Update to shenandoah-jdk8u372-b07 (GA)

Update release notes for shenandoah-8u372-b07.
Require tzdata 2023c due to inclusion of JDK-8305113 in 8u372-b07
Update generate_tarball.sh to add support for passing a boot JDK to the configure run
Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
Drop JDK-8275535/RH2053256 patch which is now upstream
Include JDK-8271199 backport early ahead of 8u382 (RH2175317)
Drop hack for difference in local and portable build version
Replace local copies of JDK portable binaries with build dependencies
Include the java-1.8.0-openjdk-portable.spec file with instructions on how to rebuild.
Remove duplicate use of README.md inside the *-src package (it is no longer about sources)
Use portable build on x86_32 now one is available

** This tarball is embargoed until 2023-04-18 @ 1pm PT. **

Resolves: rhbz#2185182
Resolves: rhbz#2189329
Resolves: rhbz#2188023

.gitignore

@@ -282,3 +282,4 @@
 /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.ppc64le.tar.xz
 /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.s390x.tar.xz
 /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.x86_64.tar.xz
+/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz

NEWS

@@ -3,6 +3,210 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 8u372 (2023-04-18):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u372
+
+* CVEs
+  - CVE-2023-21930
+  - CVE-2023-21937
+  - CVE-2023-21938
+  - CVE-2023-21939
+  - CVE-2023-21954
+  - CVE-2023-21967
+  - CVE-2023-21968
+* Security fixes
+  - JDK-8287404: Improve ping times
+  - JDK-8288436: Improve Xalan supports
+  - JDK-8294474: Better AES support
+  - JDK-8295304: Runtime support improvements
+  - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation
+  - JDK-8296676, JDK-8296622: Improve String platform support
+  - JDK-8296684: Improve String platform support
+  - JDK-8296692: Improve String platform support
+  - JDK-8296700: Improve String platform support
+  - JDK-8296832: Improve Swing platform support
+  - JDK-8297371: Improve UTF8 representation redux
+  - JDK-8298191: Enhance object reclamation process
+  - JDK-8298310: Enhance TLS session negotiation
+  - JDK-8298667: Improved path handling
+  - JDK-8299129: Enhance NameService lookups
+* New features
+  - JDK-8230305: Cgroups v2: Container awareness
+* Other changes
+  - JDK-6734341: REGTEST fails: SelectionAutoscrollTest.html
+  - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows
+  - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails
+  - JDK-7124238: [macosx] Font in BasicHTML document is bigger than it should be
+  - JDK-7124381: DragSourceListener.dragDropEnd() never been called on completion of dnd operation
+  - JDK-8039888: [TEST_BUG] keyboard garbage after javax/swing/plaf/windows/WindowsRootPaneUI/WrongAltProcessing/WrongAltProcessing.java
+  - JDK-8042098: [TESTBUG] Test sun/java2d/AcceleratedXORModeTest.java fails on Windows
+  - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled
+  - JDK-8072770: [TESTBUG] Some Introspector tests fail with a Java heap bigger than 4GB
+  - JDK-8075964: Test java/awt/Mouse/TitleBarDoubleClick/TitleBarDoubleClick.html fails intermittently with timeout error
+  - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing
+  - JDK-8142540: [TEST_BUG] Test sun/awt/dnd/8024061/bug8024061.java fails on ubuntu
+  - JDK-8156579: Two JavaBeans tests failed
+  - JDK-8156581: Cleanup of ProblemList.txt
+  - JDK-8159135: [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail
+  - JDK-8177560: @headful key can be removed from the tests for JavaSound
+  - JDK-8196196: Headful tests should not be run in headless mode
+  - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails
+  - JDK-8197408: Bad pointer comparison and small cleanup in os_linux.cpp
+  - JDK-8203485: [freetype] text rotated on 180 degrees is too narrow
+  - JDK-8205959: Do not restart close if errno is EINTR
+  - JDK-8216366: Add rationale to PER_CPU_SHARES define
+  - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails
+  - JDK-8228585: jdk/internal/platform/cgroup/TestCgroupMetrics.java - NumberFormatException because of large long values (memory limit_in_bytes)
+  - JDK-8229182: [TESTBUG] runtime/containers/docker/TestMemoryAwareness.java test fails on SLES12
+  - JDK-8229202: Docker reporting causes secondary crashes in error handling
+  - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy
+  - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation
+  - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos
+  - JDK-8234484: Add ability to configure third port for remote JMX
+  - JDK-8237479: 8230305 causes slowdebug build failure
+  - JDK-8239559: Cgroups: Incorrect detection logic on some systems
+  - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot
+  - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual
+  - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111
+  - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
+  - JDK-8242468: VS2019 build missing vcruntime140_1.dll
+  - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
+  - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java
+  - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible)
+  - JDK-8245654: Add Certigna Root CA
+  - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows
+  - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
+  - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+  - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota
+  - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
+  - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+  - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+  - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems
+  - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code
+  - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection
+  - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
+  - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes
+  - JDK-8257620: Do not use objc_msgSend_stret to get macOS version
+  - JDK-8262379: Add regression test for JDK-8257746
+  - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
+  - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics
+  - JDK-8270317: Large Allocation in CipherSuite
