e;
-+ } finally {
-+ token.releaseSession(session);
-+ }
-+ }
- } catch (Exception e) {
- if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
- throw new UnsupportedOperationException
diff --git a/rh2021263-fips_ensure_security_initialised.patch b/rh2021263-fips_ensure_security_initialised.patch
deleted file mode 100644
index 8dc0122..0000000
--- a/rh2021263-fips_ensure_security_initialised.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Mon Jan 10 20:19:40 2022 +0000
-
- RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
-
-diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-index 5a2c9eb0c46..a1ee182d913 100644
---- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
-@@ -39,6 +39,7 @@ import java.io.FilePermission;
- import java.io.ObjectInputStream;
- import java.io.RandomAccessFile;
- import java.security.ProtectionDomain;
-+import java.security.Security;
- import java.security.Signature;
-
- /** A repository of "shared secrets", which are a mechanism for
-@@ -449,6 +450,9 @@ public class SharedSecrets {
- }
-
- public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
-+ if (javaSecuritySystemConfiguratorAccess == null) {
-+ ensureClassInitialized(Security.class);
-+ }
- return javaSecuritySystemConfiguratorAccess;
- }
- }
diff --git a/rh2021263-fips_missing_native_returns.patch b/rh2021263-fips_missing_native_returns.patch
deleted file mode 100644
index 5a056ce..0000000
--- a/rh2021263-fips_missing_native_returns.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
-Author: Fridrich Strba <fstrba(a)suse.com>
-Date: Mon Jan 10 19:32:01 2022 +0000
-
- RH2021263: Return in C code after having generated Java exception
-
-diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-index 38919d6bb0f..caf678a7dd6 100644
---- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
-+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
-@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
- throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
- throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
-+ return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
diff --git a/rh2021263-fips_separate_policy_and_fips_init.patch b/rh2021263-fips_separate_policy_and_fips_init.patch
deleted file mode 100644
index b5351a8..0000000
--- a/rh2021263-fips_separate_policy_and_fips_init.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
-Author: Andrew Hughes <gnu.andrew(a)redhat.com>
-Date: Tue Jan 18 02:09:27 2022 +0000
-
- RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
-
-diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
-index 28ab1846173..f9726741afd 100644
---- openjdk.orig/src/java.base/share/classes/java/security/Security.java
-+++ openjdk/src/java.base/share/classes/java/security/Security.java
-@@ -61,10 +61,6 @@ public final class Security {
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-- /* System property file*/
-- private static final String SYSTEM_PROPERTIES =
-- "/etc/crypto-policies/back-ends/java.config";
--
- /* The java.security properties */
- private static Properties props;
-
-@@ -206,22 +202,36 @@ public final class Security {
- }
- }
-
-+ if (!loadedProps) {
-+ initializeStatic();
-+ if (sdebug != null) {
-+ sdebug.println("unable to load security properties " +
-+ "-- using defaults");
-+ }
-+ }
-+
- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
- "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
-- if (SystemConfigurator.configure(props)) {
-- loadedProps = true;
-+ if (!SystemConfigurator.configureSysProps(props)) {
-+ if (sdebug != null) {
-+ sdebug.println("WARNING: System properties could not be loaded.");
-+ }
- }
- }
-
-- if (!loadedProps) {
-- initializeStatic();
-+ // FIPS support depends on the contents of java.security so
-+ // ensure it has loaded first
-+ if (loadedProps) {
-+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
- if (sdebug != null) {
-- sdebug.println("unable to load security properties " +
-- "-- using defaults");
-+ if (fipsEnabled) {
-+ sdebug.println("FIPS support enabled.");
-+ } else {
-+ sdebug.println("FIPS support disabled.");
-+ }
- }
- }
--
- }
-
- /*
-diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-index 874c6221ebe..b7ed41acf0f 100644
---- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
-+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
-@@ -76,7 +76,7 @@ final class SystemConfigurator {
- * java.security.disableSystemPropertiesFile property is not set and
- * security.useSystemPropertiesFile is true.
