import java-1.8.0-openjdk-1.8.0.362.b08-3.el8

This commit is contained in:
CentOS Sources 2023-03-28 11:06:10 +00:00 committed by Stepan Oksanichenko
parent 30e53b70b2
commit 1f775fe62e
10 changed files with 791 additions and 317 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz

View File

@ -1,2 +1,2 @@
d02d3af23d61532c9695fb83f73126ab0b82f5d1 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u345-b01-4curve.tar.xz 71e5a111b66d7a8e4234d35117e0fd663d39f9ce SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

View File

@ -3,6 +3,359 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 8u362 (2023-01-17):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u362
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u362.html
* CVEs
- CVE-2023-21830
- CVE-2023-21843
* Security fixes
- JDK-8285021: Improve CORBA communication
- JDK-8286496: Improve Thread labels
- JDK-8288516: Enhance font creation
- JDK-8289350: Better media supports
- JDK-8293554: Enhanced DH Key Exchanges
- JDK-8293598: Enhance InetAddress address handling
- JDK-8293717: Objective view of ObjectView
- JDK-8293734: Improve BMP image handling
- JDK-8293742: Better Banking of Sounds
- JDK-8295687: Better BMP bounds
* Other changes
- JDK-6885993: Named Thread: introduce print() and print_on(outputStream* st) methods
- JDK-7124218: [TEST_BUG] [macosx] Space should select cell in the JTable
- JDK-8054066: com/sun/jdi/DoubleAgentTest.java fails with timeout
- JDK-8067941: [TESTBUG] Fix tests for OS with 64K page size.
- JDK-8071530: Update OS detection code to reflect Windows 10 version change
- JDK-8073464: GC workers do not have thread names
- JDK-8079255: [TEST_BUG] [macosx] Test closed/java/awt/Robot/RobotWheelTest/RobotWheelTest fails for Mac only
- JDK-8129827: [TEST_BUG] Test java/awt/Robot/RobotWheelTest/RobotWheelTest.java fails
- JDK-8148005: One byte may be corrupted by get_datetime_string()
- JDK-8159599: [TEST_BUG] java/awt/Modal/ModalInternalFrameTest/ModalInternalFrameTest.java
- JDK-8159720: Failure of C2 compilation with tiered prevents some C1 compilations
- JDK-8195607: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
- JDK-8197859: VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp
- JDK-8206456: [TESTBUG] docker jtreg tests fail on systems without cpuset.effective_cpus / cpuset.effective_mems
- JDK-8221529: [TESTBUG] Docker tests use old/deprecated image on AArch64
- JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137
- JDK-8233551: [TESTBUG] SelectEditTableCell.java fails on MacOS
- JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows
- JDK-8253702: BigSur version number reported as 10.16, should be 11.nn
- JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
- JDK-8265527: tools/javac/diags/CheckExamples.java fails after JDK-8078024 8u backport
- JDK-8269039: Disable SHA-1 Signed JARs
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
- JDK-8270344: Session resumption errors
- JDK-8271459: C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
- JDK-8273176: handle latest VS2019 in abstract_vm_version
- JDK-8274563: jfr/event/oldobject/TestClassLoaderLeak.java fails when GC cycles are not happening
- JDK-8274840: Update OS detection code to recognize Windows 11
- JDK-8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
- JDK-8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR
- JDK-8283277: ISO 4217 Amendment 171 Update
- JDK-8283903: GetContainerCpuLoad does not return the correct result in share mode
- JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer
- JDK-8284622: Update versions of some Github Actions used in JDK workflow
- JDK-8286582: Build fails on macos aarch64 when using --with-zlib=bundled
- JDK-8288928: Incorrect GPL header in pnglibconf.h (backport of JDK-8185041)
- JDK-8289549: ISO 4217 Amendment 172 Update
- JDK-8292762: Remove .jcheck directories from jdk8u subcomponents
- JDK-8293181: Bump update version of OpenJDK: 8u362
- JDK-8293461: Add a test for JDK-8290832
- JDK-8293828: JFR: jfr/event/oldobject/TestClassLoaderLeak.java still fails when GC cycles are not happening
- JDK-8294307: ISO 4217 Amendment 173 Update
- JDK-8294357: (tz) Update Timezone Data to 2022d
- JDK-8294863: Enable partial tier1 testing in GHA for JDK8
- JDK-8295164: JDK 8 jdi tests should not use tasklist command on Windows
- JDK-8295173: (tz) Update Timezone Data to 2022e
- JDK-8295288: Some vm_flags tests associate with a wrong BugID
- JDK-8295714: GHA ::set-output is deprecated and will be removed
- JDK-8295723: security/infra/wycheproof/RunWycheproof.java fails with Assertion Error
- JDK-8295915: Problemlist compiler/rtm failures specific to 8u
- JDK-8295950: Enable langtools/tier1 in GHA for 8u
- JDK-8296108: (tz) Update Timezone Data to 2022f
- JDK-8296239: ISO 4217 Amendment 174 Update
- JDK-8296555: Enable hotspot/tier1 for 64-bit builds in GHA for 8u
- JDK-8296715: CLDR v42 update for tzdata 2022f
- JDK-8296959: Fix hotspot shell tests of 8u on multilib systems
- JDK-8297141: Fix hotspot/test/runtime/SharedArchiveFile/DefaultUseWithClient.java for 8u
- JDK-8297804: (tz) Update Timezone Data to 2022g
- JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
- JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
Notes on individual issues:
===========================
client-libs/javax.imageio:
JDK-8295687: Better BMP bounds
==============================
Loading a linked ICC profile within a BMP image is now disabled by
default. To re-enable it, set the new system property
`sun.imageio.bmp.enabledLinkedProfiles` to `true`. This new property
replaces the old property,
`sun.imageio.plugins.bmp.disableLinkedProfiles`.
client-libs/javax.sound:
JDK-8293742: Better Banking of Sounds
=====================================
Previously, the SoundbankReader implementation,
`com.sun.media.sound.JARSoundbankReader`, would download a JAR
soundbank from a URL. This behaviour is now disabled by default. To
re-enable it, set the new system property `jdk.sound.jarsoundbank` to
`true`.
hotspot/runtime:
JDK-8274840: Release Now Recognises Windows 11
==============================================
This release now correctly sets the `os.name` property to `Windows
11`, as would be expected.
other-libs/corba:idl:
JDK-8285021: Improve CORBA communication
========================================
The JDK's CORBA implementation now refuses by default to deserialize
objects, unless they have the "IOR:" prefix. The previous behaviour
can be re-enabled by setting the new property
`com.sun.CORBA.ORBAllowDeserializeObject` to `true`.
security-libs/java.security:
JDK-8269039: Disabled SHA-1 Signed JARs
=======================================
JARs signed with SHA-1 algorithms are now restricted by default and
treated as if they were unsigned. This applies to the algorithms used
to digest, sign, and optionally timestamp the JAR. It also applies to
the signature and digest algorithms of the certificates in the
certificate chain of the code signer and the Timestamp Authority, and
any CRLs or OCSP responses that are used to verify if those
certificates have been revoked. These restrictions also apply to
signed JCE providers.
To reduce the compatibility risk for JARs that have been previously
timestamped, there is one exception to this policy:
- Any JAR signed with SHA-1 algorithms and timestamped prior to
January 01, 2019 will not be restricted.
This exception may be removed in a future JDK release. To determine if
your signed JARs are affected by this change, run:
$ jarsigner -verify -verbose -certs`
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and
"disabled" and a warning that the JAR will be treated as unsigned in
the output.
For example:
Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or
re-signed with stronger algorithms.
Users can, *at their own risk*, remove these restrictions by modifying
the `java.security` configuration file (or override it by using the
`java.security.properties` system property) and removing "SHA1 usage
SignedJAR & denyAfter 2019-01-01" from the
`jdk.certpath.disabledAlgorithms` security property and "SHA1
denyAfter 2019-01-01" from the `jdk.jar.disabledAlgorithms` security
property.
New in release OpenJDK 8u352 (2022-10-18):
===========================================
Live versions of these release notes can be found at:
* https://bit.ly/openjdk8u352
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u352.txt
* Security fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526, CVE-2022-21619: Improve NTLM support
- JDK-8286533, CVE-2022-21626: Key X509 usages
- JDK-8286910, CVE-2022-21624: Improve JNDI lookups
- JDK-8286918, CVE-2022-21628: Better HttpServer service
- JDK-8288508: Enhance ECDSA usage
* Other changes
- JDK-7131823: bug in GIFImageReader
- JDK-7186258: InetAddress$Cache should replace currentTimeMillis with nanoTime for more precise and accurate
- JDK-8028265: Add legacy tz tests to OpenJDK
- JDK-8039955: [TESTBUG] jdk/lambda/LambdaTranslationTest1 - java.lang.AssertionError: expected [d:1234.000000] but found [d:1234,000000]