+  - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+  - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
+  - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc
+  - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
+  - JDK-8280048: Missing comma in copyright header
+  - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired
+  - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template
+  - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions
+  - JDK-8283277: ISO 4217 Amendment 171 Update
+  - JDK-8283606: Tests may fail with zh locale on MacOS
+  - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124
+  - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
+  - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
+  - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist
+  - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3
+  - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
+  - JDK-8287109: Distrust.java failed with CertificateExpiredException
+  - JDK-8287463: JFR: Disable TestDevNull.java on Windows
+  - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
+  - JDK-8289549: ISO 4217 Amendment 172 Update
+  - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun
+  - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u
+  - JDK-8292083: Detected container memory limit may exceed physical machine memory
+  - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory
+  - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present
+  - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
+  - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings
+  - JDK-8294307: ISO 4217 Amendment 173 Update
+  - JDK-8294767: 8u contains two copies of test/../FileUtils.java, one uses JDK9+ features
+  - JDK-8295322: Tests for JDK-8271459 were not backported to 11u
+  - JDK-8295952: Problemlist existing compiler/rtm tests also on x86
+  - JDK-8295982: Failure in sun/security/tools/keytool/WeakAlg.java - ks: The process cannot access the file because it is being used by another process
+  - JDK-8296239: ISO 4217 Amendment 174 Update
+  - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing
+  - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException
+  - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent
+  - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2
+  - JDK-8297329: [8u] hotspot needs to recognise VS2019
+  - JDK-8297739: Bump update version of OpenJDK: 8u372
+  - JDK-8297996: [8u] generated images are broken due to renaming of MSVC runtime DLL's
+  - JDK-8298027: Remove SCCS id's from awt jtreg tests
+  - JDK-8298307: Enable hotspot/tier1 for 32-bit builds in GHA for 8u
+  - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
+  - JDK-8299445: EndingDotHostname.java fails because of compilation errors
+  - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java
+  - JDK-8299548: Fix hotspot/test/runtime/Metaspace/MaxMetaspaceSizeTest.java in 8u
+  - JDK-8299804: Fix non-portable code in hotspot shell tests in 8u
+  - JDK-8300014: Some backports placed the tests in the wrong location
+  - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems
+  - JDK-8301122: [8u] Fix unreliable vs2010 download link
+  - JDK-8301143: [TESTBUG] jfr/event/sampling/TestNative was backported to JDK8u without proper native wrapper
+  - JDK-8301246: NPE in FcFontManager.getDefaultPlatformFont() on Linux without installed fontconfig
+  - JDK-8301332: [8u] Fix writing of test files after the cgroups v2 backport
+  - JDK-8301550: [8u] Enable additional linux build testing in GitHub
+  - JDK-8301620: [8u] some shell tests are passed but have unexpected operator errors
+  - JDK-8301760: Fix possible leak in SpNegoContext dispose
+  - JDK-8303408: [AIX] Broken jdk8u build after JDK-8266391
+  - JDK-8303828: [Solaris] Broken jdk8u build after JDK-8266391
+  - JDK-8304053: Revert os specific stubs for SystemMetrics
+  - JDK-8305113: (tz) Update Timezone Data to 2023c
+
+Notes on individual issues:
+===========================
+
+hotspot:
+core-libs:
+
+JDK-8305562: Cgroups v2: Container awareness
+============================================
+The HotSpot runtime code as well as the core libraries code in the JDK
+has been updated in order to detect a cgroup v2 host system when
+running OpenJDK within a Linux container.
+
+Since the 8u202 release of OpenJDK, the container detection code
+recognized cgroup v1 (legacy) host Linux systems. With 8u372 and later
+releases, both versions of the underlying cgroups pseudo filesystem
+will be detected and corresponding container limits applied to the
+OpenJDK runtime.
+
+Without this enhancement, OpenJDK would not apply container resource
+limits when running on a cgroup v2 Linux host system, but would use
+the underlying hosts' resource limits instead.
+
+client-libs/javax.swing:
+
+JDK-8296832: Improve Swing platform support
+===========================================
+Earlier OpenJDK releases would always render HTML object tags embedded in
+Swing HTML components. With this release, rendering only occurs when the
+new system property "swing.html.object" is set to true. By default, it
+is set to false.
+
+core-svc/javax.management:
+
+JDK-8234484: Added Ability to Configure Third Port for Remote JMX
+=================================================================
+A local access port can now be configured for JMX connections by
+setting the property `com.sun.management.jmxremote.local.port`. This
+local port was previously selected at random, which could lead to port
+collisions. The property works in the same way as the existing
+properties for configuring the remote access port
+(`com.sun.management.jmxremote.port`) and the RMI port
+(`com.sun.management.jmxremote.rmi.port`)
+
+security-libs/java.security:
+
+JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate
+==========================================================
+The following root certificate has been added to the cacerts truststore:
+
+Name: Certigna (Dhimyotis)
+Alias Name: certignarootca
+Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR
+
 New in release OpenJDK 8u362 (2023-01-17):
 ===========================================
 Live versions of these release notes can be found at:

README.md

@@ -1,8 +1,34 @@
-Package of LTS OpenJDK 8
-OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbore them. Currently it is build on openJDK 10. LTSs (next is 11) will go as separate packages. 
+OpenJDK 8 is a Long-Term Support (LTS) release of the Java platform.
 
-JDK8 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/8/ and is landing to your RHEL. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. 
+For a list of major changes in OpenJDK 8 (java-1.8.0-openjdk), see the
+upstream release page: https://openjdk.org/projects/jdk8/features
 
-See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
-See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
+# Rebuilding the OpenJDK package
 
+The OpenJDK packages are now created from a single build which is then
+packaged for different major versions of Red Hat Enterprise Linux
+(RHEL). This allows the OpenJDK team to focus their efforts on the
+development and testing of this single build, rather than having
+multiple builds which only differ by the platform they were built on.
+
+This does make rebuilding the package slightly more complicated than a
+normal package. Modifications should be made to the
+`java-1.8.0-openjdk-portable.specfile` file, which can be found with
+this README file in the source RPM or installed in the documentation
+tree by the `java-1.8.0-openjdk-headless` RPM.
+
+Once the modified `java-1.8.0-openjdk-portable` RPMs are built, they
+should be installed and will produce a number of tarballs in the
+`/usr/lib/jvm` directory. The `java-1.8.0-openjdk` RPMs can then be
+built, which will use these tarballs to create the usual RPMs found in
+RHEL. The `java-1.8.0-openjdk-portable` RPMs can be uninstalled once
+the desired final RPMs are produced.
+
+Note that the `java-1.8.0-openjdk.spec` file has a hard requirement on
+the exact version of java-1.8.0-openjdk-portable to use, so this will
+need to be modified if the version or rpmrelease values are changed in
+`java-1.8.0-openjdk-portable.specfile`.
+
+To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
+builds may be disabled using `--without fastdebug` and `--without
+slowdebug`.

generate_source_tarball.sh

@@ -10,7 +10,7 @@
 # PROJECT_NAME=openjdk
 # REPO_NAME=shenandoah-jdk8u
 # VERSION=HEAD
-# 
+#
 # They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set)
 