- */
-- static boolean configure(Properties props) {
-+ static boolean configureSysProps(Properties props) {
- boolean loadedProps = false;
-
- try (BufferedInputStream bis =
-@@ -96,11 +96,19 @@ final class SystemConfigurator {
- e.printStackTrace();
- }
- }
-+ return loadedProps;
-+ }
-+
-+ /*
-+ * Invoked at the end of java.security.Security initialisation
-+ * if java.security properties have been loaded
-+ */
-+ static boolean configureFIPS(Properties props) {
-+ boolean loadedProps = false;
-
- try {
- if (enableFips()) {
- if (sdebug != null) { sdebug.println("FIPS mode detected"); }
-- loadedProps = false;
- // Remove all security providers
- Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
- while (i.hasNext()) {
diff --git a/rh2052070-enable_algorithmparameters_in_fips_mode.patch b/rh2052070-enable_algorithmparameters_in_fips_mode.patch
deleted file mode 100644
index 7488ea5..0000000
--- a/rh2052070-enable_algorithmparameters_in_fips_mode.patch
+++ /dev/null
@@ -1,1182 +0,0 @@
-commit 6e74f283739af0d867df01d20f82865f559a45ea
-Author: Martin Balao <mbalao(a)redhat.com>
-Date: Mon Feb 28 04:58:05 2022 +0000
-
- RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-
-diff --git openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-index a020e1c15d8..6d459fdec01 100644
---- openjdk.orig/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-+++ openjdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
-@@ -31,6 +31,7 @@ import java.security.SecureRandom;
- import java.security.PrivilegedAction;
- import java.util.HashMap;
- import java.util.List;
-+import jdk.internal.access.SharedSecrets;
- import static sun.security.util.SecurityConstants.PROVIDER_VER;
- import static sun.security.util.SecurityProviderConstants.*;
-
-@@ -78,6 +79,10 @@ import static sun.security.util.SecurityProviderConstants.*;
-
- public final class SunJCE extends Provider {
-
-+ private static final boolean systemFipsEnabled =
-+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
-+ .isSystemFipsEnabled();
-+
- @java.io.Serial
- private static final long serialVersionUID = 6812507587804302833L;
-
-@@ -143,285 +148,287 @@ public final class SunJCE extends Provider {
- void putEntries() {
- // reuse attribute map and reset before each reuse
- HashMap<String, String> attrs = new HashMap<>(3);
-- attrs.put("SupportedModes", "ECB");
-- attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
-- + "|OAEPWITHMD5ANDMGF1PADDING"
-- + "|OAEPWITHSHA1ANDMGF1PADDING"
-- + "|OAEPWITHSHA-1ANDMGF1PADDING"
-- + "|OAEPWITHSHA-224ANDMGF1PADDING"
-- + "|OAEPWITHSHA-256ANDMGF1PADDING"
-- + "|OAEPWITHSHA-384ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
-- + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-- attrs.put("SupportedKeyClasses",
-- "java.security.interfaces.RSAPublicKey" +
-- "|java.security.interfaces.RSAPrivateKey");
-- ps("Cipher", "RSA",
-- "com.sun.crypto.provider.RSACipher", null, attrs);
--
-- // common block cipher modes, pads
-- final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
-- "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
-- "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
-- final String BLOCK_MODES128 = BLOCK_MODES +
-- "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
-- "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
-- final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
--
-- attrs.clear();
-- attrs.put("SupportedModes", BLOCK_MODES);
-- attrs.put("SupportedPaddings", BLOCK_PADS);
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "DES",
-- "com.sun.crypto.provider.DESCipher", null, attrs);
-- psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
-- attrs);
-- ps("Cipher", "Blowfish",
-- "com.sun.crypto.provider.BlowfishCipher", null, attrs);
--
-- ps("Cipher", "RC2",
-- "com.sun.crypto.provider.RC2Cipher", null, attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", BLOCK_MODES128);
-- attrs.put("SupportedPaddings", BLOCK_PADS);
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "AES",
-- "com.sun.crypto.provider.AESCipher$General", attrs);
--