- JDK-8049228: Improve multithreaded scalability of InetAddress cache
- JDK-8071507: (ref) Clear phantom reference as soft and weak references do
- JDK-8087283: Add support for the XML Signature here() function to the JDK XPath implementation
- JDK-8130895: Test javax/swing/system/6799345/TestShutdown.java fails on Solaris11 Sparcv9
- JDK-8136354: [TEST_BUG] Test java/awt/image/RescaleOp/RescaleAlphaTest.java with Bad action for script
- JDK-8139668: Generate README-build.html from markdown
- JDK-8143847: Remove REF_CLEANER reference category
- JDK-8147862: Null check too late in sun.net.httpserver.ServerImpl
- JDK-8150669: C1 intrinsic for Class.isPrimitive
- JDK-8155742: [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
- JDK-8173339: AArch64: Fix minimum stack size computations
- JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
- JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
- JDK-8178832: (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
- JDK-8183107: PKCS11 regression regarding checkKeySize
- JDK-8193780: (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
- JDK-8194873: right ALT key hotkeys no longer work in Swing components
- JDK-8201793: (ref) Reference object should not support cloning
- JDK-8214427: probable bug in logic of ConcurrentHashMap.addCount()
- JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
- JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
- JDK-8235218: Minimal VM is broken after JDK-8173361
- JDK-8235385: Crash on aarch64 JDK due to long offset
- JDK-8245263: Enable TLSv1.3 by default on JDK 8u for Client roles
- JDK-8254178: Remove .hgignore
- JDK-8254318: Remove .hgtags
- JDK-8256722: handle VC++:1927 VS2019 in abstract_vm_version
- JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
- JDK-8280963: Incorrect PrintFlags formatting on Windows
- JDK-8282538: PKCS11 tests fail on CentOS Stream 9
- JDK-8283849: AsyncGetCallTrace may crash JVM on guarantee
- JDK-8285400: Add '@apiNote' to the APIs defined in Java SE 8 MR 3
- JDK-8285497: Add system property for Java SE specification maintenance version
- JDK-8287132: Retire Runtime.runFinalizersOnExit so that it always throws UOE
- JDK-8287508: The tests added to jdk-8 by 8235385 are to be ported to jdk-11
- JDK-8287521: Bump update version of OpenJDK: 8u352
- JDK-8288763: Pack200 extraction failure with invalid size
- JDK-8288865: [aarch64] LDR instructions must use legitimized addresses
- JDK-8290000: Bump macOS GitHub actions to macOS 11
- JDK-8292579: (tz) Update Timezone Data to 2022c
- JDK-8292688: Support Security properties in security.testlibrary.Proc
Notes on individual issues:
===========================
core-libs/java.lang:
JDK-8201793: (ref) Reference object should not support cloning
==============================================================
`java.lang.ref.Reference::clone` method always throws
`CloneNotSupportedException`. `Reference` objects cannot be
meaningfully cloned. To create a new Reference object, call the
constructor to create a `Reference` object with the same referent and
reference queue instead.
JDK-8175797: (ref) Reference::enqueue method should clear the reference object before enqueuing
===============================================================================================
`java.lang.ref.Reference.enqueue` method clears the reference object
before it is added to the registered queue. When the `enqueue` method
is called, the reference object is cleared and `get()` method will
return null in OpenJDK 8u352.
Typically when a reference object is enqueued, it is expected that the
reference object is cleared explicitly via the `clear` method to avoid
memory leak because its referent is no longer referenced. In other
words the `get` method is expected not to be called in common cases
once the `enqueue`method is called. In the case when the `get` method
from an enqueued reference object and existing code attempts to access
members of the referent, `NullPointerException` may be thrown. Such
code will need to be updated.
JDK-8071507: (ref) Clear phantom reference as soft and weak references do
=========================================================================
This enhancement changes phantom references to be automatically
cleared by the garbage collector as soft and weak references.
An object becomes phantom reachable after it has been finalized. This
change may cause the phantom reachable objects to be GC'ed earlier -
previously the referent is kept alive until PhantomReference objects
are GC'ed or cleared by the application. This potential behavioral
change might only impact existing code that would depend on
PhantomReference being enqueued rather than when the referent be freed
from the heap.
core-libs/java.net:
JDK-8286918: Better HttpServer service
======================================
The HttpServer can be optionally configured with a maximum connection
limit by setting the jdk.httpserver.maxConnections system property. A
value of 0 or a negative integer is ignored and considered to
represent no connection limit. In the case of a positive integer
value, any newly accepted connections will be first checked against
the current count of established connections and, if the configured
limit has been reached, then the newly accepted connection will be
closed immediately.
core-libs/java.net:
JDK-8286918: Better HttpServer service
======================================
The HttpServer can be optionally configured with a maximum connection
limit by setting the jdk.httpserver.maxConnections system property. A
value of 0 or a negative integer is ignored and considered to
represent no connection limit. In the case of a positive integer
value, any newly accepted connections will be first checked against
the current count of established connections and, if the configured
limit has been reached, then the newly accepted connection will be
closed immediately.
security-libs/javax.net.ssl:
JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
================================================================
The TLSv1.3 implementation is now enabled by default for client roles
in 8u352. It has been enabled by default for server roles since 8u272.
Note that TLS 1.3 is not directly compatible with previous
versions. Enabling it on the client may introduce compatibility issues
on either the server or the client side. Here are some more details on
potential compatibility issues that you should be aware of:
* TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions
use a duplex-close policy. For applications that depend on the
duplex-close policy, there may be compatibility issues when
upgrading to TLS 1.3.
* The signature_algorithms_cert extension requires that pre-defined
signature algorithms are used for certificate authentication. In
practice, however, an application may use non-supported signature
algorithms.
* The DSA signature algorithm is not supported in TLS 1.3. If a server
is configured to only use DSA certificates, it cannot upgrade to TLS
1.3.
* The supported cipher suites for TLS 1.3 are not the same as TLS 1.2
and prior versions. If an application hard-codes cipher suites which
are no longer supported, it may not be able to use TLS 1.3 without
modifying the application code.
* The TLS 1.3 session resumption and key update behaviors are
different from TLS 1.2 and prior versions. The compatibility should
be minimal, but it could be a risk if an application depends on the
handshake details of the TLS protocols.
The TLS 1.3 protocol can be disabled by using the jdk.tls.client.protocols
system property:
java -Djdk.tls.client.protocols="TLSv1.2" ...
Alternatively, an application can explicitly set the enabled protocols
with the javax.net.ssl APIs e.g.
sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
or:
SSLParameters params = sslSocket.getSSLParameters();
params.setProtocols(new String[] {"TLSv1.2"});
sslSocket.setSSLParameters(params);
New in release OpenJDK 8u345 (2022-08-01): New in release OpenJDK 8u345 (2022-08-01):
=========================================== ===========================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:
@ -32,7 +385,7 @@ versions of OpenJDK 8. As a result, we have reverted this change in
New in release OpenJDK 8u342 (2022-07-19): New in release OpenJDK 8u342 (2022-07-19):
=========================================== ===========================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:
* https://bitly.com/openjdk8u342 * https://bit.ly/openjdk8u342
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u342.txt
* Security fixes * Security fixes
@ -212,7 +565,7 @@ Live versions of these release notes can be found at:
New in release OpenJDK 8u322 (2022-01-18): New in release OpenJDK 8u322 (2022-01-18):
=========================================== ===========================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:
* https://bitly.com/openjdk8u322 * https://bit.ly/openjdk8u322
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u322.txt
* Security fixes * Security fixes