 # This script creates a single source tarball out of the repository
@@ -31,8 +31,8 @@ fi
 
 if [ "x${JCONSOLE_JS_PATCH}" != "x" ] ; then
     if [ ! -f "${JCONSOLE_JS_PATCH}" ] ; then
-	echo "You have specified the jconsole.js patch as ${JCONSOLE_JS_PATCH} but it does not exist. Exiting.";
-	exit 2;
+        echo "You have specified the jconsole.js patch as ${JCONSOLE_JS_PATCH} but it does not exist. Exiting.";
+        exit 2;
     fi
 else
     JCONSOLE_JS_PATCH=${JCONSOLE_JS_PATCH_DEFAULT}
@@ -53,29 +53,58 @@ if [ "x$1" = "xhelp" ] ; then
     echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
     echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
     echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
-    echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
+    echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
     echo "PR3822 - the path to the PR3822 patch to apply (optional; downloaded if unavailable)"
     echo "JCONSOLE_JS_PATCH - the path to a patch to fix non-availiability of jconsole.js (optional; defaults to ${JCONSOLE_JS_PATCH_DEFAULT})"
+    echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run"
     exit 1;
 fi
 
 
 if [ "x$VERSION" = "x" ] ; then
     echo "No VERSION specified"
-    exit -2
+    exit 2
 fi
 echo "Version: ${VERSION}"
-    
+
+NUM_VER=${VERSION##jdk-}
+RELEASE_VER=${NUM_VER%%+*}
+BUILD_VER=${NUM_VER##*+}
+MAJOR_VER=${RELEASE_VER%%.*}
+echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}"
+
+if [ "x$BOOT_JDK" = "x" ] ; then
+    echo "No boot JDK specified".
+    BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk;
+    echo -n "Checking for ${BOOT_JDK}...";
+    if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then
+        echo "Boot JDK found at ${BOOT_JDK}";
+    else
+        echo "Not found";
+        PREV_VER=$((${MAJOR_VER} - 1));
+        BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk;
+        echo -n "Checking for ${BOOT_JDK}...";
+        if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then
+            echo "Boot JDK found at ${BOOT_JDK}";
+        else
+            echo "Not found";
+            exit 4;
+        fi
+    fi
+else
+    echo "Boot JDK: ${BOOT_JDK}";
+fi
+
 # REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT
 if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then
     if [ "x$PROJECT_NAME" = "x" ] ; then
-	echo "No PROJECT_NAME specified"
-	exit -1
+        echo "No PROJECT_NAME specified"
+        exit 1
     fi
     echo "Project name: ${PROJECT_NAME}"
     if [ "x$REPO_NAME" = "x" ] ; then
-	echo "No REPO_NAME specified"
-	exit -3
+        echo "No REPO_NAME specified"
+        exit 3
     fi
     echo "Repository name: ${REPO_NAME}"
 fi
@@ -112,6 +141,7 @@ echo -e "\tFILE_NAME_ROOT: ${FILE_NAME_ROOT}"
 echo -e "\tREPO_ROOT: ${REPO_ROOT}"
 echo -e "\tPR3822: ${PR3822}"
 echo -e "\tJCONSOLE_JS_PATCH: ${JCONSOLE_JS_PATCH}"
+echo -e "\tBOOT_JDK: ${BOOT_JDK}"
 
 mkdir "${FILE_NAME_ROOT}"
 pushd "${FILE_NAME_ROOT}"
@@ -120,7 +150,7 @@ echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
 git clone -b ${VERSION} ${REPO_ROOT} openjdk
 
 pushd openjdk
-	
+
 # UnderlineTaglet.java has a BSD license with a field-of-use restriction, making it non-Free
 if [ -d langtools ] ; then
     echo "Removing langtools test case with non-Free license"
@@ -144,15 +174,15 @@ if [ -d jdk ]; then
 
     echo "Syncing EC list with NSS"
     if [ "x$PR3822" = "x" ] ; then
-	# get pr3822.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
-	# Do not push it or publish it
-	wget -O pr3822.patch https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3822-4curve.patch
-	echo "Applying ${PWD}/pr3822.patch"
-	git apply --stat --apply -v -p1 pr3822.patch
-	rm pr3822.patch
+        # get pr3822.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch
+        # Do not push it or publish it
+        wget -O pr3822.patch https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3822-4curve.patch
+        echo "Applying ${PWD}/pr3822.patch"
+        git apply --stat --apply -v -p1 pr3822.patch
+        rm pr3822.patch
     else
-	echo "Applying ${PR3822}"
-	git apply --stat --apply -v -p1 $PR3822
+        echo "Applying ${PR3822}"
+        git apply --stat --apply -v -p1 $PR3822
     fi;
 fi
 
