The package rpms/java-11-openjdk-portable.git has added or updated architecture specific content in its spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s): https://src.fedoraproject.org/cgit/rpms/java-11-openjdk-portable.git/commit/....
Change: +%ifarch %{gdb_arches}
Thanks.
Full change:
============

commit dd97e2b708b53c8ad9011ad0172daeddc37f6066
Author: Jiri Vanek <jvanek@redhat.com>
Date: Wed Nov 29 18:06:03 2023 +0100
Fixed doc and misc name macro
diff --git a/java-11-openjdk-portable.spec b/java-11-openjdk-portable.spec index 986cd5f..88ec160 100644 --- a/java-11-openjdk-portable.spec +++ b/java-11-openjdk-portable.spec @@ -469,12 +469,11 @@ # Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on # top of the JDK archive %define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} -%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\(_[0-9]\)*;portable.docs;g") +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;%{version}-%{release};\0.portable.docs;g" | sed "s;openjdkportable;el;g") %define docportablearchive() %{docportablename}.tar.xz -%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\(_[0-9]\)*;portable.misc;g") +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;%{version}-%{release};\0.portable.misc;g" | sed "s;openjdkportable;el;g") %define miscportablearchive() %{miscportablename}.tar.xz
- # RPM 4.19 no longer accept our double percentaged %%{nil} passed to %%{1} # so we have to pass in "" but evaluate it, otherwise files record will include it %define jreportablearchiveForFiles() %(echo %{jreportablearchive -- ""}) @@ -1299,8 +1298,6 @@ function packagejdk() { mkdir -p ${packagesdir} pushd ${imagesdir}
- echo "Packaging build from ${imagesdir} to ${packagesdir}..." - if [ "x$suffix" = "x" ] ; then nameSuffix="" else
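Review bot: In the new docportablename and miscportablename definitions, %{version}-%{release} is expanded straight into the sed pattern, so every dot in the version or release acts as a regex wildcard rather than a literal, and the \0 in the replacement is not defined by POSIX sed (& is the portable way to refer to the whole match). Both macros also repeat the same two-stage pipeline, and the second stage, s;openjdkportable;el;g, rewrites every occurrence of that string in the name. Consider one helper macro that takes the docs/misc suffix as its argument, a single sed invocation with two -e expressions, and dropping the g flag on the second substitution if only one occurrence is expected.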
commit 138da70acb492bff9e4f0777f4216c3f93b0603f
Author: Jiri <jvanek@redhat.com>
Date: Wed Nov 29 11:08:00 2023 +0100
Updated to OpenJDK 11.0.21+9 (GA)
- adjusted generate_source_tarball
- removed icedtea_sync
- dropped standalone licenses
- added unstripped subpkg
- added docs subpkg
- adjusted versions of bundled libraries
- build refactored to several solid methods following gnu_andrew
- Drop local backport of JDK-8243210 which is upstream from 11.0.21+2
- Bump freetype version to 2.13.0 following JDK-8306881
- fixed '--without release' build-ability by moving docs and misc to if-release only
diff --git a/.gitignore b/.gitignore index 0a19a08..1aa9a04 100644 --- a/.gitignore +++ b/.gitignore @@ -114,3 +114,4 @@ /openjdk-jdk11u-jdk-11.0.19+7-4curve.tar.xz /openjdk-jdk11u-jdk-11.0.19+7.tar.xz /openjdk-jdk11u-jdk-11.0.20+8.tar.xz +/openjdk-jdk11u-jdk-11.0.21+9.tar.xz diff --git a/NEWS b/NEWS index 04b170f..b99b7c6 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,308 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 11.0.21 (2023-10-17): +============================================ +Live versions of these release notes can be found at: + * https://bit.ly/openjdk11021 + +* CVEs + - CVE-2023-22081 +* Security fixes + - JDK-8286503, JDK-8312367: Enhance security classes + - JDK-8296581: Better system proxy support + - JDK-8297856: Improve handling of Bidi characters + - JDK-8305815, JDK-8307278: Update Libpng to 1.6.39 + - JDK-8306881, JDK-8307286: Update FreeType to 2.13.0 + - JDK-8309966: Enhanced TLS connections +* Other changes + - JDK-6176679: Application freezes when copying an animated gif image to the system clipboard + - JDK-8023980: JCE doesn't provide any class to handle RSA private key in PKCS#1 + - JDK-8155246: Throw error if default java.security file is missing + - JDK-8158880: test/java/time/tck/java/time/format/TCKDateTimeFormatterBuilder.java fail with zh_CN locale + - JDK-8168261: Use server cipher suites preference by default + - JDK-8181383: com/sun/jdi/OptionTest.java fails intermittently with bind failed: Address already in use + - JDK-8201516: DebugNonSafepoints generates incorrect information + - JDK-8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE" + - JDK-8211343: nsk_jvmti_parseoptions should handle multiple suboptions + - JDK-8212045: Add back the tests that were removed from HashesTest.java and AddExportsTest.java + - JDK-8216059: nsk_jvmti_parseoptions still has dependency on tilde separator + - JDK-8217237: HttpClient does not deal well with multi-valued WWW-Authenticate challenge headers + - JDK-8217395: Update langtools shell tests to use ${EXE_SUFFIX} + - JDK-8217612: (CL)HSDB cannot show some JVM flags + - JDK-8217850: CompressedClassSpaceSizeInJmapHeap fails after JDK-8217612 + - JDK-8218471: generate-unsafe-access-tests.sh does not correctly invoke build.tools.spp.Spp + - JDK-8219628: [TESTBUG] javadoc/doclet/InheritDocForUserTags fails with -othervm + - 
JDK-8220410: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed with missing expected output + - JDK-8221372: Test vmTestbase/nsk/jvmti/GetThreadState/thrstat001/TestDescription.java times out + - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop" + - JDK-8223573: Replace wildcard address with loopback or local host in tests - part 4 + - JDK-8223714: HTTPSetAuthenticatorTest could be made more resilient + - JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java sometimes detect threads+1 connections + - JDK-8223856: Replace wildcard address with loopback or local host in tests - part 8 + - JDK-8224617: (fs) java/nio/file/FileStore/Basic.java found filesystem twice + - JDK-8224729: Cleanups in sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java + - JDK-8224768: Test ActalisCA.java fails + - JDK-8225012: sanity/client/SwingSet/src/ToolTipDemoTest.java fails on Windows + - JDK-8226221: Update PKCS11 tests to use NSS 3.46 libs + - JDK-8228341: SignTwice.java fails intermittently on Windows + - JDK-8228403: SignTwice.java failed with java.io.FileNotFoundException: File name too long + - JDK-8229147: Linux os::create_thread() overcounts guardpage size with newer glibc (>=2.27) + - JDK-8229333: java/io/File/SetLastModified.java timed out + - JDK-8229338: clean up test/jdk/java/util/RandomAccess/Basic.java + - JDK-8229348: java/net/DatagramSocket/UnreferencedDatagramSockets.java fails intermittently + - JDK-8229481: sun/net/www/protocol/https/ChunkedOutputStream.java failed with a SSLException + - JDK-8229912: [TESTBUG] java/net/Socks/SocksIPv6Test fails without IPv6 + - JDK-8230132: java/net/NetworkInterface/NetworkInterfaceRetrievalTests.java to skip Teredo Tunneling Pseudo-Interface + - JDK-8231037: java/net/InetAddress/ptr/Lookup.java fails intermittently due to reverse lookup failed + - JDK-8231357: sun/security/pkcs11/Cipher/TestKATForGCM.java fails on SLES11 using mozilla-nss-3.14 + - 
JDK-8231516: network QuickAckTest.java failed due to "SocketException: maximum number of DatagramSockets reached" + - JDK-8232101: (sctp) Add minimal sanity tests for SCTP + - JDK-8232195: Enable BigInteger tests: DivisionOverflow, SymmetricRangeTests and StringConstructorOverflow + - JDK-8232840: java/math/BigInteger/largeMemory/SymmetricRangeTests.java fails due to "OutOfMemoryError: Requested array size exceeds VM limit" + - JDK-8232922: Add java/math/BigInteger/largeMemory/SymmetricRangeTests.java to ProblemList-Xcomp + - JDK-8234808: jdb quoted option parsing broken + - JDK-8236045: [TESTBUG] MismatchedWhiteBox test fails with missing WhiteBox$WhiteBoxPermission.class + - JDK-8237183: Bug ID missing for test in patch which fixed JDK-8230665 + - JDK-8238157: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java test failures because of revocation date + - JDK-8239007: java/math/BigInteger/largeMemory/ tests should be disabled on 32-bit platforms + - JDK-8239264: Clearup the legacy ObjectIdentifier constructor from int array + - JDK-8239333: Mark test AmazonCA.java with intermittent key + - JDK-8239537: cgroup MetricsTester testMemorySubsystem fails sometimes when testing memory.kmem.tcp.usage_in_bytes + - JDK-8240193: loadLibrary("osxsecurity") should not be removed + - JDK-8241097: java/math/BigInteger/largeMemory/SymmetricRangeTests.java requires -XX:+CompactStrings + - JDK-8242151: Improve OID mapping and reuse among JDK security providers for aliases registration + - JDK-8242330: Arrays should be cloned in several JAAS Callback classes + - JDK-8242897: KeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException + - JDK-8243210: ClhsdbScanOops fails with NullPointerException in FileMapHeader.inCopiedVtableSpace + - JDK-8244078: ProcessTools executeTestJvm and createJavaProcessBuilder have inconsistent handling of test.*.opts + - JDK-8247895: SHA1PRNGReseed.java is calling setSeed(0) + - JDK-8247968: 
test/jdk/javax/crypto/SecretKeyFactory/security.properties has wrong header + - JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken + - JDK-8249699: java/io/ByteArrayOutputStream/MaxCapacity.java should use @requires instead of @ignore + - JDK-8251517: [TESTBUG] com/sun/net/httpserver/bugs/B6393710.java does not scale socket timeout + - JDK-8252530: Fix inconsistencies in hotspot whitebox + - JDK-8254350: CompletableFuture.get may swallow InterruptedException + - JDK-8255348: NPE in PKIXCertPathValidator event logging code + - JDK-8257993: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine/TestDescription.java crash intermittently + - JDK-8259796: timed CompletableFuture.get may swallow InterruptedException + - JDK-8260274: Cipher.init(int, key) does not use highest priority provider for random bytes + - JDK-8260878: com/sun/jdi/JdbOptions.java fails without jfr + - JDK-8260934: java/lang/StringBuilder/HugeCapacity.java fails without Compact Strings + - JDK-8263970: Manual test javax/swing/JTextField/JapaneseReadingAttributes/JapaneseReadingAttributes.java failed + - JDK-8265980: Fix systemDictionary and loaderConstraints printing + - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML + - JDK-8268464: Remove dependancy of TestHttpsServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/https/ tests + - JDK-8269091: javax/sound/sampled/Clip/SetPositionHang.java failed with ArrayIndexOutOfBoundsException: Array index out of range: -4 + - JDK-8270331: [TESTBUG] Error: Not a test or directory containing tests: java/awt/print/PrinterJob/InitToBlack.java + - JDK-8271838: AmazonCA.java interop test fails + - JDK-8273807: Zero: Drop incorrect test block from compiler/startup/NumCompilerThreadsCheck.java + - JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC + - JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/SurrogateTest.java test + - JDK-8275234: 
java/awt/GraphicsDevice/DisplayModes/CycleDMImage.java is entered twice in ProblemList + - JDK-8275303: sun/java2d/pipe/InterpolationQualityTest.java fails with D3D basic render driver + - JDK-8276651: java/lang/ProcessHandle tests fail with "RuntimeException: Input/output error" in java.lang.ProcessHandleImpl$Info.info0 + - JDK-8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out + - JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed out + - JDK-8283756: (zipfs) ZipFSOutputStreamTest.testOutputStream should only check inflated bytes + - JDK-8284524: Create an automated test for JDK-4422362 + - JDK-8284767: Create an automated test for JDK-4422535 + - JDK-8284772: GHA: Use GCC Major Version Dependencies Only + - JDK-8284910: Buffer clean in PasswordCallback + - JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java failed with Default Button not pressed for L&F: com.sun.java.swing.plaf.motif.MotifLookAndFeel + - JDK-8286172: Create an automated test for JDK-4516019 + - JDK-8286481: Exception printed to stdout on Windows when storing transparent image in clipboard + - JDK-8286620: Create regression test for verifying setMargin() of JRadioButton + - JDK-8289508: Improve test coverage for XPath Axes: ancestor, ancestor-or-self, preceding, and preceding-sibling + - JDK-8289748: C2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM + - JDK-8291444: GHA builds/tests won't run manually if disabled from automatic running + - JDK-8291830: jvmti/RedefineClasses/StressRedefine failed: assert(!is_null(v)) failed: narrow klass value can never be zero + - JDK-8292033: Move jdk.X509Certificate event logic to JCA layer + - JDK-8292297: Fix up loading of override java.security properties file + - JDK-8292443: Weak CAS VarHandle/Unsafe tests should test always-failing cases + - JDK-8293180: JQuery UI license file not updated + - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections + - JDK-8293657: 
sun/management/jmxremote/bootstrap/RmiBootstrapTest.java#id1 failed with "SSLHandshakeException: Remote host terminated the handshake" + - JDK-8293858: Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG + - JDK-8295737: macOS: Print content cut off when width > height with portrait orientation + - JDK-8295894: Remove SECOM certificate that is expiring in September 2023 + - JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java fails intermittently on a VM + - JDK-8297437: javadoc cannot link to old docs (with old style anchors) + - JDK-8297523: Various GetPrimitiveArrayCritical miss result - NULL check + - JDK-8297587: Upgrade JLine to 3.22.0 + - JDK-8297681: Unnecessary color conversion during 4BYTE_ABGR_PRE to INT_ARGB_PRE blit + - JDK-8297730: C2: Arraycopy intrinsic throws incorrect exception + - JDK-8297887: Update Siphash + - JDK-8297923: java.awt.ScrollPane broken after multiple scroll up/down + - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs + - JDK-8298921: Create a regression test for JDK-8139581 + - JDK-8298974: Add ftcolor.c to imported freetype sources + - JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java fails on SLES12 ppc64le when testing Memory and Swap Limit + - JDK-8299658: C1 compilation crashes in LinearScan::resolve_exception_edge + - JDK-8299713: Test javax/swing/JTableHeader/6889007/bug6889007.java failed: Wrong type of cursor + - JDK-8300098: java/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3 + - JDK-8300659: Refactor TestMemoryAwareness to use WhiteBox api for host values + - JDK-8300751: [17u] Remove duplicate entry in javac.properties + - JDK-8301269: Update Commons BCEL to Version 6.7.0 + - JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument + - JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit + - 
JDK-8301959: Compile command in compiler.loopopts.TestRemoveEmptyCountedLoop does not work + - JDK-8302161: Upgrade jQuery UI to version 1.13.2 + - JDK-8302182: Update Public Suffix List to 88467c9 + - JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during unrolling + - JDK-8303809: Dispose context in SPNEGO NegotiatorImpl + - JDK-8304054: Linux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed + - JDK-8304498: JShell does not switch to raw mode when there is no /bin/test + - JDK-8304867: Explicitly disable dtrace for ppc builds + - JDK-8305074: ProblemList javax/net/ssl/DTLS/RespondToRetransmit.java + - JDK-8305421: Work around JDK-8305420 in CDSJDITest.java + - JDK-8305763: Parsing a URI with an underscore goes through a silent exception, negatively impacting performance + - JDK-8305766: ProblemList runtime/CompressedOops/CompressedClassPointers.java + - JDK-8305950: Have -XshowSettings option display tzdata version + - JDK-8306133: Open source few AWT Drag & Drop related tests + - JDK-8306137: Open source several AWT ScrollPane related tests + - JDK-8306484: Open source several AWT Choice jtreg tests + - JDK-8306636: Disable compiler/c2/Test6905845.java with -XX:TieredStopAtLevel=3 + - JDK-8306638: Open source some AWT tests related to datatransfer and Toolkit + - JDK-8306682: Open source a few more AWT Choice tests + - JDK-8306718: Optimize and opensource some old AWT tests + - JDK-8306954: Open source five Focus related tests + - JDK-8306955: Open source several JComboBox jtreg tests + - JDK-8307078: Opensource and clean up five more AWT Focus related tests + - JDK-8307080: Open source some more JComboBox jtreg tests + - JDK-8307128: Open source some drag and drop tests 4 + - JDK-8307133: Open source some JTable jtreg tests + - JDK-8307135: java/awt/dnd/NotReallySerializableTest/NotReallySerializableTest.java failed + - JDK-8307301: Update HarfBuzz to 7.2.0 + - JDK-8307569: Build with gcc8 is broken after JDK-8307301 + - 
JDK-8307572: AArch64: Vector registers are clobbered by some macroassemblers + - JDK-8307603: [AIX] Broken build after JDK-8307301 + - JDK-8307604: gcc12 based Alpine build broken build after JDK-8307301 + - JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has invalid jtreg `@requires` clause + - JDK-8308156: VerifyCACerts.java misses blank in error output + - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails + - JDK-8309108: Bump update version for OpenJDK: jdk-11.0.21 + - JDK-8309138: Fix container tests for jdks with symlinked conf dir + - JDK-8310054: ScrollPane insets are incorrect + - JDK-8310176: JDK 11 G1 crash during full GC with +UseStringDeduplication + - JDK-8310620: [11u] Problemlist failing aot tests on macos x64 + - JDK-8311033: [macos] PrinterJob does not take into account Sides attribute + - JDK-8311689: Wrong visible amount in Adjustable of ScrollPane + - JDK-8312138: jcmd VM.metaspace vslist has no newline character before the Class: label. 
+ - JDK-8312555: Ideographic characters aren't stretched by AffineTransform.scale(2, 1) + - JDK-8313159: [11u] Fix test SSLEngineKeyLimit.java after Merge error + - JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) + - JDK-8313796: AsyncGetCallTrace crash on unreadable interpreter method pointer + - JDK-8313803: [11u] Exclude jdk/jfr/event/sampling/TestStackFrameLineNumbers.java + - JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le + - JDK-8314086: [11u] A typo in the fix for JDK-8312462 is causing test failure in ChildAlwaysOnTopTest.java + - JDK-8314950: CMS may miss NMT tag after mark stack expansion + - JDK-8314960: Add Certigna Root CA - 2 + - JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack() + - JDK-8315529: [11u] Exclude some failing Z-GC tests + - JDK-8317040: Exclude cleaner test failing on older releases + - JDK-8317644: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.21 + +Notes on individual issues: +=========================== + +security-libs/javax.net.ssl: + +JDK-8301700: The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit +=================================================================================================== +The JDK implementation of TLS 1.2 now uses a default Diffie Hellman +keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and +either the client or server does not support FFDHE. + +The JDK TLS implementation supports FFDHE, which can negotiate a +stronger keysize, and this is enabled by default. + +As a workaround, users can revert to the previous key size by setting +the `jdk.tls.ephemeralDHKeySize` system property to 1024 (at their own +risk). + +This change does not affect TLS 1.3 as the minimum DH group size is +already 2048 bits. 
+ +JDK-8168261: Use Server Cipher Suites Preference by Default +=========================================================== +The SunJSSE provider has been updated to use the local server-side +cipher suite preferences by default. Previously, the server would use +the preferences specified by the connecting client. To revert to the +previous behaviour, use `SSLParameters.setUseCipherSuitesOrder(false)` +on the server side. + +security-libs/javax.crypto: + +JDK-8023980: JDK Now Accepts RSA Keys in PKCS#1 Format +====================================================== +RSA private and public keys in PKCS#1 format can now be accepted by +JDK providers, such as the RSA `KeyFactory.impl` from the SunRsaSign +provider. The RSA private or public key object should have the PKCS#1 +format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA +private key and public key. + +security-libs/javax.security: + +JDK-8242330: Arrays should be cloned in several JAAS Callback classes +===================================================================== +In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays +were not cloned when passed into a constructor or returned. This +allowed an external program to get access to the internal fields of +these classes. The classes have been updated to return cloned arrays. + +tools/launcher: + +JDK-8305950: `-XshowSettings:locale` Output Now Includes Tzdata Version +======================================================================= +The `-XshowSettings` launcher option has been enhanced to print the +tzdata version used by the JDK. The tzdata version is displayed as +part of the `locale` showSettings option. 
+ +Example output using `-X:showSettings:locale`: + +Locale settings: + default locale = English + default display locale = English + default format locale = English + tzdata version = 2023c + +security-libs/java.security: + +JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate +================================================================== +The following root certificate from SECOM Trust System has been +removed from the `cacerts` keystore: + +Alias Name: secomscrootca1 [jdk] +Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP + +JDK-8314960: Added Certigna Root CA Certificate +=============================================== +The following root certificate has been added to the cacerts +truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR + +JDK-8155246: Throw Error If Default java.security File Fails to Load +==================================================================== +A hardcoded set of security properties was used in previous releases +when the `java.security` file could not be loaded. This set of +properties were poorly maintained and it was not obvious to the user +that they were being utilised. This release instead throws an +`InternalError` if the `java.security` file can not be loaded. + +New in release OpenJDK 11.0.20.1 (2023-08-24): +============================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk110201 + +* Other changes + - JDK-8313765: Invalid CEN header (invalid zip64 extra data field size) + - JDK-8314678: Bump update version for OpenJDK: jdk-11.0.20.1 + New in release OpenJDK 11.0.20 (2023-07-18): ============================================= Live versions of these release notes can be found at: 
@@ -4842,4 +5144,3 @@ This new system property sets the pool size of the internal function is equivalent to the `org.apache.xml.security.parser.pool-size` system property used in Apache Santuario and has the same default value of 20. - diff --git a/discover_trees.sh b/discover_trees.sh new file mode 100755 index 0000000..8c31278 --- /dev/null +++ b/discover_trees.sh 
@@ -0,0 +1,54 @@ +#!/bin/sh + +# Copyright (C) 2020 Red Hat, Inc. +# Written by Andrew John Hughes gnu.andrew@redhat.com. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see https://www.gnu.org/licenses/. + +TREE=${1} + +if test "x${TREE}" = "x"; then + TREE=${PWD} +fi + +if [ -e ${TREE}/nashorn/.hg -o -e ${TREE}/nashorn/merge.changeset ] ; then + NASHORN="nashorn" ; +fi + +if [ -e ${TREE}/corba/.hg -o -e ${TREE}/corba/merge.changeset ] ; then + CORBA="corba"; +fi + +if [ -e ${TREE}/jaxp/.hg -o -e ${TREE}/jaxp/merge.changeset ] ; then + JAXP="jaxp"; +fi + +if [ -e ${TREE}/jaxws/.hg -o -e ${TREE}/jaxws/merge.changeset ] ; then + JAXWS="jaxws"; +fi + +if [ -e ${TREE}/langtools/.hg -o -e ${TREE}/langtools/merge.changeset ] ; then + LANGTOOLS="langtools"; +fi + +if [ -e ${TREE}/jdk/.hg -o -e ${TREE}/jdk/merge.changeset ] ; then + JDK="jdk"; +fi + +if [ -e ${TREE}/hotspot/.hg -o -e ${TREE}/hotspot/merge.changeset ] ; then + HOTSPOT="hotspot"; +fi + +SUBTREES="${CORBA} ${JAXP} ${JAXWS} ${LANGTOOLS} ${NASHORN} ${JDK} ${HOTSPOT}"; +echo ${SUBTREES} diff --git a/fips-11u-b34fb09a5c.patch b/fips-11u-f93a863b56.patch similarity index 96% rename from fips-11u-b34fb09a5c.patch rename to fips-11u-f93a863b56.patch index 02ce6df..3690cb8 100644 --- a/fips-11u-b34fb09a5c.patch +++ b/fips-11u-f93a863b56.patch 
@@ -89,7 +89,7 @@ index 3787b12600..dab108a82b 100644 LCMS_CFLAGS:=@LCMS_CFLAGS@ LCMS_LIBS:=@LCMS_LIBS@ diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk -index 4cd656a086..e1fc94b5b4 100644 +index b40d3114b9..0d1d83cf3e 100644 --- a/make/lib/Lib-java.base.gmk +++ b/make/lib/Lib-java.base.gmk @@ -178,6 +178,31 @@ ifeq ($(call isTargetOsType, unix), true) @@ -401,7 +401,7 @@ index 0000000000..8dcb7d9073 + } +} diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java -index b36510a376..ad5182e1e7 100644 +index 5b9552058b..b46de49211 100644 --- a/src/java.base/share/classes/java/security/Security.java +++ b/src/java.base/share/classes/java/security/Security.java @@ -32,6 +32,7 @@ import java.net.URL; @@ -412,16 +412,17 @@ index b36510a376..ad5182e1e7 100644 import jdk.internal.misc.SharedSecrets; import jdk.internal.util.StaticProperty; import sun.security.util.Debug; -@@ -47,12 +48,20 @@ import sun.security.jca.*; +@@ -47,6 +48,9 @@ import sun.security.jca.*; * implementation-specific location, which is typically the properties file * {@code conf/security/java.security} in the Java installation directory. * + * <p>Additional default values of security properties are read from a + * system-specific location, if available.</p> + * - * @author Benjamin Renaud - * @since 1.1 - */ + * @implNote If the properties file fails to load, the JDK implementation will + * throw an unspecified error when initializing the {@code Security} class. + * +@@ -56,6 +60,11 @@ import sun.security.jca.*;
public final class Security {
@@ -433,7 +434,7 @@ index b36510a376..ad5182e1e7 100644 /* Are we debugging? -- for developers */ private static final Debug sdebug = Debug.getInstance("properties"); -@@ -67,6 +76,19 @@ public final class Security { +@@ -70,6 +79,19 @@ public final class Security { }
static { @@ -453,26 +454,19 @@ index b36510a376..ad5182e1e7 100644 // doPrivileged here because there are multiple // things in initialize that might require privs. // (the FileInputStream call and the File.exists call, -@@ -83,6 +105,7 @@ public final class Security { +@@ -85,6 +107,7 @@ public final class Security { + private static void initialize() { props = new Properties(); - boolean loadedProps = false; boolean overrideAll = false; + boolean systemSecPropsEnabled = false;
// first load the system properties file // to determine the value of security.overridePropertiesFile -@@ -98,6 +121,7 @@ public final class Security { - if (sdebug != null) { - sdebug.println("reading security properties file: " + - propFile); -+ sdebug.println(props.toString()); - } - } catch (IOException e) { - if (sdebug != null) { -@@ -192,6 +216,61 @@ public final class Security { +@@ -105,9 +128,63 @@ public final class Security { } + loadProps(null, extraPropFile, overrideAll); } - ++ + boolean sysUseProps = Boolean.valueOf(System.getProperty(SYS_PROP_SWITCH, "false")); + boolean secUseProps = Boolean.valueOf(props.getProperty(SEC_PROP_SWITCH)); + if (sdebug != null) { @@ -492,9 +486,7 @@ index b36510a376..ad5182e1e7 100644 + } + } + -+ // FIPS support depends on the contents of java.security so -+ // ensure it has loaded first -+ if (loadedProps && systemSecPropsEnabled) { ++ if (systemSecPropsEnabled) { + boolean shouldEnable; + String sysProp = System.getProperty("com.redhat.fips"); + if (sysProp == null) { @@ -530,15 +522,19 @@ index b36510a376..ad5182e1e7 100644 + } }
- /* +- private static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { ++ static boolean loadProps(File masterFile, String extraPropFile, boolean overrideAll) { + InputStream is = null; + try { + if (masterFile != null && masterFile.exists()) { diff --git a/src/java.base/share/classes/java/security/SystemConfigurator.java b/src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 -index 0000000000..90f6dd2ebc +index 0000000000..49bf17ea17 --- /dev/null +++ b/src/java.base/share/classes/java/security/SystemConfigurator.java -@@ -0,0 +1,248 @@ +@@ -0,0 +1,231 @@ +/* -+ * Copyright (c) 2019, 2021, Red Hat, Inc. ++ * Copyright (c) 2019, 2023, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * @@ -616,26 +612,9 @@ index 0000000000..90f6dd2ebc + * security.useSystemPropertiesFile is true. + */ + static boolean configureSysProps(Properties props) { -+ boolean systemSecPropsLoaded = false; -+ -+ try (BufferedInputStream bis = -+ new BufferedInputStream( -+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { -+ props.load(bis); -+ systemSecPropsLoaded = true; -+ if (sdebug != null) { -+ sdebug.println("reading system security properties file " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ sdebug.println(props.toString()); -+ } -+ } catch (IOException e) { -+ if (sdebug != null) { -+ sdebug.println("unable to load security properties from " + -+ CRYPTO_POLICIES_JAVA_CONFIG); -+ e.printStackTrace(); -+ } -+ } -+ return systemSecPropsLoaded; ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ return Security.loadProps(null, CRYPTO_POLICIES_JAVA_CONFIG, false); + } + + /* @@ -1035,7 +1014,7 @@ index e06b2a588c..315a2ce370 100644 candidates = new ProtocolVersion[] { ProtocolVersion.TLS13, 
diff --git a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java -index c50ba93ecf..de2a91a478 100644 +index 2a2b5d7568..891796f19b 100644 --- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java +++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java @@ -27,6 +27,8 @@ package sun.security.ssl; @@ -1046,7 +1025,7 @@ index c50ba93ecf..de2a91a478 100644 +import jdk.internal.misc.SharedSecrets; import sun.security.rsa.SunRsaSignEntries; import static sun.security.util.SecurityConstants.PROVIDER_VER; - import static sun.security.provider.SunEntries.createAliases; + import static sun.security.util.SecurityProviderConstants.*; @@ -195,8 +197,13 @@ public abstract class SunJSSE extends java.security.Provider { "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); ps("SSLContext", "TLSv1.2", @@ -1062,12 +1041,12 @@ index c50ba93ecf..de2a91a478 100644 + } ps("SSLContext", "TLS", "sun.security.ssl.SSLContextImpl$TLSContext", - (isfips? null : createAliases("SSL")), null); + (isfips? null : List.of("SSL")), null); diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security -index 9af64321c4..957cd78a55 100644 +index c0eed3f884..b03bd9f896 100644 --- a/src/java.base/share/conf/security/java.security +++ b/src/java.base/share/conf/security/java.security -@@ -85,6 +85,14 @@ security.provider.tbd=Apple +@@ -88,6 +88,14 @@ security.provider.tbd=Apple security.provider.tbd=SunPKCS11 #endif
@@ -1082,7 +1061,7 @@ index 9af64321c4..957cd78a55 100644 # # A list of preferred providers for specific algorithms. These providers will # be searched for matching algorithms before the list of registered providers. -@@ -298,6 +306,11 @@ policy.ignoreIdentityScope=false +@@ -301,6 +309,11 @@ policy.ignoreIdentityScope=false # keystore.type=pkcs12
@@ -1094,7 +1073,7 @@ index 9af64321c4..957cd78a55 100644 # # Controls compatibility mode for JKS and PKCS12 keystore types. # -@@ -335,6 +348,13 @@ package.definition=sun.misc.,\ +@@ -338,6 +351,13 @@ package.definition=sun.misc.,\ # security.overridePropertiesFile=true
@@ -1405,7 +1384,7 @@ index 0000000000..b848a1fd78 + } +} diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index cf7cd19b68..69cda46f85 100644 +index ffbd671246..bdaad67e06 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java @@ -26,6 +26,9 @@ @@ -1427,7 +1406,7 @@ index cf7cd19b68..69cda46f85 100644 import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; -@@ -60,6 +65,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +@@ -61,6 +66,29 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; */ public final class SunPKCS11 extends AuthProvider {
@@ -1457,7 +1436,7 @@ index cf7cd19b68..69cda46f85 100644 private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -317,10 +345,15 @@ public final class SunPKCS11 extends AuthProvider { +@@ -318,10 +346,15 @@ public final class SunPKCS11 extends AuthProvider { // request multithreaded access first initArgs.flags = CKF_OS_LOCKING_OK; PKCS11 tmpPKCS11; @@ -1474,7 +1453,7 @@ index cf7cd19b68..69cda46f85 100644 } catch (PKCS11Exception e) { if (debug != null) { debug.println("Multi-threaded initialization failed: " + e); -@@ -336,7 +369,7 @@ public final class SunPKCS11 extends AuthProvider { +@@ -337,7 +370,7 @@ public final class SunPKCS11 extends AuthProvider { initArgs.flags = 0; } tmpPKCS11 = PKCS11.getInstance(library, @@ -1483,7 +1462,7 @@ index cf7cd19b68..69cda46f85 100644 } p11 = tmpPKCS11;
-@@ -376,6 +409,24 @@ public final class SunPKCS11 extends AuthProvider { +@@ -377,6 +410,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 408ebce..849cff2 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -8,7 +8,7 @@ # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # PROJECT_NAME=openjdk # REPO_NAME=jdk11u -# VERSION=jdk-11.0.18+10 +# VERSION=jdk-11.0.21+9 # or to eg prepare systemtap: # icedtea7's jstack and other tapsets # VERSION=6327cf1cea9e @@ -29,8 +29,6 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com COMPRESSION_DEFAULT=xz -# Corresponding IcedTea version -ICEDTEA_VERSION=6.0
if [ "x$1" = "xhelp" ] ; then echo -e "Behaviour may be specified by setting the following variables:\n" @@ -41,7 +39,7 @@ if [ "x$1" = "xhelp" ] ; then echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)" - echo "TO_COMPRESS - what part of clone to pack (default is openjdk)" + echo "TO_COMPRESS - what part of clone to pack (default is ${VERSION})" echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" exit 1; fi @@ -117,8 +115,8 @@ if [ "x$REPO_ROOT" = "x" ] ; then fi;
if [ "x$TO_COMPRESS" = "x" ] ; then - TO_COMPRESS="openjdk" - echo "No targets to be compressed specified, ; default to ${TO_COMPRESS}" + TO_COMPRESS="${VERSION}" + echo "No targets to be compressed specified ; default to ${TO_COMPRESS}" fi;
echo -e "Settings:" @@ -140,41 +138,41 @@ else mkdir "${FILE_NAME_ROOT}" pushd "${FILE_NAME_ROOT}" echo "Cloning ${VERSION} root repository from ${REPO_ROOT}" - git clone -b ${VERSION} ${REPO_ROOT} openjdk + git clone -b ${VERSION} ${REPO_ROOT} ${VERSION} popd fi pushd "${FILE_NAME_ROOT}" # UnderlineTaglet.java has a BSD license with a field-of-use restriction, making it non-Free - if [ -d openjdk/test ] ; then + if [ -d ${VERSION}/test ] ; then echo "Removing langtools test case with non-Free license" - rm -vf openjdk/test/langtools/tools/javadoc/api/basic/taglets/UnderlineTaglet.java + rm -vf ${VERSION}/test/langtools/tools/javadoc/api/basic/taglets/UnderlineTaglet.java fi
# Generate .src-rev so build has knowledge of the revision the tarball was created from mkdir build pushd build - sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK} + sh ${PWD}/../${VERSION}/configure --with-boot-jdk=${BOOT_JDK} make store-source-revision popd rm -rf build
# Remove commit checks - echo "Removing $(find openjdk -name '.jcheck' -print)" - find openjdk -name '.jcheck' -print0 | xargs -0 rm -rf + echo "Removing $(find ${VERSION} -name '.jcheck' -print)" + find ${VERSION} -name '.jcheck' -print0 | xargs -0 rm -rf
# Remove history and GHA - echo "find openjdk -name '.hgtags'" - find openjdk -name '.hgtags' -exec rm -fv '{}' '+' - echo "find openjdk -name '.hgignore'" - find openjdk -name '.hgignore' -exec rm -fv '{}' '+' - echo "find openjdk -name '.gitattributes'" - find openjdk -name '.gitattributes' -exec rm -fv '{}' '+' - echo "find openjdk -name '.gitignore'" - find openjdk -name '.gitignore' -exec rm -fv '{}' '+' - echo "find openjdk -name '.git'" - find openjdk -name '.git' -exec rm -rfv '{}' '+' - echo "find openjdk -name '.github'" - find openjdk -name '.github' -exec rm -rfv '{}' '+' + echo "find ${VERSION} -name '.hgtags'" + find ${VERSION} -name '.hgtags' -exec rm -fv '{}' '+' + echo "find ${VERSION} -name '.hgignore'" + find ${VERSION} -name '.hgignore' -exec rm -fv '{}' '+' + echo "find ${VERSION} -name '.gitattributes'" + find ${VERSION} -name '.gitattributes' -exec rm -fv '{}' '+' + echo "find ${VERSION} -name '.gitignore'" + find ${VERSION} -name '.gitignore' -exec rm -fv '{}' '+' + echo "find ${VERSION} -name '.git'" + find ${VERSION} -name '.git' -exec rm -rfv '{}' '+' + echo "find ${VERSION} -name '.github'" + find ${VERSION} -name '.github' -exec rm -rfv '{}' '+'
echo "Compressing remaining forest" if [ "X$COMPRESSION" = "Xxz" ] ; then diff --git a/icedtea_sync.sh b/icedtea_sync.sh index e5c54f3..09d9504 100755 --- a/icedtea_sync.sh +++ b/icedtea_sync.sh 
@@ -1,192 +1 @@ -#!/bin/bash - -# Copyright (C) 2019 Red Hat, Inc. -# Written by Andrew John Hughes gnu.andrew@redhat.com. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. - -ICEDTEA_USE_VCS=true - -ICEDTEA_VERSION=3.15.0 -ICEDTEA_URL=https://icedtea.classpath.org/download/source -ICEDTEA_SIGNING_KEY=CFDA0F9B35964222 - -ICEDTEA_HG_URL=https://icedtea.classpath.org/hg/icedtea11 - -set -e - -RPM_DIR=${PWD} -if [ ! 
-f ${RPM_DIR}/jconsole.desktop.in ] ; then - echo "Not in RPM source tree."; - exit 1; -fi - -if test "x${TMPDIR}" = "x"; then - TMPDIR=/tmp; -fi -WORKDIR=${TMPDIR}/it.sync - -echo "Using working directory ${WORKDIR}" -mkdir ${WORKDIR} -pushd ${WORKDIR} - -if test "x${WGET}" = "x"; then - WGET=$(which wget); - if test "x${WGET}" = "x"; then - echo "wget not found"; - exit 1; - fi -fi - -if test "x${TAR}" = "x"; then - TAR=$(which tar) - if test "x${TAR}" = "x"; then - echo "tar not found"; - exit 2; - fi -fi - -echo "Dependencies:"; -echo -e "\tWGET: ${WGET}"; -echo -e "\tTAR: ${TAR}\n"; - -if test "x${ICEDTEA_USE_VCS}" = "xtrue"; then - echo "Mode: Using VCS"; - - if test "x${GREP}" = "x"; then - GREP=$(which grep); - if test "x${GREP}" = "x"; then - echo "grep not found"; - exit 3; - fi - fi - - if test "x${CUT}" = "x"; then - CUT=$(which cut); - if test "x${CUT}" = "x"; then - echo "cut not found"; - exit 4; - fi - fi - - if test "x${TR}" = "x"; then - TR=$(which tr); - if test "x${TR}" = "x"; then - echo "tr not found"; - exit 5; - fi - fi - - if test "x${HG}" = "x"; then - HG=$(which hg); - if test "x${HG}" = "x"; then - echo "hg not found"; - exit 6; - fi - fi - - echo "Dependencies:"; - echo -e "\tGREP: ${GREP}"; - echo -e "\tCUT: ${CUT}"; - echo -e "\tTR: ${TR}"; - echo -e "\tHG: ${HG}"; - - echo "Checking out repository from VCS..."; - ${HG} clone ${ICEDTEA_HG_URL} icedtea - - echo "Obtaining version from configure.ac..."; - ROOT_VER=$(${GREP} '^AC_INIT' icedtea/configure.ac|${CUT} -d ',' -f 2|${TR} -d '[][:space:]') - echo "Root version from configure: ${ROOT_VER}"; - - VCS_REV=$(${HG} log -R icedtea --template '{node|short}' -r tip) - echo "VCS revision: ${VCS_REV}"; - - ICEDTEA_VERSION="${ROOT_VER}-${VCS_REV}" - echo "Creating icedtea-${ICEDTEA_VERSION}"; - mkdir icedtea-${ICEDTEA_VERSION} - echo "Copying required files from checkout to icedtea-${ICEDTEA_VERSION}"; - # Commented out for now as IcedTea 6's jconsole.desktop.in is outdated - #cp -a 
icedtea/jconsole.desktop.in ../icedtea-${ICEDTEA_VERSION} - cp -a ${RPM_DIR}/jconsole.desktop.in icedtea-${ICEDTEA_VERSION} - cp -a icedtea/tapset icedtea-${ICEDTEA_VERSION} - - rm -rf icedtea -else - echo "Mode: Using tarball"; - - if test "x${ICEDTEA_VERSION}" = "x"; then - echo "No IcedTea version specified for tarball download."; - exit 3; - fi - - if test "x${CHECKSUM}" = "x"; then - CHECKSUM=$(which sha256sum) - if test "x${CHECKSUM}" = "x"; then - echo "sha256sum not found"; - exit 4; - fi - fi - - if test "x${PGP}" = "x"; then - PGP=$(which gpg) - if test "x${PGP}" = "x"; then - echo "gpg not found"; - exit 5; - fi - fi - - echo "Dependencies:"; - echo -e "\tCHECKSUM: ${CHECKSUM}"; - echo -e "\tPGP: ${PGP}\n"; - - echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}..."; - if ! gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then - echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed."; - exit 6; - fi - - echo "Downloading IcedTea release tarball..."; - ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz - echo "Downloading IcedTea tarball signature..."; - ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig - echo "Downloading IcedTea tarball checksums..."; - ${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256 - - echo "Verifying checksums..."; - ${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256 - - echo "Checking signature..."; - ${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig - - echo "Extracting files..."; - ${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \ - icedtea-${ICEDTEA_VERSION}/tapset \ - icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in - - rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz - rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig - rm -vf icedtea-${ICEDTEA_VERSION}.sha256 -fi - -echo "Replacing desktop files..."; -mv -v icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in ${RPM_DIR} - -echo "Creating new tapset tarball..."; -mv -v icedtea-${ICEDTEA_VERSION} openjdk -${TAR} cJf 
${RPM_DIR}/tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz openjdk - -rm -rvf openjdk - -popd -rm -rf ${WORKDIR} +# this file is intentionally not use din portables, use tarball from main rpms diff --git a/java-11-openjdk-portable.spec b/java-11-openjdk-portable.spec index eba37b7..986cd5f 100644 --- a/java-11-openjdk-portable.spec +++ b/java-11-openjdk-portable.spec @@ -29,6 +29,8 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs +# Remove build artifacts by default +%bcond_with artifacts # Build a fresh libjvm.so for use in a copy of the bootstrap JDK %bcond_without fresh_libjvm # Build with system libraries @@ -41,8 +43,6 @@ %define __os_install_post %{nil} %endif
-%global unpacked_licenses %{_datarootdir}/licenses - # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} %define __brp_strip_static_archive %{nil} @@ -66,10 +66,6 @@ # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 %global _find_debuginfo_opts -g
-# With LTO flags enabled, debuginfo checks fail for some reason. Disable -# LTO for a passing build. This really needs to be looked at. -%define _lto_cflags %{nil} - # note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros # also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch # see the difference between global and define: @@ -157,9 +153,14 @@ # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 # Set of architectures where we verify backtraces with gdb +# s390x fails on RHEL 7 so we exclude it there +%if (0%{?rhel} > 0 && 0%{?rhel} < 8) +%global gdb_arches %{arm} %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 %{zero_arches} +%else %global gdb_arches %{jit_arches} %{zero_arches} +%endif
-# By default, we build a debug build during main build on JIT architectures +# By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} %ifarch %{debug_arches} %global include_debug_build 1 @@ -241,10 +242,10 @@ %global static_libs_target %{nil} %endif
-# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM -%global debug_symbols internal - -# unlike portables,the rpms have to use static_libs_target very dynamically +# The static libraries are produced under the same configuration as the main +# build for portables, as we expect in-tree libraries to be used throughout. +# If system libraries are enabled, the static libraries will also use them +# which may cause issues. %global bootstrap_targets images %{static_libs_target} legacy-jre-image %global release_targets images docs-zip %{static_libs_target} legacy-jre-image # No docs nor bootcycle for debug builds @@ -252,14 +253,18 @@ # Target to use to just build HotSpot %global hotspot_target hotspot
+ +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} + # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 # We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) # We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings # We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ -# removal of -g is portable build specific to achieve no debug for release -%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||' | sed -e 's|-g ||') -%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||' | sed -e 's|-g ||') +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') %global ourldflags %{__global_ldflags}
# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path @@ -338,20 +343,19 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 20 +%global updatever 21 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place %global buildjdkver %{featurever} -# We don't add any LTS designator for STS packages (Fedora and EPEL). -# We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. -%if 0%{?rhel} && !0%{?epel} +# Add LTS designator for RHEL builds +%if 0%{?rhel} %global lts_designator "LTS" %global lts_designator_zip -%{lts_designator} %else - %global lts_designator "" - %global lts_designator_zip "" + %global lts_designator "" + %global lts_designator_zip "" %endif # JDK to use for bootstrapping %global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk 
@@ -370,32 +374,39 @@ # Define what url should JVM offer in case of a crash report # order may be important, epel may have rhel declared %if 0%{?epel} -%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&componen... +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&componen... %else %if 0%{?fedora} # Does not work for rawhide, keeps the version field empty -%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%%7Bn... +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%%7Bc... %else %if 0%{?rhel} -%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20L... +%global oj_vendor_bug_url https://access.redhat.com/support/cases/ %else %global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi %endif %endif %endif -%global oj_vendor_version (Red_Hat-%{version}-%{release}) +%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease})
# Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver b34fb09a5c +%global fipsver f93a863b56 +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
# Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 8 +%global buildver 9 %global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit @@ -410,14 +421,6 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -%global javaver %{featurever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
# Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -445,6 +448,7 @@ # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -465,6 +469,11 @@ # Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on # top of the JDK archive %define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\(_[0-9]\)*;portable.docs;g") +%define docportablearchive() %{docportablename}.tar.xz +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\(_[0-9]\)*;portable.misc;g") +%define miscportablearchive() %{miscportablename}.tar.xz +
# RPM 4.19 no longer accept our double percentaged %%{nil} passed to %%{1} # so we have to pass in "" but evaluate it, otherwise files record will include it @@ -478,7 +487,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*%{freetype_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -494,6 +503,12 @@ %global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ %endif
+# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif
%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} %define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} @@ -516,20 +531,6 @@ %global alternatives_requires %{_sbindir}/alternatives %endif
-%if %{with_systemtap} -# Where to install systemtap tapset (links) -# We would like these to be in a package specific sub-dir, -# but currently systemtap doesn't support that, so we have to -# use the root tapset dir for now. To distinguish between 64 -# and 32 bit architectures we place the tapsets under the arch -# specific dir (note that systemtap will only pickup the tapset -# for the primary arch for now). Systemtap uses the machine name -# aka target_cpu as architecture specific directory name. -%global tapsetroot /usr/share/systemtap -%global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{stapinstall} -%endif - # x86 is no longer supported %if 0%{?java_arches:1} ExclusiveArch: %{java_arches} @@ -537,8 +538,8 @@ ExclusiveArch: %{java_arches} ExcludeArch: %{ix86} %endif
-# Portables have no rpo (requires/provides), but thsoe are awesome for orientation in spec -# also scriptlets are hapily missing and files are handled old fashion +# Portables have no repo (requires/provides), but these are awesome for orientation in spec +# Also scriptlets are happily missing and files are handled old fashion # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: } @@ -549,6 +550,14 @@ ExcludeArch: %{ix86} %define java_static_libs_rpo() %{expand: }
+%define java_unstripped_rpo() %{expand: +} + +%define java_docs_rpo() %{expand: +} + +%define java_misc_rpo() %{expand: +}
# Prevent brp-java-repack-jars from being run %global __jar_repack 0 @@ -594,7 +603,6 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/
- # The source tarball, generated using generate_source_tarball.sh Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
@@ -615,8 +623,7 @@ Source10: NEWS Source11: nss.cfg.in
# Removed libraries that we link instead -# Disabled in portables -#Source12: remove-intree-libraries.sh +Source12: remove-intree-libraries.sh
# Ensure we aren't using the limited crypto policy Source13: TestCryptoLevel.java @@ -636,14 +643,6 @@ Source17: nss.fips.cfg.in # Ensure translations are available for new timezones Source18: TestTranslations.java
-%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -# boot jdk for portable build root on -Source1001: ojdk17-aarch64-17.35.tar.gz -Source1002: ojdk17-ppc64le-17.35.tar.gz -Source1003: ojdk17-x86_64-17.35.tar.gz -Source1004: ojdk17-s390x-17.35.tar.gz -%endif - ############################################ # # RPM/distribution specific patches @@ -652,8 +651,6 @@ Source1004: ojdk17-s390x-17.35.tar.gz
# Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch # RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) @@ -694,10 +691,12 @@ Patch1001: fips-11u-%{fipsver}.patch
############################################# # -# OpenJDK patches in need of upstreaming +# Upstreamable patches # +# This section includes patches which need to +# be reviewed & pushed to the current development +# tree of OpenJDK. ############################################# - Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
############################################# @@ -709,10 +708,35 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 # need to be reviewed & pushed to the appropriate # updates tree of OpenJDK. ############################################# -Patch2001: jdk8242332-rh2108712-sha3-sunpkcs11.patch +Patch2002: jdk8242332-rh2108712-sha3-sunpkcs11.patch
-# JDK-8271148: static-libs-image target --with-native-debug-symbols=external doesn't produce debug info -Patch7777: jdk8271148-external_doesnt_produce_debuginfo.patch +############################################# +# +# Patches appearing in 11.0.21 +# +# This section includes patches which are present +# in the listed OpenJDK 11u release and should be +# able to be removed once that release is out +# and used by this RPM. +############################################# + +############################################# +# +# Patches appearing in 11.0.22 +# +# This section includes patches which are present +# in the listed OpenJDK 8u release and should be +# able to be removed once that release is out +# and used by this RPM. +############################################# +# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar +Patch2000: jdk8312489-max_sig_default_increase.patch + +############################################# +# +# Portable build specific patches +# +#############################################
BuildRequires: autoconf BuildRequires: automake @@ -722,6 +746,7 @@ BuildRequires: cups-devel BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel +BuildRequires: file BuildRequires: fontconfig-devel BuildRequires: freetype-devel %if (0%{?rhel} > 0 && 0%{?rhel} < 8) @@ -749,28 +774,24 @@ BuildRequires: libXtst-devel # Requirement for setting up nss.cfg and nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -BuildRequires: crypto-policies -%endif +# N/A for portable. RHEL7 doesn't provide them +# and policy support is turned off +#BuildRequires: crypto-policies BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip # to pack portable tarballs BuildRequires: tar BuildRequires: unzip -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) # No javapackages-filesystem on el7,nor is needed for portables -%else -BuildRequires: javapackages-filesystem +# BuildRequires: javapackages-filesystem BuildRequires: java-%{buildjdkver}-openjdk-devel -%endif # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel %endif # 2023c required as of JDK-8305113 BuildRequires: tzdata-java >= 2023c - # cacerts build requirement in portable mode BuildRequires: ca-certificates # Earlier versions have a bug in tree vectorization on PPC 
@@ -789,18 +810,18 @@ BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else -# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h -Provides: bundled(freetype) = 2.12.1 +# Version in src/java.desktop/share/legal/freetype.md +Provides: bundled(freetype) = 2.13.0 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 4.4.1 +Provides: bundled(harfbuzz) = 7.2.0 # Version in src/java.desktop/share/native/liblcms/lcms2.h -Provides: bundled(lcms2) = 2.12.0 +Provides: bundled(lcms2) = 2.15.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.37 +Provides: bundled(libpng) = 1.6.39 # We link statically against libstdc++ to increase portability BuildRequires: libstdc++-static %endif @@ -875,7 +896,7 @@ Group: Development/Tools %{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
%description devel-fastdebug -The %{origin_nice} %{featurever} development tools - portable edition. +The %{origin_nice} %{featurever} runtime environment and development tools - portable edition %{fastdebug_warning} %endif
@@ -883,7 +904,7 @@ The %{origin_nice} %{featurever} development tools - portable edition.
%if %{include_normal_build} %package static-libs -Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition. +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition
%{java_static_libs_rpo %{nil}}
@@ -898,7 +919,7 @@ Summary: %{origin_nice} %{featurever} libraries for static linking - portable ed %{java_static_libs_rpo -- %{debug_suffix_unquoted}}
%description static-libs-slowdebug -The %{origin_nice} %{featurever} libraries for static linking - portable edition. +The %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_warning} %endif
@@ -909,13 +930,42 @@ Summary: %{origin_nice} %{featurever} libraries for static linking - portable ed %{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
%description static-libs-fastdebug -The %{origin_nice} %{featurever} libraries for static linking - portable edition. +The %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_warning} %endif
# staticlibs %endif
+%if %{include_normal_build} +%package unstripped +Summary: The %{origin_nice} %{featurever} runtime environment. + +%{java_unstripped_rpo %{nil}} + +%description unstripped +The %{origin_nice} %{featurever} runtime environment. + +%endif + +%if %{include_normal_build} +%package docs +Summary: %{origin_nice} %{featurever} API documentation + +%{java_docs_rpo %{nil}} + +%description docs +The %{origin_nice} %{featurever} API documentation. + +%package misc +Summary: %{origin_nice} %{featurever} miscellany + +%{java_misc_rpo %{nil}} + +%description misc +The %{origin_nice} %{featurever} miscellany. +%endif + %package sources Summary: %{origin_nice} %{featurever} full patched sources of portable JDK
@@ -927,10 +977,10 @@ The %{origin_nice} %{featurever} full patched sources of portable JDK to build, echo "Preparing %{oj_vendor_version}"
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( -%if 0%{?stapinstall:1} - echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%if 0%{?_build_cpu:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{_build_cpu}" %else - %{error:Unrecognised architecture %{_target_cpu}} + %{error:Unrecognised architecture %{_build_cpu}} %endif
if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then @@ -951,7 +1001,6 @@ else echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" exit 13 fi - if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 @@ -971,7 +1020,6 @@ if [ $prioritylength -ne 8 ] ; then fi
# OpenJDK patches - %if %{system_libs} # Remove libraries that are linked by both static and dynamic builds sh %{SOURCE12} %{top_level_dir_name} @@ -980,49 +1028,23 @@ sh %{SOURCE12} %{top_level_dir_name} # Patch the JDK pushd %{top_level_dir_name} %patch1 -p1 -%patch2 -p1 %patch3 -p1 # Add crypto policy and FIPS support %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# JDK-8312489 backport, coming in 11.0.22 +%patch2000 -p1 # PKCS11 SHA3 backport -%patch2001 -p1 -# debuginfo fix -%patch7777 -p1 +%patch2002 -p1 +# alt-java +%patch600 -p1 +# RSA default +%patch1003 -p1 popd # openjdk
-%patch600 -%patch1003
-# Extract systemtap tapsets -%if %{with_systemtap} -tar --strip-components=1 -x -I xz -f %{SOURCE8} -%if %{include_debug_build} -cp -r tapset tapset%{debug_suffix} -%endif -%if %{include_fastdebug_build} -cp -r tapset tapset%{fastdebug_suffix} -%endif - -for suffix in %{build_loop} ; do - for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:.stp.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 - sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 -# TODO find out which architectures other than i686 have a client vm -%ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE -%else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE -%endif - sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE - sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE - done -done -# systemtap tapsets ends -%endif +# Systemtap is processed in rpms
# Prepare desktop files # Portables do not have desktop integration @@ -1034,27 +1056,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -mkdir bootjdk -pushd bootjdk -%ifarch %{aarch64} -tar --strip-components=1 -xf %{SOURCE1001} -%endif -%ifarch %{ppc64le} -tar --strip-components=1 -xf %{SOURCE1002} -%endif -%ifarch x86_64 -tar --strip-components=1 -xf %{SOURCE1003} -%endif -%ifarch s390x -tar --strip-components=1 -xf %{SOURCE1004} -%endif -BOOT_JDK=$PWD -popd -%else -BOOT_JDK=%{bootjdk} -%endif - # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1136,7 +1137,7 @@ function buildjdk() { %endif --with-version-build=%{buildver} \ --with-version-pre="%{ea_designator}" \ - --with-version-opt=%{lts_designator} \ + --with-version-opt="%{lts_designator}" \ --with-vendor-version-string="%{oj_vendor_version}" \ --with-vendor-name="%{oj_vendor}" \ --with-vendor-url="%{oj_vendor_url}" \ @@ -1144,7 +1145,7 @@ function buildjdk() { --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ - --with-native-debug-symbols="%{debug_symbols}" \ + --with-native-debug-symbols="${debug_symbols}" \ --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=%{link_type} \ @@ -1165,330 +1166,309 @@ function buildjdk() { --disable-warnings-as-errors
cat spec.gmk + make \ + JAVAC_FLAGS=-g \ LOG=trace \ WARNINGS_ARE_ERRORS="-Wno-error" \ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) - popd }
+function stripjdk() { + local outputdir=${1} + local jdkimagepath=${outputdir}/images/%{jdkimage} + local jreimagepath=${outputdir}/images/%{jreimage} + local jmodimagepath=${outputdir}/images/jmods + local supportdir=${outputdir}/support + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + cp -a ${jdkimagepath}{,.unstripped} + + # Strip the files + for file in $(find ${jdkimagepath} ${jreimagepath} ${supportdir} -type f) ; do + if file ${file} | grep -q 'ELF'; then + noextfile=${file/.so/}; + objcopy --only-keep-debug ${file} ${noextfile}.debuginfo; + objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}; + strip -g ${file}; + fi + done + + # Rebuild jmod files against the stripped binaries + if [ ! -d ${supportdir} ] ; then + echo "Support directory missing."; + exit 15 + fi + for cmd in $(find ${supportdir} -name '*.jmod.cmdline') ; do + jmod=$(cat ${cmd} | sed -r 's|.*support/(.*$)|\1|'); + echo "Rebuilding ${jmod} against stripped binaries..."; + echo "Removing old jmod ${jmod}..."; + rm -vf ${jmod} + rm -vf ${jdkimagepath}/jmods/$(basename ${jmod}); + echo "Executing $(cat ${cmd})..."; + cat ${cmd} | sh -s ; + echo "Moving jmod to image..."; + mv -v ${supportdir}/${jmod} ${jdkimagepath}/jmods; + done + fi +} + function installjdk() { - local imagepath=${1} + local outputdir=${1} + local installdir=${2} + local jdkimagepath=${installdir}/images/%{jdkimage} + local jreimagepath=${installdir}/images/%{jreimage} + local unstripped=${jdkimagepath}.unstripped + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif
- if [ -d ${imagepath} ] ; then - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} ; + for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do
- # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} ; - find ${imagepath}/bin/ -exec chmod +x {} ; + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} ;
- # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} ; + find ${imagepath}/bin/ -exec chmod +x {} ;
- # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Install local files which are distributed with the JDK + install -m 644 %{SOURCE10} ${imagepath} + install -m 644 nss.cfg ${imagepath}/conf/security/ + install -m 644 nss.fips.cfg ${imagepath}/conf/security/
- # Create fake alt-java as a placeholder for future alt-java - if [ -d man/man1 ] ; then - pushd ${imagepath} + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} # add alt-java man page echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd - fi - fi + popd + + # Print release information + cat ${imagepath}/release + fi + done }
-# Checks on debuginfo must be performed before the files are stripped -# by the RPM installation stage -function debugcheckjdk() { - local imagepath=${1} - - if [ -d ${imagepath} ] ; then - - so_suffix="so" - # Check debug symbols are present and can identify code - find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib - do - if [ -f "$lib" ] ; then - echo "Testing $lib for debug symbols" - # All these tests rely on RPM failing the build if the exit code of any set - # of piped commands is non-zero. - - # Test for .debug_* sections in the shared object. This is the main test - # Stripped objects will not contain these - eu-readelf -S "$lib" | grep "] .debug_" - test $(eu-readelf -S "$lib" | grep -E "]\ .debug_(info|abbrev)" | wc --lines) == 2 - - # Test FILE symbols. These will most likely be removed by anything that - # manipulates symbol tables because it's generally useless. So a nice test - # that nothing has messed with symbols - old_IFS="$IFS" - IFS=$'\n' - for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") - do - # We expect to see .cpp and .S files, except for architectures like aarch64 and - # s390 where we expect .o and .oS files - echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+.(c|cc|cpp|cxx|o|S|oS))?$" - done - IFS="$old_IFS" - - # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking - if [ "`basename $lib`" = "libjvm.so" ]; then - eu-readelf -s "$lib" | \ - grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" - fi - - # Test that there are no .gnu_debuglink sections pointing to another - # debuginfo file. There shouldn't be any debuginfo files, so the link makes - # no sense either - eu-readelf -S "$lib" | grep 'gnu' - if eu-readelf -S "$lib" | grep "] .gnu_debuglink" | grep PROGBITS; then - echo "bad .gnu_debuglink section." - eu-readelf -x .gnu_debuglink "$lib" - false - fi - fi - done +function genchecksum() { + local checkedfile=${1}
- # Make sure gdb can do a backtrace based on line numbers on libjvm.so - # javaCalls.cpp:58 should map to: - # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/v... - # Using line number 1 might cause build problems. See: - # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 - # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 - gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out -handle SIGSEGV pass nostop noprint -handle SIGILL pass nostop noprint -set breakpoint pending on -break javaCalls.cpp:58 -commands 1 -backtrace -quit -end -run -version -EOF -%ifarch %{gdb_arches} - grep 'JavaCallWrapper::JavaCallWrapper' gdb.out -%endif + checkdir=$(dirname ${1}) + checkfile=$(basename ${1})
- fi + echo "Generating checksum for ${checkfile} in ${checkdir}..." + pushd ${checkdir} + sha256sum ${checkfile} > ${checkfile}.sha256sum + sha256sum --check ${checkfile}.sha256sum + popd }
-pwd -ls -l -tar -cJf ../%{jdkportablesourcesarchive -- ""} --transform "s|^|%{jdkportablesourcesname -- ""}/|" openjdk nss* -sha256sum ../%{jdkportablesourcesarchive -- ""} > ../%{jdkportablesourcesarchive -- ""}.sha256sum +function packFullPatchedSources() { + srcpackagesdir=`pwd` + tar -cJf ${srcpackagesdir}/%{jdkportablesourcesarchive -- ""} --transform "s|^|%{jdkportablesourcesname -- ""}/|" %{top_level_dir_name} nss* + genchecksum ${srcpackagesdir}/%{jdkportablesourcesarchive -- ""} +}
-%if %{build_hotspot_first} - # Build a fresh libjvm.so first and use it to bootstrap - cp -LR --preserve=mode,timestamps $BOOT_JDK newboot - systemjdk=$(pwd)/newboot - buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" - mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server -%else - systemjdk=$BOOT_JDK -%endif +function packagejdk() { + local imagesdir=$(pwd)/${1}/images + local docdir=$(pwd)/${1}/images/docs + local bundledir=$(pwd)/${1}/bundles + local packagesdir=$(pwd)/${2} + local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset
-for suffix in %{build_loop} ; do - if [ "x$suffix" = "x" ] ; then - debugbuild=release - debug_symbols=external # portables specific - else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` - debug_symbols=internal - fi - -builddir=%{buildoutputdir -- ${suffix}} -bootbuilddir=boot${builddir} -installdir=%{installoutputdir -- ${suffix}} -bootinstalldir=boot${installdir} + echo "Packaging build from ${imagesdir} to ${packagesdir}..." + mkdir -p ${packagesdir} + pushd ${imagesdir}
-link_opt="bundled" + echo "Packaging build from ${imagesdir} to ${packagesdir}..."
- for loop in %{main_suffix} %{staticlibs_loop} ; do - builddir=%{buildoutputdir -- ${suffix}${loop}} - bootbuilddir=boot${builddir} - if test "x${loop}" = "x%{main_suffix}" ; then - link_opt="%{link_type}" -%if %{system_libs} - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full -%endif - # Debug builds don't need same targets as release for - # build speed-up. We also avoid bootstrapping these - # slower builds. - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - run_bootstrap=false - else - maketargets="%{release_targets}" - run_bootstrap=%{bootstrap_build} - fi - if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - rm -rf ${bootbuilddir} - else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi -%if %{system_libs} - # Restore original source tree we modified by removing full in-tree sources - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -%endif + if [ "x$suffix" = "x" ] ; then + nameSuffix="" else - # Use bundled libraries for building statically - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" - # Always just do the one build for the static libraries - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + nameSuffix=`echo "$suffix"| sed s/-/./` fi
- done # end of main / staticlibs loop + jdkname=%{jdkportablename -- "$nameSuffix"} + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrename=%{jreportablename -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + staticname=%{staticlibsportablename -- "$nameSuffix"} + staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + if [ "x$suffix" = "x" ] ; then + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + fi + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} + + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + mv %{jdkimage}.unstripped ${jdkname} + tar -cJf ${unstrippedarchive} ${jdkname} + genchecksum ${unstrippedarchive} + mv ${jdkname} %{jdkimage}.unstripped + fi
- # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} - for image in %{jdkimage} %{jreimage} ; do - imagePath=${top_dir_abs_main_build_path}/images/${image} - installjdk ${imagePath} - done - # Check debug symbols were built into the dynamic libraries; todo, why it passes in JDK only? - debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} + # Rename directories for packaging + mv %{jdkimage} ${jdkname} + mv %{jreimage} ${jrename}
- # Print release information - cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release + # Release images have external debug symbols + if [ "x$suffix" = "x" ] ; then + tar -cJf ${debugarchive} $(find ${jdkname} -name *.debuginfo) + genchecksum ${debugarchive}
-################################################################################ - pushd ${top_dir_abs_main_build_path}/images - if [ "x$suffix" == "x" ] ; then - nameSuffix="" - else - nameSuffix=`echo "$suffix"| sed s/-/./` - fi - # additional steps needed for fluent repack; most of them done twice, as images are already populated - # maybe most of them should be done in upstream build? - for imagedir in %{jdkimage} %{jreimage} ; do - pushd $imagedir - # Convert man pages to UTF8 encoding - if [ -d man/man1 ] ; then # jre do not have man pages... - for manpage in man/man1/* ; do - iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp - mv -f $manpage.tmp $manpage - done - fi - # Install release notes - cp -a %{SOURCE10} `pwd` - cp -a %{SOURCE10} `pwd`/legal - # stabilize permissions; aprtially duplicated in instalojdk - find `pwd` -name "*.so" -exec chmod 755 {} ; -exec echo "set 755 to so {}" ; ; - find `pwd` -type d -exec chmod 755 {} ; -exec echo "set 755 to dir {}" ; ; - find `pwd`/legal -type f -exec chmod 644 {} ; -exec echo "set 644 to licences {}" ; ; - popd # jdkimage/jreimage - done # jre/sdk work in loop - # javadoc is done only for release sdkimage - if ! 
echo $suffix | grep -q "debug" ; then - # Install Javadoc documentation - #cp -a docs %{jdkimage} # not sure if the plaintext javadoc is for some use - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a `pwd`/../bundles/${built_doc_archive} `pwd`/%{jdkimage}/javadocs.zip || ls -l `pwd`/../bundles + mkdir ${docname} + mv ${docdir} ${docname} + mv ${bundledir}/${built_doc_archive} ${docname} + tar -cJf ${docarchive} ${docname} + genchecksum ${docarchive} + + mkdir ${miscname} + for s in 16 24 32 48 ; do + cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} + done + cp -a ${srcdir}/src/sample ${miscname} +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif + tar -cJf ${miscarchive} ${miscname} + genchecksum ${miscarchive} fi - # end of additional steps - - mv %{jdkimage} %{jdkportablename -- "$nameSuffix"} - mv %{jreimage} %{jreportablename -- "$nameSuffix"} - tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"} - sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum - tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"} - sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum - # copy licenses so they are avialable out of tarball - cp -rf %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal - mv %{jdkportablename -- "$nameSuffix"} %{jdkimage} - mv %{jreportablename -- "$nameSuffix"} %{jreimage} - popd #images + + tar -cJf ${jdkarchive} --exclude='**.debuginfo' ${jdkname} + genchecksum ${jdkarchive} + + tar -cJf ${jrearchive} --exclude='**.debuginfo' ${jrename} + genchecksum ${jrearchive} + %if %{include_staticlibs} - 
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}} - pushd ${top_dir_abs_staticlibs_build_path}/images # Static libraries (needed for building graal vm with native image) # Tar as overlay. Transform to the JDK name, since we just want to "add" # static libraries to that folder - portableJDKname=%{staticlibsportablename -- "$nameSuffix"} - tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" - sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum - popd #staticlibs-images + tar -cJf ${staticarchive} \ + --transform "s|^%{static_libs_image}/lib/*|${staticname}/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" + genchecksum ${staticarchive} %endif -################################################################################ -# note, currently no debuginfo, consult portbale spec for external (zipped) debuginfo, being tarred alone -################################################################################
-# build cycles -done # end of release / debug cycle loop + # Revert directory renaming so testing will run + # TODO: testing should run on the packaged JDK + mv ${jdkname} %{jdkimage} + mv ${jrename} %{jreimage}
-%install -STRIP_KEEP_SYMTAB=libjvm* + popd #images
-mkdir -p $RPM_BUILD_ROOT%{_jvmdir} -mv ../%{jdkportablesourcesarchive -- ""} $RPM_BUILD_ROOT%{_jvmdir}/ -mv ../%{jdkportablesourcesarchive -- ""}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ +}
-for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +packFullPatchedSources
-################################################################################ - if [ "x$suffix" == "x" ] ; then - nameSuffix="" +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" + mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + # We build with internal debug symbols and do + # our own stripping for one version of the + # release build + debug_symbols=internal + + builddir=%{buildoutputdir -- ${suffix}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}} + bootinstalldir=boot${installdir} + packagesdir=%{packageoutputdir -- ${suffix}} + + link_opt="%{link_type}" +%if %{system_libs} + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. 
+ if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false else - nameSuffix=`echo "$suffix"| sed s/-/./` + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} fi - mv ../%{jdkportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{jdkportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{jreportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{jreportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ -%if %{include_staticlibs} - mv ../%{staticlibsportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ -%endif - if [ "x$suffix" == "x" ] ; then - dnameSuffix="$nameSuffix".debuginfo -# todo handle debuginfo, see note at build (we will need to pack one stripped and one unstripped release build) -# mv ../%{jdkportablearchive -- "$dnameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ -# mv ../%{jdkportablearchive -- "$dnameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + stripjdk ${builddir} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + stripjdk ${builddir} + installjdk ${builddir} ${installdir} fi -################################################################################ -# end, dual install -done -################################################################################ -# the licenses are packed onloy once and shared -mkdir -p $RPM_BUILD_ROOT%{unpacked_licenses} -mv ../%{jdkportablearchive -- 
"%{normal_suffix}"}-legal $RPM_BUILD_ROOT%{unpacked_licenses}/%{jdkportablesourcesarchive -- "%{normal_suffix}"} -# To show sha in the build log -for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do ls -l $file ; cat $file ; done -################################################################################ + packagejdk ${installdir} ${packagesdir} + +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif + +# build cycles +done # end of release / debug cycle loop
%check
# We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do
-# Tests in the check stage are performed on the installed image -# rpmbuild operates as follows: build -> install -> test -# however in portbales, we test built image instead of installed one -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path} +%endif + export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
-#check Shenandoah is enabled +# Check Shenandoah is enabled %if %{use_shenandoah_hotspot} -$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +$JAVA_HOME/bin/java -XX:+UseShenandoahGC -version %endif
# Check unlimited policy has been used @@ -1499,14 +1479,19 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|.java||")
-# Check system crypto (policy) is deactive and can not be enabled +# Check system crypto (policy) is active and can be disabled # Test takes a single argument - true or false - to state whether system # security properties are enabled or not. $JAVA_HOME/bin/javac -d . %{SOURCE15} export PROG=$(echo $(basename %{SOURCE15})|sed "s|.java||") export SEC_DEBUG="-Djava.security.debug=properties" +#Portable specific: set false whereas its true for upstream $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false -$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=false ${PROG} false +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
# Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi @@ -1518,24 +1503,89 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif
-# Check correct vendor values have been set -$JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" - -%if ! 0%{?flatpak} -# Check translations are available for new timezones (during flatpak builds, the -# tzdb.dat used by this test is not where the test expects it, so this is -# disabled for flatpak builds) +# Check translations are available for new timezones $JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|.java||") JRE $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|.java||") CLDR -%endif
%if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${top_dir_abs_main_build_path}/../../%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}/images/static-libs/lib/ -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c -readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +ls -l $STATIC_LIBS_HOME +ls -l $STATIC_LIBS_HOME/lib +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +%endif + +# Release builds strip the debug symbols into external .debuginfo files +if [ "x$suffix" = "x" ] ; then + so_suffix="debuginfo" +else + so_suffix="so" +fi +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. 
So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp and .S files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/v... +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out +handle SIGSEGV pass nostop noprint +handle SIGILL pass nostop noprint +set breakpoint pending on +break javaCalls.cpp:58 +commands 1 +backtrace +quit +end +run -version +EOF +%ifarch %{gdb_arches} +grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif
# Check src.zip has all sources. See RHBZ#1130490 @@ -1554,12 +1604,69 @@ $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable # build cycles check done
+%install + + mkdir -p $RPM_BUILD_ROOT%{_jvmdir} + mv %{jdkportablesourcesarchive -- ""} $RPM_BUILD_ROOT%{_jvmdir}/ + mv %{jdkportablesourcesarchive -- ""}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + +for suffix in %{build_loop} ; do + + packagesdir=%{packageoutputdir -- ${suffix}} + + if [ "x$suffix" == "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + + # These definitions should match those in installjdk + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + + mv ${jdkarchive} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${jdkarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${jrearchive} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${jrearchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + +%if %{include_staticlibs} + mv ${staticarchive} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${staticarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ +%endif + + if [ "x$suffix" = "x" ] ; then + mv ${debugarchive} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${debugarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${unstrippedarchive} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${unstrippedarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + fi +done + + if [ "x$suffix" = "x" ] ; then + # These definitions should match those in installjdk + # Install outside the loop as there are no debug variants + docarchive=${packagesdir}/%{docportablearchive} + miscarchive=${packagesdir}/%{miscportablearchive} + mv ${docarchive} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${docarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${miscarchive} $RPM_BUILD_ROOT%{_jvmdir}/ + mv ${miscarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ + fi + +# To show sha in the build log +for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do + 
ls -l $file ; + cat $file ; +done + %if %{include_normal_build} %files # main package builds always %{_jvmdir}/%{jreportablearchiveForFiles} %{_jvmdir}/%{jreportablearchiveForFiles}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles} %else %files # placeholder @@ -1568,10 +1675,9 @@ done %if %{include_normal_build} %files devel %{_jvmdir}/%{jdkportablearchiveForFiles} -#%{_jvmdir}/%{jdkportablearchive -- .debuginfo} +%{_jvmdir}/%{jdkportablearchive -- .debuginfo} %{_jvmdir}/%{jdkportablearchiveForFiles}.sha256sum -#%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles} +%{_jvmdir}/%{jdkportablearchive -- .debuginfo}.sha256sum %endif
%if %{include_normal_build} @@ -1579,26 +1685,26 @@ done %files static-libs %{_jvmdir}/%{staticlibsportablearchiveForFiles} %{_jvmdir}/%{staticlibsportablearchiveForFiles}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles} %endif + +%files unstripped +%{_jvmdir}/%{jdkportablearchive -- .unstripped} +%{_jvmdir}/%{jdkportablearchive -- .unstripped}.sha256sum %endif
%if %{include_debug_build} %files slowdebug %{_jvmdir}/%{jreportablearchive -- .slowdebug} %{_jvmdir}/%{jreportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles}
%files devel-slowdebug %{_jvmdir}/%{jdkportablearchive -- .slowdebug} %{_jvmdir}/%{jdkportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles}
%if %{include_staticlibs} %files static-libs-slowdebug %{_jvmdir}/%{staticlibsportablearchive -- .slowdebug} %{_jvmdir}/%{staticlibsportablearchive -- .slowdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles} %endif %endif
@@ -1606,27 +1712,46 @@ done %files fastdebug %{_jvmdir}/%{jreportablearchive -- .fastdebug} %{_jvmdir}/%{jreportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles}
%files devel-fastdebug %{_jvmdir}/%{jdkportablearchive -- .fastdebug} %{_jvmdir}/%{jdkportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles}
%if %{include_staticlibs} %files static-libs-fastdebug %{_jvmdir}/%{staticlibsportablearchive -- .fastdebug} %{_jvmdir}/%{staticlibsportablearchive -- .fastdebug}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles} %endif %endif
%files sources %{_jvmdir}/%{jdkportablesourcesarchiveForFiles} %{_jvmdir}/%{jdkportablesourcesarchiveForFiles}.sha256sum -%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles} + +%if %{include_normal_build} +%files docs +%{_jvmdir}/%{docportablearchive} +%{_jvmdir}/%{docportablearchive}.sha256sum + +%files misc +%{_jvmdir}/%{miscportablearchive} +%{_jvmdir}/%{miscportablearchive}.sha256sum +%endif
%changelog +* Wed Nov 22 2023 Jiri Vanek jvanek@redhat.com - 1:11.0.21.0.9-1 +- Updated to OpenJDK 11.0.21+9 (GA) +- adjsuted generate_source_tarball +- removed icedtea_sync +- dropped standalone licenses +- added usntripped subpkg +- added docs subpkg +- adjsuted versions of bundled libraries +- build refactored to several solid methods following gnu_andrew +- Drop local backport of JDK-8243210 which is upstream from 11.0.21+2 +- Bump freetype version to 2.13.0 following JDK-8306881 +- fixed '--without release' build-ability by moving docs and misc to if-release only + * Thu Aug 03 2023 Jiri Vanek jvanek@redhat.com - 1:11.0.20.0.8-1 - Update to jdk-11.0.20.0+8 - Update release notes to 11.0.20.0+8 diff --git a/jconsole.desktop.in b/jconsole.desktop.in index 8a3b04d..c1b8f6a 100644 --- a/jconsole.desktop.in +++ b/jconsole.desktop.in @@ -1,10 +1 @@ -[Desktop Entry] -Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@) -Comment=Monitor and manage OpenJDK applications -Exec=_SDKBINDIR_/jconsole -Icon=java-@JAVA_VER@-@JAVA_VENDOR@ -Terminal=false -Type=Application -StartupWMClass=sun-tools-jconsole-JConsole -Categories=Development;Profiling;Java; -Version=1.0 +# this file is intentionally not here, as portable builds do not have desktop integration diff --git a/jdk8242332-rh2108712-sha3-sunpkcs11.patch b/jdk8242332-rh2108712-sha3-sunpkcs11.patch index a6192a4..cc28540 100644 --- a/jdk8242332-rh2108712-sha3-sunpkcs11.patch +++ b/jdk8242332-rh2108712-sha3-sunpkcs11.patch @@ -1,11 +1,11 @@ -commit 81c2107a9188680f7c35ebc7697b292d5972436e +commit b8711800e3cd9132ad2b195c82cf816210feb77d Author: Andrew Hughes gnu.andrew@redhat.com -Date: Mon Feb 27 13:22:43 2023 +0000 +Date: Thu Oct 5 03:13:01 2023 +0100
Backport 78be334c3817a1b5840922a9bf1339a40dcc5185
diff --git a/src/java.base/share/classes/sun/security/util/KnownOIDs.java b/src/java.base/share/classes/sun/security/util/KnownOIDs.java -index 92ecb9adc0c..a5848c96aad 100644 +index b5cc3b05f1..7e235c90dd 100644 --- a/src/java.base/share/classes/sun/security/util/KnownOIDs.java +++ b/src/java.base/share/classes/sun/security/util/KnownOIDs.java @@ -155,6 +155,14 @@ public enum KnownOIDs { @@ -24,7 +24,7 @@ index 92ecb9adc0c..a5848c96aad 100644 SHA3_256withRSA("2.16.840.1.101.3.4.3.14", "SHA3-256withRSA"), SHA3_384withRSA("2.16.840.1.101.3.4.3.15", "SHA3-384withRSA"), diff --git a/src/java.base/share/classes/sun/security/util/SignatureUtil.java b/src/java.base/share/classes/sun/security/util/SignatureUtil.java -index 32c089fd96d..7d5c0c7e299 100644 +index 32c089fd96..7d5c0c7e29 100644 --- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java +++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java @@ -168,4 +168,22 @@ public class SignatureUtil { @@ -51,7 +51,7 @@ index 32c089fd96d..7d5c0c7e299 100644 + } } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java -index 41fe61b8a16..daf0bc9f69c 100644 +index 41fe61b8a1..daf0bc9f69 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java @@ -1,5 +1,5 @@ @@ -93,7 +93,7 @@ index 41fe61b8a16..daf0bc9f69c 100644 break; default: diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java -index 926414608cb..f343e6025e1 100644 +index 926414608c..f343e6025e 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java 
@@ -36,7 +36,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; @@ -428,7 +428,7 @@ index 926414608cb..f343e6025e1 100644 - } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -index c88e4a6ace5..29b26651c39 100644 +index c88e4a6ace..29b26651c3 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java @@ -39,8 +39,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; @@ -465,7 +465,7 @@ index c88e4a6ace5..29b26651c39 100644 break; case (int)CKM_SSL3_MD5_MAC: diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java -index 26eaa4735f1..905b6ea9562 100644 +index 1419be3754..18e00a544b 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java @@ -38,6 +38,7 @@ import java.security.spec.MGF1ParameterSpec; @@ -738,7 +738,7 @@ index 26eaa4735f1..905b6ea9562 100644
// see JCA spec diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java -index e3af106d05a..e49edf32c29 100644 +index e3af106d05..e49edf32c2 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java @@ -51,8 +51,15 @@ import sun.security.util.KeyUtil; @@ -970,111 +970,88 @@ index e3af106d05a..e49edf32c29 100644 // return RSASignature.decodeSignature(digestOID, signature); // } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index cf7cd19b689..7a8bcffb92c 100644 +index ffbd671246..d191831dab 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -550,6 +550,18 @@ public final class SunPKCS11 extends AuthProvider { - d(MD, "SHA-512/256", P11Digest, - s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"), +@@ -546,6 +546,14 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_SHA512_224)); + dA(MD, "SHA-512/256", P11Digest, m(CKM_SHA512_256)); -+ d(MD, "SHA3-224", P11Digest, -+ s("2.16.840.1.101.3.4.2.7", "OID.2.16.840.1.101.3.4.2.7"), ++ dA(MD, "SHA3-224", P11Digest, + m(CKM_SHA3_224)); -+ d(MD, "SHA3-256", P11Digest, -+ s("2.16.840.1.101.3.4.2.8", "OID.2.16.840.1.101.3.4.2.8"), ++ dA(MD, "SHA3-256", P11Digest, + m(CKM_SHA3_256)); -+ d(MD, "SHA3-384", P11Digest, -+ s("2.16.840.1.101.3.4.2.9", "OID.2.16.840.1.101.3.4.2.9"), ++ dA(MD, "SHA3-384", P11Digest, + m(CKM_SHA3_384)); -+ d(MD, "SHA3-512", P11Digest, -+ s("2.16.840.1.101.3.4.2.10", "OID.2.16.840.1.101.3.4.2.10"), ++ dA(MD, "SHA3-512", P11Digest, + m(CKM_SHA3_512));
d(MAC, "HmacMD5", P11MAC, m(CKM_MD5_HMAC)); -@@ -574,7 +586,18 @@ public final class SunPKCS11 extends AuthProvider { - d(MAC, "HmacSHA512/256", P11MAC, - s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"), +@@ -563,7 +571,14 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_SHA512_224_HMAC)); + dA(MAC, "HmacSHA512/256", P11MAC, m(CKM_SHA512_256_HMAC)); - -+ d(MAC, "HmacSHA3-224", P11MAC, -+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"), ++ dA(MAC, "HmacSHA3-224", P11MAC, + m(CKM_SHA3_224_HMAC)); -+ d(MAC, "HmacSHA3-256", P11MAC, -+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"), ++ dA(MAC, "HmacSHA3-256", P11MAC, + m(CKM_SHA3_256_HMAC)); -+ d(MAC, "HmacSHA3-384", P11MAC, -+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"), ++ dA(MAC, "HmacSHA3-384", P11MAC, + m(CKM_SHA3_384_HMAC)); -+ d(MAC, "HmacSHA3-512", P11MAC, -+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"), ++ dA(MAC, "HmacSHA3-512", P11MAC, + m(CKM_SHA3_512_HMAC)); d(MAC, "SslMacMD5", P11MAC, m(CKM_SSL3_MD5_MAC)); d(MAC, "SslMacSHA1", P11MAC, -@@ -604,6 +627,41 @@ public final class SunPKCS11 extends AuthProvider { +@@ -595,6 +610,30 @@ public final class SunPKCS11 extends AuthProvider { m(CKM_BLOWFISH_KEY_GEN)); d(KG, "ChaCha20", P11KeyGenerator, m(CKM_CHACHA20_KEY_GEN)); + d(KG, "HmacMD5", P11KeyGenerator, // 1.3.6.1.5.5.8.1.1 + m(CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA1", P11KeyGenerator, -+ s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"), ++ dA(KG, "HmacSHA1", P11KeyGenerator, + m(CKM_SHA_1_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA224", P11KeyGenerator, -+ s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"), ++ dA(KG, "HmacSHA224", P11KeyGenerator, + m(CKM_SHA224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA256", P11KeyGenerator, -+ s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"), ++ dA(KG, "HmacSHA256", P11KeyGenerator, + m(CKM_SHA256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA384", 
P11KeyGenerator, -+ s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"), ++ dA(KG, "HmacSHA384", P11KeyGenerator, + m(CKM_SHA384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA512", P11KeyGenerator, -+ s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"), ++ dA(KG, "HmacSHA512", P11KeyGenerator, + m(CKM_SHA512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA512/224", P11KeyGenerator, -+ s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"), ++ dA(KG, "HmacSHA512/224", P11KeyGenerator, + m(CKM_SHA512_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA512/256", P11KeyGenerator, -+ s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"), ++ dA(KG, "HmacSHA512/256", P11KeyGenerator, + m(CKM_SHA512_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-224", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.13", "OID.2.16.840.1.101.3.4.2.13"), ++ dA(KG, "HmacSHA3-224", P11KeyGenerator, + m(CKM_SHA3_224_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-256", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.14", "OID.2.16.840.1.101.3.4.2.14"), ++ dA(KG, "HmacSHA3-256", P11KeyGenerator, + m(CKM_SHA3_256_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-384", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.15", "OID.2.16.840.1.101.3.4.2.15"), ++ dA(KG, "HmacSHA3-384", P11KeyGenerator, + m(CKM_SHA3_384_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN)); -+ d(KG, "HmacSHA3-512", P11KeyGenerator, -+ s("2.16.840.1.101.3.4.2.16", "OID.2.16.840.1.101.3.4.2.16"), ++ dA(KG, "HmacSHA3-512", P11KeyGenerator, + m(CKM_SHA3_512_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN));
// register (Secret)KeyFactories if there are any mechanisms // for a particular algorithm that we support -@@ -747,13 +805,40 @@ public final class SunPKCS11 extends AuthProvider { - d(SIG, "SHA512withDSA", P11Signature, - s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"), +@@ -725,37 +764,77 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_DSA_SHA384)); + dA(SIG, "SHA512withDSA", P11Signature, m(CKM_DSA_SHA512)); -+ d(SIG, "SHA3-224withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.5", "OID.2.16.840.1.101.3.4.3.5"), ++ dA(SIG, "SHA3-224withDSA", P11Signature, + m(CKM_DSA_SHA3_224)); -+ d(SIG, "SHA3-256withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.6", "OID.2.16.840.1.101.3.4.3.6"), ++ dA(SIG, "SHA3-256withDSA", P11Signature, + m(CKM_DSA_SHA3_256)); -+ d(SIG, "SHA3-384withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.7", "OID.2.16.840.1.101.3.4.3.7"), ++ dA(SIG, "SHA3-384withDSA", P11Signature, + m(CKM_DSA_SHA3_384)); -+ d(SIG, "SHA3-512withDSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.8", "OID.2.16.840.1.101.3.4.3.8"), ++ dA(SIG, "SHA3-512withDSA", P11Signature, + m(CKM_DSA_SHA3_512)); d(SIG, "RawDSAinP1363Format", P11Signature, - s("NONEwithDSAinP1363Format"), + List.of("NONEwithDSAinP1363Format"), m(CKM_DSA)); d(SIG, "DSAinP1363Format", P11Signature, - s("SHA1withDSAinP1363Format"), + List.of("SHA1withDSAinP1363Format"), m(CKM_DSA_SHA1, CKM_DSA)); - + d(SIG, "SHA224withDSAinP1363Format", P11Signature, 
@@ -1095,36 +1072,27 @@ index cf7cd19b689..7a8bcffb92c 100644 + m(CKM_DSA_SHA3_512)); d(SIG, "NONEwithECDSA", P11Signature, m(CKM_ECDSA)); - d(SIG, "SHA1withECDSA", P11Signature, -@@ -761,28 +846,49 @@ public final class SunPKCS11 extends AuthProvider { + dA(SIG, "SHA1withECDSA", P11Signature, m(CKM_ECDSA_SHA1, CKM_ECDSA)); - d(SIG, "SHA224withECDSA", P11Signature, - s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"), + dA(SIG, "SHA224withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA224, CKM_ECDSA)); - d(SIG, "SHA256withECDSA", P11Signature, - s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"), + dA(SIG, "SHA256withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA256, CKM_ECDSA)); - d(SIG, "SHA384withECDSA", P11Signature, - s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"), + dA(SIG, "SHA384withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA384, CKM_ECDSA)); - d(SIG, "SHA512withECDSA", P11Signature, - s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"), + dA(SIG, "SHA512withECDSA", P11Signature, - m(CKM_ECDSA)); + m(CKM_ECDSA_SHA512, CKM_ECDSA)); -+ d(SIG, "SHA3-224withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.9", "OID.1.2.840.10045.4.3.9"), ++ dA(SIG, "SHA3-224withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_224, CKM_ECDSA)); -+ d(SIG, "SHA3-256withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.10", "OID.1.2.840.10045.4.3.10"), ++ dA(SIG, "SHA3-256withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_256, CKM_ECDSA)); -+ d(SIG, "SHA3-384withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.11", "OID.1.2.840.10045.4.3.11"), ++ dA(SIG, "SHA3-384withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_384, CKM_ECDSA)); -+ d(SIG, "SHA3-512withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.12", "OID.1.2.840.10045.4.3.12"), ++ dA(SIG, "SHA3-512withECDSA", P11Signature, + m(CKM_ECDSA_SHA3_512, CKM_ECDSA)); d(SIG, "NONEwithECDSAinP1363Format", P11Signature, m(CKM_ECDSA)); 
@@ -1151,29 +1119,25 @@ index cf7cd19b689..7a8bcffb92c 100644 + d(SIG, "SHA3-512withECDSAinP1363Format", P11Signature, + m(CKM_ECDSA_SHA3_512, CKM_ECDSA)); + - d(SIG, "MD2withRSA", P11Signature, - s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"), + dA(SIG, "MD2withRSA", P11Signature, m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -@@ -805,6 +911,18 @@ public final class SunPKCS11 extends AuthProvider { - d(SIG, "SHA512withRSA", P11Signature, - s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), + dA(SIG, "MD5withRSA", P11Signature, +@@ -770,6 +849,14 @@ public final class SunPKCS11 extends AuthProvider { + m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); + dA(SIG, "SHA512withRSA", P11Signature, m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-224withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.13", "OID.2.16.840.1.101.3.4.3.13"), ++ dA(SIG, "SHA3-224withRSA", P11Signature, + m(CKM_SHA3_224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-256withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.14", "OID.2.16.840.1.101.3.4.3.14"), ++ dA(SIG, "SHA3-256withRSA", P11Signature, + m(CKM_SHA3_256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-384withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.15", "OID.2.16.840.1.101.3.4.3.15"), ++ dA(SIG, "SHA3-384withRSA", P11Signature, + m(CKM_SHA3_384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA3-512withRSA", P11Signature, -+ s("2.16.840.1.101.3.4.3.16", "OID.2.16.840.1.101.3.4.3.16"), ++ dA(SIG, "SHA3-512withRSA", P11Signature, + m(CKM_SHA3_512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "RSASSA-PSS", P11PSSSignature, - s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"), + dA(SIG, "RSASSA-PSS", P11PSSSignature, m(CKM_RSA_PKCS_PSS)); -@@ -818,6 +936,14 @@ public final class SunPKCS11 extends AuthProvider { + d(SIG, "SHA1withRSASSA-PSS", P11PSSSignature, +@@ -782,6 +869,14 @@ public final class SunPKCS11 extends AuthProvider { m(CKM_SHA384_RSA_PKCS_PSS)); 
d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature, m(CKM_SHA512_RSA_PKCS_PSS)); @@ -1189,7 +1153,7 @@ index cf7cd19b689..7a8bcffb92c 100644 d(KG, "SunTlsRsaPremasterSecret", "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator", diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java -index e077943bbc2..cb04b95304d 100644 +index e077943bbc..cb04b95304 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java @@ -1,5 +1,5 @@ @@ -1215,7 +1179,7 @@ index e077943bbc2..cb04b95304d 100644
diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java new file mode 100644 -index 00000000000..d6707028d96 +index 0000000000..d6707028d9 --- /dev/null +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/HmacDefKeySizeTest.java @@ -0,0 +1,84 @@ @@ -1304,7 +1268,7 @@ index 00000000000..d6707028d96 + } +} diff --git a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java -index b61d10beece..78b7d857e8e 100644 +index b61d10beec..78b7d857e8 100644 --- a/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java +++ b/test/jdk/sun/security/pkcs11/KeyGenerator/TestKeyGenerator.java @@ -23,7 +23,7 @@ @@ -1336,7 +1300,7 @@ index b61d10beece..78b7d857e8e 100644 test("ARCFOUR", 1024, p, TestResult.TBD); } else if (p.getName().equals("SunPKCS11-NSS")) { diff --git a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java -index 59af327c1f2..64c42a6dd06 100644 +index 59af327c1f..64c42a6dd0 100644 --- a/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java +++ b/test/jdk/sun/security/pkcs11/Mac/MacSameTest.java @@ -23,7 +23,7 @@ @@ -1421,7 +1385,7 @@ index 59af327c1f2..64c42a6dd06 100644
mac.reset(); diff --git a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java -index 5cad8859840..7e045232e3a 100644 +index 5cad885984..7e045232e3 100644 --- a/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java +++ b/test/jdk/sun/security/pkcs11/Mac/ReinitMac.java @@ -1,5 +1,5 @@ @@ -1514,7 +1478,7 @@ index 5cad8859840..7e045232e3a 100644 } } diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java -index 7ced00630cc..a7a72e8ea3d 100644 +index 7ced00630c..a7a72e8ea3 100644 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java @@ -1,5 +1,5 @@ @@ -1574,7 +1538,7 @@ index 7ced00630cc..a7a72e8ea3d 100644 byte[] d1 = md.digest(data);
diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java -index ea7909bc397..268f698276b 100644 +index ea7909bc39..268f698276 100644 --- a/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java +++ b/test/jdk/sun/security/pkcs11/MessageDigest/ReinitDigest.java @@ -1,5 +1,5 @@ @@ -1655,7 +1619,7 @@ index ea7909bc397..268f698276b 100644
private static void check(byte[] d1, byte[] d2) throws Exception { diff --git a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java -index b931c8564b2..ace601c7233 100644 +index b931c8564b..ace601c723 100644 --- a/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java +++ b/test/jdk/sun/security/pkcs11/MessageDigest/TestCloning.java @@ -1,5 +1,5 @@ @@ -1744,7 +1708,7 @@ index b931c8564b2..ace601c7233 100644 MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
diff --git a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java -index 26eeacffed9..f5de994779c 100644 +index 26eeacffed..f5de994779 100644 --- a/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java +++ b/test/jdk/sun/security/pkcs11/Signature/ByteBuffers.java @@ -23,7 +23,7 @@ @@ -1770,7 +1734,7 @@ index 26eeacffed9..f5de994779c 100644 sig.update(t); byte[] signature = sig.sign(); diff --git a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java -index ccd66599fb0..a2fa7294977 100644 +index ccd66599fb..a2fa729497 100644 --- a/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java @@ -1,5 +1,5 @@ @@ -1816,7 +1780,7 @@ index ccd66599fb0..a2fa7294977 100644 PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), 32, diff --git a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java -index 2e4fedbf1d5..f1c0492b5fc 100644 +index 2e4fedbf1d..f1c0492b5f 100644 --- a/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java @@ -1,5 +1,5 @@ @@ -1910,7 +1874,7 @@ index 2e4fedbf1d5..f1c0492b5fc 100644 System.out.println("test#4: pass"); } diff --git a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java -index 42ca7fa203d..8c132ca7e4f 100644 +index 42ca7fa203..8c132ca7e4 100644 --- a/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java +++ b/test/jdk/sun/security/pkcs11/Signature/ReinitSignature.java @@ -23,312 +23,13 @@ @@ -2242,7 +2206,7 @@ index 42ca7fa203d..8c132ca7e4f 100644 new Random().nextBytes(data); sig.initSign(privateKey); 
diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java -index 3c3edb5aa6a..11147022771 100644 +index 3c3edb5aa6..1114702277 100644 --- a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java @@ -1,5 +1,5 @@ @@ -2263,7 +2227,7 @@ index 3c3edb5aa6a..11147022771 100644 * @library /test/lib .. diff --git a/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java new file mode 100644 -index 00000000000..b8ea9863327 +index 0000000000..b8ea986332 --- /dev/null +++ b/test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java @@ -0,0 +1,98 @@ @@ -2366,7 +2330,7 @@ index 00000000000..b8ea9863327 + } +} diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java -index 3a6dbe345e9..4c1f7284bbc 100644 +index 3a6dbe345e..4c1f7284bb 100644 --- a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java @@ -1,5 +1,5 @@ @@ -2424,7 +2388,7 @@ index 3a6dbe345e9..4c1f7284bbc 100644 hash, "MGF1", new MGF1ParameterSpec(mgfHash), 0, 1); diff --git a/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java new file mode 100644 -index 00000000000..516b17972e5 +index 0000000000..516b17972e --- /dev/null +++ b/test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS2.java @@ -0,0 +1,140 @@ @@ -2569,7 +2533,7 @@ index 00000000000..516b17972e5 + } +} diff --git a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java -index 222f8a2a5ed..3161de6fc50 100644 +index 222f8a2a5e..3161de6fc5 100644 --- a/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java +++ b/test/jdk/sun/security/pkcs11/Signature/TestDSA2.java @@ -1,5 +1,5 @@ 
@@ -2664,7 +2628,7 @@ index 222f8a2a5ed..3161de6fc50 100644 } } diff --git a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java -index f469ca17b65..7e5a012a5ec 100644 +index f469ca17b6..7e5a012a5e 100644 --- a/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java +++ b/test/jdk/sun/security/pkcs11/Signature/TestRSAKeyLength.java @@ -22,8 +22,8 @@ @@ -2697,7 +2661,7 @@ index f469ca17b65..7e5a012a5ec 100644 kpg.initialize(512); KeyPair kp = kpg.generateKeyPair(); diff --git a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt -index 49778ea954c..576b1dc4d69 100644 +index 49778ea954..576b1dc4d6 100644 --- a/test/jdk/sun/security/pkcs11/nss/p11-nss.txt +++ b/test/jdk/sun/security/pkcs11/nss/p11-nss.txt @@ -11,12 +11,23 @@ library = ${pkcs11test.nss.lib} diff --git a/jdk8271148-external_doesnt_produce_debuginfo.patch b/jdk8271148-external_doesnt_produce_debuginfo.patch deleted file mode 100644 index 7eed447..0000000 --- a/jdk8271148-external_doesnt_produce_debuginfo.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From e2d6aaa1a809c0d49d599812440777549fc36ea4 Mon Sep 17 00:00:00 2001 -From: Severin Gehwolf sgehwolf@redhat.com -Date: Thu, 22 Jul 2021 18:30:22 +0200 -Subject: [PATCH] Backport JDK-8271148 - ---- - make/common/NativeCompilation.gmk | 9 --------- - 1 file changed, 9 deletions(-) - -diff --git a/make/common/NativeCompilation.gmk b/make/common/NativeCompilation.gmk -index 490a7f4c7fb..2e3b5dd5eca 100644 ---- a/make/common/NativeCompilation.gmk -+++ b/make/common/NativeCompilation.gmk -@@ -544,15 +544,6 @@ define SetupNativeCompilationBody - # jmods. - $1_OBJECT_DIR := $$($1_OBJECT_DIR)/static - $1_OUTPUT_DIR := $$($1_OBJECT_DIR) -- # For release builds where debug symbols are configured to be moved to -- # separate debuginfo files, disable debug symbols for static libs instead. -- # We don't currently support this configuration and we don't want symbol -- # information in release builds unless explicitly asked to provide it. -- ifeq ($(DEBUG_LEVEL), release) -- ifeq ($(COPY_DEBUG_SYMBOLS), true) -- $1_COMPILE_WITH_DEBUG_SYMBOLS := false -- endif -- endif - endif - - ifeq ($$($1_TYPE), EXECUTABLE) --- -2.31.1 - diff --git a/jdk8312489-max_sig_default_increase.patch b/jdk8312489-max_sig_default_increase.patch new file mode 100644 index 0000000..e0c4eeb --- /dev/null +++ b/jdk8312489-max_sig_default_increase.patch 
@@ -0,0 +1,50 @@ +commit 50074a04e62f91faa080b831d9ce343396ead252 +Author: Andrew John Hughes andrew@openjdk.org +Date: Tue Sep 5 20:48:42 2023 +0000 + + 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar + + Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750 + +diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java +index cb7e308e0d..cce897c0d3 100644 +--- a/src/java.base/share/classes/java/util/jar/JarFile.java ++++ b/src/java.base/share/classes/java/util/jar/JarFile.java +@@ -809,7 +809,9 @@ class JarFile extends ZipFile { + throw new IOException("Unsupported size: " + uncompressedSize + + " for JarEntry " + ze.getName() + + ". Allowed max size: " + +- SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes"); ++ SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " + ++ "You can use the jdk.jar.maxSignatureFileSize " + ++ "system property to increase the default value."); + } + int len = (int)uncompressedSize; + int bytesRead; +diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java +index cb477fc134..a766b8249f 100644 +--- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java ++++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java +@@ -852,16 +852,16 @@ public class SignatureFileVerifier { + * the maximum allowed number of bytes for the signature-related files + * in a JAR file. 
+ */ +- Integer tmp = GetIntegerAction.privilegedGetProperty( +- "jdk.jar.maxSignatureFileSize", 8000000); ++ int tmp = GetIntegerAction.privilegedGetProperty( ++ "jdk.jar.maxSignatureFileSize", 16000000); + if (tmp < 0 || tmp > MAX_ARRAY_SIZE) { + if (debug != null) { +- debug.println("Default signature file size 8000000 bytes " + +- "is used as the specified size for the " + +- "jdk.jar.maxSignatureFileSize system property " + ++ debug.println("The default signature file size of 16000000 bytes " + ++ "will be used for the jdk.jar.maxSignatureFileSize " + ++ "system property since the specified value " + + "is out of range: " + tmp); + } +- tmp = 8000000; ++ tmp = 16000000; + } + return tmp; + } diff --git a/openjdk_news.sh b/openjdk_news.sh index 560b356..386aa53 100755 --- a/openjdk_news.sh +++ b/openjdk_news.sh @@ -18,8 +18,8 @@
OLD_RELEASE=$1 NEW_RELEASE=$2 -SUBDIR=$3 -REPO=$4 +REPO=$3 +SUBDIR=$4 SCRIPT_DIR=$(dirname ${0})
if test "x${SUBDIR}" = "x"; then diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh index ee02f60..25c2fc8 100644 --- a/remove-intree-libraries.sh +++ b/remove-intree-libraries.sh @@ -162,5 +162,3 @@ rm -vf ${LCMS_SRC}/cmsxform.c rm -vf ${LCMS_SRC}/lcms2.h rm -vf ${LCMS_SRC}/lcms2_internal.h rm -vf ${LCMS_SRC}/lcms2_plugin.h - - diff --git a/sources b/sources index b289e5b..7c58d0e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openjdk-jdk11u-jdk-11.0.20+8.tar.xz) = c518d6c58d2644a34406d7867befe05457b81841e1ff376eb5f80e6b92f9799f921668b133c59008cbb6aa47f7ec9618de14f6848f827c3cbe1b630e000f9105 +SHA512 (openjdk-jdk11u-jdk-11.0.21+9.tar.xz) = 7435bd1b6196f965985fee1aed06eebb97e89fe90d3bd846ffe9cf8451e1d0c7bdedcba373e0d128f9c74fcaf111ddab030efcb032e88f9306a81569aba29ace diff --git a/update_package.sh b/update_package.sh index 9831993..09d9504 100644 --- a/update_package.sh +++ b/update_package.sh 
@@ -1,42 +1 @@ -#!/bin/bash -x -# this file contains defaults for currently generated source tarballs - -set -e - -# OpenJDK from Shenandoah project -export PROJECT_NAME="shenandoah" -export REPO_NAME="jdk11" -# warning, clonning without shenadnaoh prefix, you will clone pure jdk - thus without shenandaoh GC -export VERSION="shenandoah-jdk-11.0.3+7" -export COMPRESSION=xz -# unset tapsets overrides -export OPENJDK_URL="" -export TO_COMPRESS="" -# warning, filename and filenameroot creation is duplicated here from generate_source_tarball.sh -export FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION} -FILENAME=${FILE_NAME_ROOT}.tar.${COMPRESSION} - -if [ ! -f ${FILENAME} ] ; then -echo "Generating ${FILENAME}" - sh ./generate_source_tarball.sh -else - echo "exists exists exists exists exists exists exists " - echo "reusing reusing reusing reusing reusing reusing " - echo ${FILENAME} -fi - -set +e - -major=`echo $REPO_NAME | sed 's/[a-zA-Z]*//g'` -build=`echo $VERSION | sed 's/.*+//g'` -name_helper=`echo $FILENAME | sed s/$major/'%{majorver}'/g ` -name_helper=`echo $name_helper | sed s/$build/'%{buildver}'/g ` -echo "align specfile acordingly:" -echo " sed 's/^Source0:.*/Source0: $name_helper/' -i *.spec" -echo " sed 's/^Source8:.*/Source8: $TAPSET/' -i *.spec" -echo " sed 's/^%global buildver.*/%global buildver $build/' -i *.spec" -echo " sed 's/Release:.*/Release: 1%{?dist}/' -i *.spec" -echo "and maybe others...." -echo "you should fedpkg/rhpkg new-sources $TAPSET $FILENAME" -echo "you should fedpkg/rhpkg prep --arch XXXX on all architectures: x86_64 i386 i586 i686 ppc ppc64 ppc64le s390 s390x aarch64 armv7hl" - +# this file is intentionally not use din portables, use tarball from main rpms
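Review bot: The hunk that deletes the patch file headed `[PATCH] Backport JDK-8271148` gives no reason for dropping it. That backport removed the `ifeq ($(DEBUG_LEVEL), release)` / `ifeq ($(COPY_DEBUG_SYMBOLS), true)` block that sets `$1_COMPILE_WITH_DEBUG_SYMBOLS := false` for static libs. If the new source tarball still carries that block in `make/common/NativeCompilation.gmk`, release builds will go back to compiling static libraries without debug symbols. Please state in the commit message or changelog whether the fix is now part of the imported sources.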
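Review bot: In the `JarFile.java` hunk of `jdk8312489-max_sig_default_increase.patch`, the added hint "to increase the default value" is imprecise and gives no accepted range. The property sets the allowed maximum for signature-related files rather than a default. The companion `SignatureFileVerifier.java` hunk replaces any value with `tmp < 0 || tmp > MAX_ARRAY_SIZE` by the built-in limit and reports that only through `debug.println`. Someone who follows the hint with an out-of-range value will therefore see the same `Unsupported size` exception with no explanation. Consider wording it as "to raise the allowed maximum" and naming the upper bound.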
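Review bot: In the `SignatureFileVerifier.java` hunk the literal `16000000` now appears three times: as the default passed to `privilegedGetProperty`, inside the debug string, and in the fallback assignment `tmp = 16000000;`. The previous value had the same triplication, which is why all three had to be edited here. A single named constant used in all three places would keep the message and the effective limit from drifting apart on the next change. Since this limit bounds how many bytes are read for each signature-related file in a JAR, the commit message should also note that the worst-case read for such a file doubles with the new default.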
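Review bot: The `openjdk_news.sh` hunk swaps the meaning of the third and fourth positional arguments (`REPO=$3`, `SUBDIR=$4`) without any guard, so an existing caller using the old order will run with the two values exchanged and no error. The only visible handling is the `if test "x${SUBDIR}" = "x"` default that follows. Please update the script's usage comment in the same change and check any callers in this repository, or fail early when `${REPO}` does not look like a repository path.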
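Review bot: The `sources` hunk replaces the SHA512 for the source tarball with the digest for `openjdk-jdk11u-jdk-11.0.21+9.tar.xz`, but nothing in the change records where that tarball was produced. As `update_package.sh` in this same change now says to use the tarball from main rpms, please state in the commit message that the digest was taken from, or checked against, the main package's `sources` entry for the same file name.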
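Review bot: The single line that replaces the body of `update_package.sh` has a typo, "not use din portables", which should read "not used in portables". The hunk also drops the shebang and `set -e`, leaving a comment-only file. If the script is intentionally unused here, deleting it and removing any reference to it would be clearer than keeping a stub that can still be invoked and silently do nothing.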
arch-excludes@lists.fedoraproject.org