View File

@ -1,3 +1,20 @@
/* TestSecurityProperties -- Ensure system security properties can be used to
enable the crypto policies.
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.security.Security; import java.security.Security;

View File

@ -0,0 +1,160 @@
/* TestTranslations -- Ensure translations are available for new timezones
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.text.DateFormatSymbols;
import java.time.ZoneId;
import java.time.format.TextStyle;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Locale;
import java.util.Objects;
import java.util.TimeZone;
public class TestTranslations {
private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
static {
Map<Locale,String[]> map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Eastern European Time", "GMT+02:00", "EET",
"Eastern European Summer Time", "GMT+03:00", "EEST",
"Eastern European Time", "GMT+02:00", "EET"});
map.put(Locale.FRANCE, new String[] { "Heure d'Europe de l'Est", "UTC+02:00", "EET",
"Heure d'\u00e9t\u00e9 d'Europe de l'Est", "UTC+03:00", "EEST",
"Heure d'Europe de l'Est", "UTC+02:00", "EET"});
map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Zeit", "OEZ", "OEZ",
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
KYIV = Collections.unmodifiableMap(map);
map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
"Mountain Daylight Time", "MDT", "MDT",
"Mountain Time", "MT", "MT"});
map.put(Locale.FRANCE, new String[] { "Heure normale des Rocheuses", "UTC\u221207:00", "MST",
"Heure avanc\u00e9e des Rocheuses", "UTC\u221206:00", "MDT",
"Rocheuses", "UTC\u221207:00", "MT"});
map.put(Locale.GERMANY, new String[] { "Rocky Mountains Normalzeit", "GMT-07:00", "MST",
"Rocky Mountains Sommerzeit", "GMT-06:00", "MDT",
"Zeitzone Mountain", "GMT-07:00", "MT"});
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
}
public static void main(String[] args) {
if (args.length < 1) {
System.err.println("Test must be started with the name of the locale provider.");
System.exit(1);
}
System.out.println("Checking sanity of full zone string set...");
boolean invalid = Arrays.stream(Locale.getAvailableLocales())
.peek(l -> System.out.println("Locale: " + l))
.map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
.flatMap(zs -> Arrays.stream(zs))
.flatMap(names -> Arrays.stream(names))
.filter(name -> Objects.isNull(name) || name.isEmpty())
.findAny()
.isPresent();
if (invalid) {
System.err.println("Zone string for a locale returned null or empty string");
System.exit(2);
}
String localeProvider = args[0];
testZone(localeProvider, KYIV,
new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
testZone(localeProvider, CIUDAD_JUAREZ,
new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
}
private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
for (Locale l : exp.keySet()) {
String[] expected = exp.get(l);
System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
for (String id : ids) {
String expectedShortStd = null;
String expectedShortDST = null;
String expectedShortGen = null;
System.out.printf("Checking locale %s for %s...\n", l, id);
if ("JRE".equals(localeProvider)) {
expectedShortStd = expected[2];
expectedShortDST = expected[5];
expectedShortGen = expected[8];
} else if ("CLDR".equals(localeProvider)) {
expectedShortStd = expected[1];
expectedShortDST = expected[4];
expectedShortGen = expected[7];
} else {
System.err.printf("Invalid locale provider %s\n", localeProvider);
System.exit(3);
}
System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
if (!expected[0].equals(longStd)) {
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
id, l, longStd, expected[0]);
System.exit(4);
}
if (!expectedShortStd.equals(shortStd)) {
System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
id, l, shortStd, expectedShortStd);
System.exit(5);
}
if (!expected[3].equals(longDST)) {
System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
id, l, longDST, expected[3]);
System.exit(6);
}
if (!expectedShortDST.equals(shortDST)) {
System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
id, l, shortDST, expectedShortDST);
System.exit(7);
}
if (!expected[6].equals(longGen)) {
System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
id, l, longGen, expected[6]);
System.exit(8);
}
if (!expectedShortGen.equals(shortGen)) {
System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
id, l, shortGen, expectedShortGen);
System.exit(9);
}
}
}
}
}