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "AES/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_128/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_128/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_128/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_128/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_192/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_192/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_192/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_192/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES192_KWP_NoPadding",
-- attrs);
--
-- psA("Cipher", "AES_256/ECB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/CBC/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/OFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/CFB/NoPadding",
-- "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding",
-- attrs);
-- psA("Cipher", "AES_256/KW/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_NoPadding",
-- attrs);
-- ps("Cipher", "AES_256/KW/PKCS5Padding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KW_PKCS5Padding",
-- null, attrs);
-- psA("Cipher", "AES_256/KWP/NoPadding",
-- "com.sun.crypto.provider.KeyWrapCipher$AES256_KWP_NoPadding",
-- attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "GCM");
-- attrs.put("SupportedKeyFormats", "RAW");
--
-- ps("Cipher", "AES/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AESGCM", null,
-- attrs);
-- psA("Cipher", "AES_128/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES128",
-- attrs);
-- psA("Cipher", "AES_192/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES192",
-- attrs);
-- psA("Cipher", "AES_256/GCM/NoPadding",
-- "com.sun.crypto.provider.GaloisCounterMode$AES256",
-- attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "CBC");
-- attrs.put("SupportedPaddings", "NOPADDING");
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "DESedeWrap",
-- "com.sun.crypto.provider.DESedeWrapCipher", null, attrs);
--
-- attrs.clear();
-- attrs.put("SupportedModes", "ECB");
-- attrs.put("SupportedPaddings", "NOPADDING");
-- attrs.put("SupportedKeyFormats", "RAW");
-- psA("Cipher", "ARCFOUR",
-- "com.sun.crypto.provider.ARCFOURCipher", attrs);
--
-- attrs.clear();
-- attrs.put("SupportedKeyFormats", "RAW");
-- ps("Cipher", "ChaCha20",
-- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Only",
-- null, attrs);
-- psA("Cipher", "ChaCha20-Poly1305",
-- "com.sun.crypto.provider.ChaCha20Cipher$ChaCha20Poly1305",
-- attrs);
--
-- // PBES1
-- psA("Cipher", "PBEWithMD5AndDES",
-- "com.sun.crypto.provider.PBEWithMD5AndDESCipher",
-- null);
-- ps("Cipher", "PBEWithMD5AndTripleDES",
-- "com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher");
-- psA("Cipher", "PBEWithSHA1AndDESede",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC2_40",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC2_128",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128",
-- null);
-- psA("Cipher", "PBEWithSHA1AndRC4_40",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40",
-- null);
--
-- psA("Cipher", "PBEWithSHA1AndRC4_128",
-- "com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128",
-- null);
--
-- // PBES2
-- ps("Cipher", "PBEWithHmacSHA1AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA224AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA256AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA384AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA512AndAES_128",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_128");
--
-- ps("Cipher", "PBEWithHmacSHA1AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA1AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA224AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA224AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA256AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA256AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA384AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA384AndAES_256");
--
-- ps("Cipher", "PBEWithHmacSHA512AndAES_256",
-- "com.sun.crypto.provider.PBES2Core$HmacSHA512AndAES_256");
--
-- /*
-- * Key(pair) Generator engines
-- */
-- ps("KeyGenerator", "DES",
-- "com.sun.crypto.provider.DESKeyGenerator");
-- psA("KeyGenerator", "DESede",
-- "com.sun.crypto.provider.DESedeKeyGenerator",
-- null);
-- ps("KeyGenerator", "Blowfish",
-- "com.sun.crypto.provider.BlowfishKeyGenerator");
-- psA("KeyGenerator", "AES",