View File

@ -11,7 +11,7 @@ index 151e5a109f8..a8761b500e0 100644
LIB_SETUP_ON_WINDOWS LIB_SETUP_ON_WINDOWS
diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
index e77ce854dc5..ec6e9b27ca5 100644 index 71fabf4dbb3..17f4f50673d 100644
--- a/common/autoconf/generated-configure.sh --- a/common/autoconf/generated-configure.sh
+++ b/common/autoconf/generated-configure.sh +++ b/common/autoconf/generated-configure.sh
@@ -651,6 +651,9 @@ LLVM_CONFIG @@ -651,6 +651,9 @@ LLVM_CONFIG
@ -124,7 +124,7 @@ index e77ce854dc5..ec6e9b27ca5 100644
# #
# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
@@ -49290,6 +49351,157 @@ fi @@ -49304,6 +49365,157 @@ fi
LIBS="$save_LIBS" LIBS="$save_LIBS"
@ -1532,7 +1532,7 @@ index ffee2c1603b..98119479823 100644
"FIPS mode: KeyStore must be " + "FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName()); "from provider " + SunJSSE.cryptoProvider.getName());
diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
index cd0e9e98df9..fba760187c0 100644 index 820e10164fc..6fe2c29389f 100644
--- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java --- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@ import java.security.*; @@ -31,6 +31,7 @@ import java.security.*;
@ -1627,8 +1627,8 @@ index cd0e9e98df9..fba760187c0 100644
+ }; + };
+ } + }
return new ProtocolVersion[]{ return new ProtocolVersion[]{
ProtocolVersion.TLS13,
ProtocolVersion.TLS12, ProtocolVersion.TLS12,
ProtocolVersion.TLS11,
diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
index 2845dc37938..52337a7b6cf 100644 index 2845dc37938..52337a7b6cf 100644
--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java --- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@ -1659,7 +1659,7 @@ index 2845dc37938..52337a7b6cf 100644
"sun.security.ssl.SSLContextImpl$TLSContext"); "sun.security.ssl.SSLContextImpl$TLSContext");
if (isfips == false) { if (isfips == false) {
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index d3d64b3facd..bfe0c593adb 100644 index 7a93d4e6b59..681a24b905d 100644
--- a/jdk/src/share/lib/security/java.security-aix --- a/jdk/src/share/lib/security/java.security-aix
+++ b/jdk/src/share/lib/security/java.security-aix +++ b/jdk/src/share/lib/security/java.security-aix
@@ -287,6 +287,13 @@ package.definition=sun.,\ @@ -287,6 +287,13 @@ package.definition=sun.,\
@ -1677,7 +1677,7 @@ index d3d64b3facd..bfe0c593adb 100644
# Determines the default key and trust manager factory algorithms for # Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package. # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
index db610d4bfbb..9d1c8fe8a8e 100644 index 145a84f94cf..789c19a8cba 100644
--- a/jdk/src/share/lib/security/java.security-linux --- a/jdk/src/share/lib/security/java.security-linux
+++ b/jdk/src/share/lib/security/java.security-linux +++ b/jdk/src/share/lib/security/java.security-linux
@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider @@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
@ -1722,7 +1722,7 @@ index db610d4bfbb..9d1c8fe8a8e 100644
# Determines the default key and trust manager factory algorithms for # Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package. # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
index a919ba3d5cd..19047c61097 100644 index 35fa140d7a5..d4da666af3b 100644
--- a/jdk/src/share/lib/security/java.security-macosx --- a/jdk/src/share/lib/security/java.security-macosx
+++ b/jdk/src/share/lib/security/java.security-macosx +++ b/jdk/src/share/lib/security/java.security-macosx
@@ -290,6 +290,13 @@ package.definition=sun.,\ @@ -290,6 +290,13 @@ package.definition=sun.,\
@ -1740,7 +1740,7 @@ index a919ba3d5cd..19047c61097 100644
# Determines the default key and trust manager factory algorithms for # Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package. # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
index 86265ba5fb6..7eda556ae13 100644 index f79ba37ddb9..300132384a1 100644
--- a/jdk/src/share/lib/security/java.security-solaris --- a/jdk/src/share/lib/security/java.security-solaris
+++ b/jdk/src/share/lib/security/java.security-solaris +++ b/jdk/src/share/lib/security/java.security-solaris
@@ -288,6 +288,13 @@ package.definition=sun.,\ @@ -288,6 +288,13 @@ package.definition=sun.,\
@ -1758,7 +1758,7 @@ index 86265ba5fb6..7eda556ae13 100644
# Determines the default key and trust manager factory algorithms for # Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package. # the javax.net.ssl package.
diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
index 9b4bda23cbe..dfa1a669aa9 100644 index d70503ce95f..64db5a5cd1e 100644
--- a/jdk/src/share/lib/security/java.security-windows --- a/jdk/src/share/lib/security/java.security-windows
+++ b/jdk/src/share/lib/security/java.security-windows +++ b/jdk/src/share/lib/security/java.security-windows
@@ -290,6 +290,13 @@ package.definition=sun.,\ @@ -290,6 +290,13 @@ package.definition=sun.,\

View File

@ -1,125 +0,0 @@
# HG changeset patch
# User mbalao
# Date 1529971845 -28800
# Tue Jun 26 08:10:45 2018 +0800
# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc
# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff
8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
Reviewed-by: valeriep, weijun
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java
@@ -197,7 +197,7 @@
if (configDir != null) {
String configDirPath = null;
- String sqlPrefix = "sql:/";
+ String sqlPrefix = "sql:";
if (!configDir.startsWith(sqlPrefix)) {
configDirPath = configDir;
} else {
diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
--- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
+++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c
@@ -69,9 +69,14 @@
int res = 0;
FPTR_Initialize initialize =
(FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize");
+ #ifdef SECMOD_DEBUG
+ FPTR_GetError getError =
+ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError");
+ #endif // SECMOD_DEBUG
unsigned int flags = 0x00;
const char *configDir = NULL;
const char *functionName = NULL;
+ const char *configFile = NULL;
/* If we cannot initialize, exit now */
if (initialize == NULL) {
@@ -97,13 +102,18 @@
flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag
}
+ configFile = "secmod.db";
+ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) {
+ configFile = "pkcs11.txt";
+ }
+
/*
* If the NSS_Init function is requested then call NSS_Initialize to
* open the Cert, Key and Security Module databases, read only.
*/
if (strcmp("NSS_Init", functionName) == 0) {
flags = flags | 0x01; // NSS_INIT_READONLY flag
- res = initialize(configDir, "", "", "secmod.db", flags);
+ res = initialize(configDir, "", "", configFile, flags);
/*
* If the NSS_InitReadWrite function is requested then call
@@ -111,7 +121,7 @@
* read/write.
*/
} else if (strcmp("NSS_InitReadWrite", functionName) == 0) {
- res = initialize(configDir, "", "", "secmod.db", flags);
+ res = initialize(configDir, "", "", configFile, flags);
/*
* If the NSS_NoDB_Init function is requested then call
@@ -137,6 +147,13 @@
(*env)->ReleaseStringUTFChars(env, jConfigDir, configDir);
}
dprintf1("-res: %d\n", res);
+ #ifdef SECMOD_DEBUG
+ if (res == -1) {
+ if (getError != NULL) {
+ dprintf1("-NSS error: %d\n", getError());
+ }
+ }
+ #endif // SECMOD_DEBUG
return (res == 0) ? JNI_TRUE : JNI_FALSE;
}
diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
--- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
+++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
@@ -34,6 +34,10 @@
const char *certPrefix, const char *keyPrefix,
const char *secmodName, unsigned int flags);
+#ifdef SECMOD_DEBUG
+typedef int (*FPTR_GetError)(void);
+#endif //SECMOD_DEBUG
+
// in secmod.h
//extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
// PRBool recurse);
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
new file mode 100644
--- /dev/null
+++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt
@@ -0,0 +1,4 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java
+++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java
@@ -55,7 +55,7 @@
DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb";
if (useSqlite) {
- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR);
+ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR);
} else {
System.setProperty("pkcs11test.nss.db", DBDIR);
}
@@ -67,6 +67,7 @@
if (useSqlite) {
copyFile("key4.db", BASE, DBDIR);
copyFile("cert9.db", BASE, DBDIR);
+ copyFile("pkcs11.txt", BASE, DBDIR);
} else {
copyFile("secmod.db", BASE, DBDIR);
copyFile("key3.db", BASE, DBDIR);

View File

@ -1,18 +1,16 @@
commit c28417b0f421b80cd7efa339a3cce5609aafc880
Author: Andrew John Hughes <andrew@openjdk.org>
Date: Mon Apr 18 20:04:49 2022 +0100
Support security.systemCACerts security property which can be disabled with -Djava.security.disableSystemCACerts=true
PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)
PR3575: System cacerts database handling should not affect jssecacerts
RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds
diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
index e7b4763db53..4b38d1f9465 100644 index e7b4763db53..e8ec8467e6a 100644
--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java --- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
+++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java
@@ -68,7 +68,7 @@ final class TrustStoreManager { @@ -31,6 +31,7 @@ import java.security.*;
import java.security.cert.*;
import java.util.*;
import sun.security.action.*;
+import sun.security.tools.KeyStoreUtil;
import sun.security.validator.TrustStoreUtil;
/**
@@ -68,7 +69,7 @@ final class TrustStoreManager {
* The preference of the default trusted KeyStore is: * The preference of the default trusted KeyStore is:
* javax.net.ssl.trustStore * javax.net.ssl.trustStore
* jssecacerts * jssecacerts
@ -21,35 +19,29 @@ index e7b4763db53..4b38d1f9465 100644
*/ */
private static final class TrustStoreDescriptor { private static final class TrustStoreDescriptor {
private static final String fileSep = File.separator; private static final String fileSep = File.separator;
@@ -79,6 +79,11 @@ final class TrustStoreManager { @@ -76,7 +77,7 @@ final class TrustStoreManager {
defaultStorePath + fileSep + "cacerts"; GetPropertyAction.privilegedGetProperty("java.home") +
fileSep + "lib" + fileSep + "security";
private static final String defaultStore =
- defaultStorePath + fileSep + "cacerts";
+ KeyStoreUtil.getCacertsKeyStoreFile().getPath();
private static final String jsseDefaultStore = private static final String jsseDefaultStore =
defaultStorePath + fileSep + "jssecacerts"; defaultStorePath + fileSep + "jssecacerts";
+ /* Check system cacerts DB */
+ private static final boolean systemStoreOff =
+ privilegedGetBooleanProperty("java.security.disableSystemCACerts");
+ private static final String systemStore = (systemStoreOff ? defaultStore :
+ privilegedGetSecurityProperty("security.systemCACerts"));
// the trust store name @@ -139,6 +140,10 @@ final class TrustStoreManager {
private final String storeName;
@@ -139,28 +144,35 @@ final class TrustStoreManager {
String storePropPassword = System.getProperty( String storePropPassword = System.getProperty(
"javax.net.ssl.trustStorePassword", ""); "javax.net.ssl.trustStorePassword", "");
+ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { + if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+ SSLLogger.fine("System store disabled: " + systemStoreOff); + SSLLogger.fine("Default store: " + defaultStore);
+ SSLLogger.fine("System store: " + systemStore);
+ } + }
+ +
String temporaryName = ""; String temporaryName = "";
File temporaryFile = null; File temporaryFile = null;
long temporaryTime = 0L; long temporaryTime = 0L;
if (!"NONE".equals(storePropName)) { @@ -146,21 +151,22 @@ final class TrustStoreManager {
String[] fileNames = String[] fileNames =
- new String[] {storePropName, defaultStore}; new String[] {storePropName, defaultStore};
+ new String[] {storePropName,
+ systemStore, defaultStore};
for (String fileName : fileNames) { for (String fileName : fileNames) {
- File f = new File(fileName); - File f = new File(fileName);
- if (f.isFile() && f.canRead()) { - if (f.isFile() && f.canRead()) {
@ -84,62 +76,69 @@ index e7b4763db53..4b38d1f9465 100644
} }
} }
} else { } else {
@@ -390,4 +402,31 @@ final class TrustStoreManager {
return TrustStoreUtil.getTrustedCerts(ks);
}
}
+
+ private static String privilegedGetSecurityProperty(final String prop) {
+ if (System.getSecurityManager() == null) {
+ return Security.getProperty(prop);
+ } else {
+ return AccessController.doPrivileged(new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return Security.getProperty(prop);
+ }
+ });
+ }
+ }
+
+ /**
+ * Returns {@code true} if the {@code System} property is present and set to @{code "true"}.
+ *
+ * @param prop the name of the property to check.
+ * @return true if the property is present and set to {@code "true"}.
+ */
+ private static boolean privilegedGetBooleanProperty(final String prop) {
+ if (System.getSecurityManager() == null) {
+ return Boolean.getBoolean(prop);
+ } else {
+ return AccessController.doPrivileged(new GetBooleanAction(prop));
+ }
+ }
}
diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
index fcc77786da1..639fc220b6b 100644 index fcc77786da1..f554f83a8b4 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java --- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java
@@ -34,6 +34,7 @@ import java.io.InputStreamReader; @@ -33,7 +33,10 @@ import java.io.InputStreamReader;
import java.net.URL; import java.net.URL;
+import java.security.AccessController;
import java.security.KeyStore; import java.security.KeyStore;
+import java.security.PrivilegedAction;
+import java.security.Security; +import java.security.Security;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.text.Collator; import java.text.Collator;
@@ -103,9 +104,18 @@ public class KeyStoreUtil { @@ -54,6 +57,33 @@ public class KeyStoreUtil {
throws Exception
{ private static final String JKS = "jks";
String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep + private static final String PROP_NAME = "security.systemCACerts";
- + "lib" + sep + "security" + sep +
- + "cacerts"); + /**
+ * Returns the value of the security property propName, which can be overridden
+ * by a system property of the same name
+ *
+ * @param propName the name of the system or security property
+ * @return the value of the system or security property
+ */
+ @SuppressWarnings("removal")
+ public static String privilegedGetOverridable(String propName) {
+ if (System.getSecurityManager() == null) {
+ return getOverridableProperty(propName);
+ } else {
+ return AccessController.doPrivileged((PrivilegedAction<String>) () -> getOverridableProperty(propName));
+ }
+ }
+
+ private static String getOverridableProperty(String propName) {
+ String val = System.getProperty(propName);
+ if (val == null) {
+ return Security.getProperty(propName);
+ } else {
+ return val;
+ }
+ }
+
/**
* Returns true if the certificate is self-signed, false otherwise.
*/
@@ -96,20 +126,38 @@ public class KeyStoreUtil {
}
}
+ /**
+ * Returns the path to the cacerts DB
+ */
+ public static File getCacertsKeyStoreFile()
+ {
+ String sep = File.separator;
+ File file = null; + File file = null;
+ /* Check system cacerts DB first */ + /* Check system cacerts DB first, preferring system property over security property */
+ String systemDB = Security.getProperty("security.systemCACerts"); + String systemDB = privilegedGetOverridable(PROP_NAME);
+ boolean systemStoreOff = Boolean.getBoolean("java.security.disableSystemCACerts"); + if (systemDB != null && !"".equals(systemDB)) {
+ if (!systemStoreOff && systemDB != null && !"".equals(systemDB)) {
+ file = new File(systemDB); + file = new File(systemDB);
+ } + }
+ if (file == null || !file.exists()) { + if (file == null || !file.exists()) {
@ -147,9 +146,31 @@ index fcc77786da1..639fc220b6b 100644
+ + "lib" + sep + "security" + sep + + "lib" + sep + "security" + sep
+ + "cacerts"); + + "cacerts");
+ } + }
if (!file.exists()) { + if (file.exists()) {
return null; + return file;
} + }
+ return null;
+ }
+
/**
* Returns the keystore with the configured CA certificates.
*/
public static KeyStore getCacertsKeyStore()
throws Exception
{
- String sep = File.separator;
- File file = new File(System.getProperty("java.home") + sep
- + "lib" + sep + "security" + sep
- + "cacerts");
- if (!file.exists()) {
- return null;
- }
KeyStore caks = null;
+ File file = getCacertsKeyStoreFile();
+ if (file == null) { return null; }
try (FileInputStream fis = new FileInputStream(file)) {
caks = KeyStore.getInstance(JKS);
caks.load(fis, null);
diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
index bfe0c593adb..093bc09bf95 100644 index bfe0c593adb..093bc09bf95 100644
--- a/jdk/src/share/lib/security/java.security-aix --- a/jdk/src/share/lib/security/java.security-aix