-- "com.sun.crypto.provider.AESKeyGenerator",
-- null);
-- ps("KeyGenerator", "RC2",
-- "com.sun.crypto.provider.KeyGeneratorCore$RC2KeyGenerator");
-- psA("KeyGenerator", "ARCFOUR",
-- "com.sun.crypto.provider.KeyGeneratorCore$ARCFOURKeyGenerator",
-- null);
-- ps("KeyGenerator", "ChaCha20",
-- "com.sun.crypto.provider.KeyGeneratorCore$ChaCha20KeyGenerator");
-- ps("KeyGenerator", "HmacMD5",
-- "com.sun.crypto.provider.HmacMD5KeyGenerator");
--
-- psA("KeyGenerator", "HmacSHA1",
-- "com.sun.crypto.provider.HmacSHA1KeyGenerator", null);
-- psA("KeyGenerator", "HmacSHA224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA224",
-- null);
-- psA("KeyGenerator", "HmacSHA256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA256",
-- null);
-- psA("KeyGenerator", "HmacSHA384",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA384",
-- null);
-- psA("KeyGenerator", "HmacSHA512",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512",
-- null);
-- psA("KeyGenerator", "HmacSHA512/224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_224",
-- null);
-- psA("KeyGenerator", "HmacSHA512/256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA512_256",
-- null);
--
-- psA("KeyGenerator", "HmacSHA3-224",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_224",
-- null);
-- psA("KeyGenerator", "HmacSHA3-256",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_256",
-- null);
-- psA("KeyGenerator", "HmacSHA3-384",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_384",
-- null);
-- psA("KeyGenerator", "HmacSHA3-512",
-- "com.sun.crypto.provider.KeyGeneratorCore$HmacKG$SHA3_512",
-- null);
--
-- psA("KeyPairGenerator", "DiffieHellman",
-- "com.sun.crypto.provider.DHKeyPairGenerator",
-- null);
-+ if (!systemFipsEnabled) {
-+ attrs.put("SupportedModes", "ECB");
-+ attrs.put("SupportedPaddings", "NOPADDING|PKCS1PADDING|OAEPPADDING"
-+ + "|OAEPWITHMD5ANDMGF1PADDING"
-+ + "|OAEPWITHSHA1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-1ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-256ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-384ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
-+ + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
-+ attrs.put("SupportedKeyClasses",
-+ "java.security.interfaces.RSAPublicKey" +
-+ "|java.security.interfaces.RSAPrivateKey");
-+ ps("Cipher", "RSA",
-+ "com.sun.crypto.provider.RSACipher", null, attrs);
-+
-+ // common block cipher modes, pads
-+ final String BLOCK_MODES = "ECB|CBC|PCBC|CTR|CTS|CFB|OFB" +
-+ "|CFB8|CFB16|CFB24|CFB32|CFB40|CFB48|CFB56|CFB64" +
-+ "|OFB8|OFB16|OFB24|OFB32|OFB40|OFB48|OFB56|OFB64";
-+ final String BLOCK_MODES128 = BLOCK_MODES +
-+ "|CFB72|CFB80|CFB88|CFB96|CFB104|CFB112|CFB120|CFB128" +
-+ "|OFB72|OFB80|OFB88|OFB96|OFB104|OFB112|OFB120|OFB128";
-+ final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ ps("Cipher", "DES",
-+ "com.sun.crypto.provider.DESCipher", null, attrs);
-+ psA("Cipher", "DESede", "com.sun.crypto.provider.DESedeCipher",
-+ attrs);
-+ ps("Cipher", "Blowfish",
-+ "com.sun.crypto.provider.BlowfishCipher", null, attrs);
-+
-+ ps("Cipher", "RC2",
-+ "com.sun.crypto.provider.RC2Cipher", null, attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedModes", BLOCK_MODES128);
-+ attrs.put("SupportedPaddings", BLOCK_PADS);
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES",
-+ "com.sun.crypto.provider.AESCipher$General", attrs);
-+
-+ attrs.clear();
-+ attrs.put("SupportedKeyFormats", "RAW");
-+ psA("Cipher", "AES/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_128/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/CBC/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/OFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/CFB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding",
-+ attrs);
-+ psA("Cipher", "AES_128/KW/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_NoPadding",
-+ attrs);
-+ ps("Cipher", "AES_128/KW/PKCS5Padding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KW_PKCS5Padding",
-+ null, attrs);
-+ psA("Cipher", "AES_128/KWP/NoPadding",
-+ "com.sun.crypto.provider.KeyWrapCipher$AES128_KWP_NoPadding",
-+ attrs);
-+
-+ psA("Cipher", "AES_192/ECB/NoPadding",
-+ "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding",
-+