View File

@ -1,66 +0,0 @@
diff --git a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
--- openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -61,13 +62,13 @@
private static void checkKeySize(int keysize)
throws InvalidParameterException {
- boolean supported = ((keysize == 2048) || (keysize == 3072) ||
+ boolean supported = ((keysize == 2048) || (keysize == 3072) || (keysize == 4096) ||
((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0)));
if (!supported) {
throw new InvalidParameterException(
"DH key size must be multiple of 64 and range " +
- "from 512 to 1024 (inclusive), or 2048, 3072. " +
+ "from 512 to 1024 (inclusive), or 2048, 3072, 4096. " +
"The specific key size " + keysize + " is not supported");
}
}
diff --git a/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java b/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
--- openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -58,7 +59,7 @@
*/
private enum Sizes {
two56(256), three84(384), five12(512), seven68(768), ten24(1024),
- twenty48(2048);
+ twenty48(2048), forty96(4096);
private final int intSize;
private final BigInteger bigIntValue;
@@ -130,6 +131,19 @@
kp = kpg.generateKeyPair();
checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
+ kpg.initialize(Sizes.forty96.getIntSize());
+ kp = kpg.generateKeyPair();
+ checkKeyPair(kp, Sizes.forty96, Sizes.twenty48);
+
+ publicKey = (DHPublicKey)kp.getPublic();
+ p = publicKey.getParams().getP();
+ g = publicKey.getParams().getG();
+
+ // test w/ all values specified
+ kpg.initialize(new DHParameterSpec(p, g, Sizes.ten24.getIntSize()));
+ kp = kpg.generateKeyPair();
+ checkKeyPair(kp, Sizes.forty96, Sizes.ten24);
+
System.out.println("OK");
}

View File

@ -23,6 +23,8 @@
%bcond_with artifacts %bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm %bcond_without fresh_libjvm
# Build with system libraries
%bcond_with system_libs
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm} %if %{with fresh_libjvm}
@ -31,6 +33,16 @@
%global build_hotspot_first 0 %global build_hotspot_first 0
%endif %endif
%if %{with system_libs}
%global system_libs 1
%global link_type system
%global jpeg_lib |libjavajpeg[.]so.*
%else
%global system_libs 0
%global link_type bundled
%global jpeg_lib |libjpeg[.]so.*
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info. # This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -150,11 +162,15 @@
# Build and test slowdebug first as it provides the best diagnostics # Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
%if 0%{?flatpak}
%global bootstrap_build false
%else
%ifarch %{bootstrap_arches} %ifarch %{bootstrap_arches}
%global bootstrap_build true %global bootstrap_build true
%else %else
%global bootstrap_build false %global bootstrap_build false
%endif %endif
%endif
%global bootstrap_targets images %global bootstrap_targets images
%global release_targets images docs-zip %global release_targets images docs-zip
@ -265,7 +281,7 @@
# New Version-String scheme-style defines # New Version-String scheme-style defines
%global majorver 8 %global majorver 8
# Standard JPackage naming and versioning defines. # Standard JPackage naming and versioning defines
%global origin openjdk %global origin openjdk
%global origin_nice OpenJDK %global origin_nice OpenJDK
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
@ -297,7 +313,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project openjdk %global shenandoah_project openjdk
%global shenandoah_repo shenandoah-jdk8u %global shenandoah_repo shenandoah-jdk8u
%global openjdk_revision jdk8u345-b01 %global openjdk_revision jdk8u362-b08
%global shenandoah_revision shenandoah-%{openjdk_revision} %global shenandoah_revision shenandoah-%{openjdk_revision}
# Define old aarch64/jdk8u tree variables for compatibility # Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project} %global project %{shenandoah_project}
@ -306,7 +322,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop files # Define IcedTea version used for SystemTap tapsets and desktop files
%global icedteaver 3.15.0 %global icedteaver 3.15.0
# Define current Git revision for the FIPS support patches # Define current Git revision for the FIPS support patches
%global fipsver 8e8bbf0ff74 %global fipsver 6d1aade0648
# e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04
%global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*}) %global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*})
@ -316,7 +332,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27 # eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
%global rpmrelease 2 %global rpmrelease 3
# Define milestone (EA for pre-releases, GA ("fcs") for releases) # Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1): # Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases, # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -356,8 +372,7 @@
# as to why some libraries *cannot* be excluded. In particular, # as to why some libraries *cannot* be excluded. In particular,
# these are: # these are:
# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so # libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* %global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
%global __provides_exclude ^(%{_privatelibs})$ %global __provides_exclude ^(%{_privatelibs})$
%global __requires_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$
@ -781,6 +796,7 @@ exit 0
%{_jvmdir}/%{jrelnk -- %{?1}} %{_jvmdir}/%{jrelnk -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts %{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream
%dir %{_jvmdir}/%{jredir -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}
%dir %{_jvmdir}/%{jredir -- %{?1}}/bin %dir %{_jvmdir}/%{jredir -- %{?1}}/bin
%dir %{_jvmdir}/%{jredir -- %{?1}}/lib %dir %{_jvmdir}/%{jredir -- %{?1}}/lib
@ -863,7 +879,11 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjaas_unix.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjava_crw_demo.so
%if %{system_libs}
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjavajpeg.so
%else
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjpeg.so
%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjdwp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsdt.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libjsig.so
@ -904,6 +924,7 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties %{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat %{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat
%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar
%{_jvmdir}/%{jredir -- %{?1}}/lib/management/* %{_jvmdir}/%{jredir -- %{?1}}/lib/management/*
%{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/* %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/*
@ -1104,9 +1125,8 @@ Provides: java%{?1} = %{epoch}:%{javaver}
Requires: ca-certificates Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ # Require javapackages-filesystem for ownership of /usr/lib/jvm/
Requires: javapackages-filesystem Requires: javapackages-filesystem
# Require zoneinfo data provided by tzdata-java subpackage. # 2022g required as of JDK-8297804
# 2022a required as of JDK-8283350 in 8u342 Requires: tzdata-java >= 2022g
Requires: tzdata-java >= 2022a
# for support of kernel stream control # for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand # libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa} Requires: lksctp-tools%{?_isa}
@ -1303,6 +1323,9 @@ Source16: CheckVendor.java
# nss fips configuration file # nss fips configuration file
Source17: nss.fips.cfg.in Source17: nss.fips.cfg.in
# Ensure translations are available for new timezones
Source18: TestTranslations.java
Source20: repackReproduciblePolycies.sh Source20: repackReproduciblePolycies.sh
# New versions of config files with aarch64 support. This is not upstream yet. # New versions of config files with aarch64 support. This is not upstream yet.
@ -1361,8 +1384,6 @@ Patch1001: fips-8u-%{fipsver}.patch
############################################# #############################################
# PR2737: Allow multiple initialization of PKCS11 libraries # PR2737: Allow multiple initialization of PKCS11 libraries
Patch5: pr2737-allow_multiple_pkcs11_library_initialisation_to_be_a_non_critical_error.patch Patch5: pr2737-allow_multiple_pkcs11_library_initialisation_to_be_a_non_critical_error.patch
# PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure (sync with IcedTea 2.x)
Patch504: rh1163501-increase_2048_bit_dh_upper_bound_fedora_infrastructure_in_dhparametergenerator.patch
# Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions # Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions
Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch
# RH1337583, PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings # RH1337583, PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings
@ -1422,14 +1443,12 @@ Patch202: jdk8035341-allow_using_system_installed_libpng.patch
# 8042159: Allow using a system-installed lcms2 # 8042159: Allow using a system-installed lcms2
Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch
Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
# JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 # JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
Patch581: jdk8257794-remove_broken_assert.patch Patch581: jdk8257794-remove_broken_assert.patch
############################################# #############################################
# #
# Patches appearing in 8u332 # Patches appearing in 8u362
# #
# This section includes patches which are present # This section includes patches which are present
# in the listed OpenJDK 8u release and should be # in the listed OpenJDK 8u release and should be
@ -1480,12 +1499,8 @@ BuildRequires: desktop-file-utils
BuildRequires: elfutils-devel BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel BuildRequires: fontconfig-devel
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gdb BuildRequires: gdb
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: libX11-devel BuildRequires: libX11-devel
BuildRequires: libXext-devel BuildRequires: libXext-devel
@ -1508,8 +1523,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
%ifarch %{zero_arches} %ifarch %{zero_arches}
BuildRequires: libffi-devel BuildRequires: libffi-devel
%endif %endif
# 2022a required as of JDK-8283350 in 8u342 # 2022g required as of JDK-8297804
BuildRequires: tzdata-java >= 2022a BuildRequires: tzdata-java >= 2022g
# Earlier versions have a bug in tree vectorization on PPC # Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8 BuildRequires: gcc >= 4.8.3-8
@ -1517,6 +1532,24 @@ BuildRequires: gcc >= 4.8.3-8
BuildRequires: systemtap-sdt-devel BuildRequires: systemtap-sdt-devel
%endif %endif
%if %{system_libs}
BuildRequires: giflib-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h
Provides: bundled(lcms2) = 2.10.0
# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in jdk/src/share/native/sun/awt/libpng/png.h
Provides: bundled(libpng) = 1.6.37
# We link statically against libstdc++ to increase portability
BuildRequires: libstdc++-static
%endif
# this is always built, also during debug-only build # this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder # when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}} %{java_rpo %{nil}}
@ -1805,14 +1838,18 @@ cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/
# OpenJDK patches # OpenJDK patches
%if %{system_libs}
# Remove libraries that are linked # Remove libraries that are linked
sh %{SOURCE12} sh %{SOURCE12}
%endif
# System library fixes # System library fixes
%if %{system_libs}
%patch201 %patch201
%patch202 %patch202
%patch203 %patch203
%patch204 %patch204
%endif
%patch1 %patch1
%patch3 %patch3
@ -1830,14 +1867,12 @@ sh %{SOURCE12}
# Upstreamable fixes # Upstreamable fixes
%patch502 %patch502
%patch504
%patch512 %patch512
%patch523 %patch523
%patch528 %patch528
%patch571 %patch571
%patch574 %patch574
%patch112 %patch112
%patch580
%patch581 %patch581
%patch113 %patch113
@ -1918,6 +1953,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file} sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file}
%build %build
# How many CPU's do we have? # How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1} export NUM_PROC=${NUM_PROC:-1}
@ -1954,12 +1990,20 @@ function buildjdk() {
local buildjdk=${2} local buildjdk=${2}
local maketargets="${3}" local maketargets="${3}"
local debuglevel=${4} local debuglevel=${4}
local link_opt=${5}
local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
# Variable used in hs_err hook on build failures # Variable used in hs_err hook on build failures
local top_builddir_abs_path=$(pwd)/${outputdir} local top_builddir_abs_path=$(pwd)/${outputdir}
echo "Using output directory: ${outputdir}"; echo "Using output directory: ${outputdir}";
if [ "x${link_opt}" = "xbundled" ] ; then
libc_link_opt="static";
else
libc_link_opt="dynamic";
fi
echo "Checking build JDK ${buildjdk} is operational..." echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version ${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}" echo "Using make targets: ${maketargets}"
@ -1990,12 +2034,14 @@ function buildjdk() {
--with-debug-level=${debuglevel} \ --with-debug-level=${debuglevel} \
--disable-sysconf-nss \ --disable-sysconf-nss \
--enable-unlimited-crypto \ --enable-unlimited-crypto \
--with-zlib=system \ --with-zlib=${link_opt} \
--with-libjpeg=system \ --with-giflib=${link_opt} \
--with-giflib=system \ %if %{with system_libs}
--with-libpng=system \ --with-libjpeg=${link_opt} \
--with-lcms=system \ --with-libpng=${link_opt} \
--with-stdc++lib=dynamic \ --with-lcms=${link_opt} \
%endif
--with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-asflags="$EXTRA_ASFLAGS" \ --with-extra-asflags="$EXTRA_ASFLAGS" \
@ -2064,8 +2110,13 @@ function installjdk() {
${imagepath}/jre/lib/security/java.security ${imagepath}/jre/lib/security/java.security
# Use system-wide tzdata # Use system-wide tzdata
rm ${imagepath}/jre/lib/tzdb.dat mv ${imagepath}/jre/lib/tzdb.dat{,.upstream}
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat
# Rename OpenJDK cacerts database
mv ${imagepath}/jre/lib/security/cacerts{,.upstream}
# Install cacerts symlink needed by some apps which hard-code the path
ln -sv %{cacerts_file} ${imagepath}/jre/lib/security
# add alt-java man page # add alt-java man page
pushd ${imagepath} pushd ${imagepath}
@ -2101,6 +2152,7 @@ builddir=%{buildoutputdir -- $suffix}
bootbuilddir=boot${builddir} bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- $suffix} installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir} bootinstalldir=boot${installdir}
link_opt="%{link_type}"
# Debug builds don't need same targets as release for # Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these # build speed-up. We also avoid bootstrapping these
@ -2114,13 +2166,13 @@ else
fi fi
if ${run_bootstrap} ; then if ${run_bootstrap} ; then
buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
installjdk ${bootbuilddir} ${bootinstalldir} installjdk ${bootbuilddir} ${bootinstalldir}
buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir} installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}} %{!?with_artifacts:rm -rf ${bootinstalldir}}
else else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir} installjdk ${builddir} ${installdir}
fi fi
@ -2151,10 +2203,6 @@ export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
# Check java launcher has no SSB mitigation # Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@ -2165,6 +2213,13 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif %endif
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
# Check translations are available for new timezones
$JAVA_HOME/bin/javac -d . %{SOURCE18}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
# Check debug symbols are present and can identify code # Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
@ -2635,6 +2690,65 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Fri Jan 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.362.b08-3
- Update to shenandoah-jdk8u352-b08 (GA)
- Update release notes for shenandoah-8u352-b08.
- Fix broken links and missing release notes in older releases.
- Drop RH1163501 patch which is not upstream or in 11, 17 & 19 packages and seems obsolete
- Patch was broken by inclusion of "JDK-8293554: Enhanced DH Key Exchanges"
- Patch was added for a specific corner case of a 4096-bit DH key on a Fedora host that no longer exists
- Fedora now appears to be using RSA and the JDK now supports ECC in preference to large DH keys
- Resolves: rhbz#2160111
* Wed Jan 11 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.362.b07-0.3.ea
- Update to shenandoah-jdk8u362-b07 (EA)
- Update release notes for shenandoah-8u362-b07.
- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
- Drop tzdata patches for 2022d & 2022e (JDK-8294357 & JDK-8295173) which are now upstream
- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
- Drop JDK-8255559/RH2124390 patch which is now upstream
- Resolves: rhbz#2150193
* Tue Jan 10 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.362.b01-0.3.ea
- Update to shenandoah-jdk8u362-b01 (EA)
- Update release notes for shenandoah-8u362-b01.
- Switch to EA mode for 8u362 pre-release builds.
- Drop JDK-8195607/PR3776/RH1760437 now this is upstream
- Related: rhbz#2150193
* Thu Nov 10 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b08-3
- Add backport of JDK-8255559 to fix file descriptor leak in XML code
- Resolves: rhbz#2124390
* Wed Oct 19 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b08-2
- Update to shenandoah-jdk8u352-b08 (GA)
- Update release notes for shenandoah-8u352-b08.
- Switch to GA mode for final release.
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Add test to ensure timezones can be translated
- Resolves: rhbz#2133695
* Wed Oct 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.352.b07-0.2.ea
- Update to shenandoah-jdk8u352-b07 (EA)
- Update release notes for shenandoah-8u352-b07.
- Switch to EA mode for 8u352 pre-release builds.
- Rebase FIPS patch against 8u352-b07
- Resolves: rhbz#2130612
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-5
- Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2048542
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-4
- Sync system cacerts support with RHEL 9, disabling using -Dsecurity.systemCACerts=
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Related: rhbz#2055274
* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:1.8.0.345.b01-3
- Disable copy-jdk-configs for Flatpak builds
- Fix flatpak builds by exempting them from bootstrap
- Resolves: rhbz#2102733
* Wed Aug 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-2 * Wed Aug 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.345.b01-2
- Update to shenandoah-jdk8u345-b01 (GA) - Update to shenandoah-jdk8u345-b01 (GA)
- Update release notes for 8u345-b01. - Update release notes for 8u345-b01.