@@ -166,11 +196,29 @@ popd
 # Generate .src-rev so build has knowledge of the revision the tarball was created from
 mkdir build
 pushd build
-sh ${PWD}/../openjdk/configure
+sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK}
 make store-source-revision
 popd
 rm -rf build
 
+# Remove commit checks
+echo "Removing $(find openjdk -name '.jcheck' -print)"
+find openjdk -name '.jcheck' -print0 | xargs -0 rm -r
+
+# Remove history and GHA
+echo "find openjdk -name '.hgtags'"
+find openjdk -name '.hgtags' -exec rm -v '{}' '+'
+echo "find openjdk -name '.hgignore'"
+find openjdk -name '.hgignore' -exec rm -v '{}' '+'
+echo "find openjdk -name '.gitattributes'"
+find openjdk -name '.gitattributes' -exec rm -v '{}' '+'
+echo "find openjdk -name '.gitignore'"
+find openjdk -name '.gitignore' -exec rm -v '{}' '+'
+echo "find openjdk -name '.git'"
+find openjdk -name '.git' -exec rm -rv '{}' '+'
+echo "find openjdk -name '.github'"
+find openjdk -name '.github' -exec rm -rv '{}' '+'
+
 echo "Compressing remaining forest"
 if [ "X$COMPRESSION" = "Xxz" ] ; then
     SWITCH=cJf

java-1.8.0-openjdk.spec

@@ -132,7 +132,7 @@
 # Set of architectures where we verify backtraces with gdb
 %global gdb_arches %{jit_arches} %{zero_arches}
 # Set of architectures for which we have a portable build
-%global portable_build_arches %{aarch64} %{power64} x86_64
+%global portable_build_arches %{aarch64} %{ix86} %{power64} x86_64
 
 # By default, we build a debug build during main build on JIT architectures
 %if %{with slowdebug}
@@ -338,7 +338,7 @@
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
 %global shenandoah_project      openjdk
 %global shenandoah_repo         shenandoah-jdk8u
-%global openjdk_revision        jdk8u362-b09
+%global openjdk_revision        jdk8u372-b07
 %global shenandoah_revision     shenandoah-%{openjdk_revision}
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project         %{shenandoah_project}
@@ -354,15 +354,11 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      4
+%global rpmrelease      2
 # Settings used by the portable build
-%global portablerelease 4
-%global portablesuffix el7openjdkportable
+%global portablerelease 2
+%global portablesuffix el8
 %global portablebuilddir /builddir/build/BUILD
-# Temporary override until we have the portable version in sync
-# b09 only contains some build fixes for RHEL 6 & Windows
-%global portablebuildver b08
-%global portableversion %{javaver}.%{updatever}.%{portablebuildver}
 
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
@@ -845,6 +841,8 @@ exit 0
 %license %{_jvmdir}/%{jredir -- %{?1}}/LICENSE
 %license %{_jvmdir}/%{jredir -- %{?1}}/THIRD_PARTY_README
 %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-1.%{majorver}.0-openjdk-portable.specfile
 %dir %{_jvmdir}/%{sdkdir -- %{?1}}
 %{_jvmdir}/%{jrelnk -- %{?1}}
 %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security
@@ -1190,7 +1188,6 @@ exit 0
 
 %define files_src() %{expand:
 %defattr(-,root,root,-)
-%doc README.md
 %{_jvmdir}/%{sdkdir -- %{?1}}/src.zip
 }
 
@@ -1404,9 +1401,6 @@ URL:      http://openjdk.java.net/
 # where the source is obtained from http://hg.openjdk.java.net/%%{project}/%%{repo}
 Source0: %{shenandoah_project}-%{shenandoah_repo}-%{shenandoah_revision}-4curve.tar.xz
 
-# Custom README for -src subpackage
-Source2:  README.md
-
 # Release notes
 Source7: NEWS
 
@@ -1443,70 +1437,22 @@ Source17: nss.fips.cfg.in
 # Ensure translations are available for new timezones
 Source18: TestTranslations.java
 
-Source20: repackReproduciblePolycies.sh
+Source21: repackReproduciblePolycies.sh
 
 # New versions of config files with aarch64 support. This is not upstream yet.
 Source100: config.guess
 Source101: config.sub
 
-# TODO: Portable packages are not yet available in buildroot
-# Temporarily add them as sources
-
-# aarch64
-Source1000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.aarch64.tar.xz
-Source1002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.aarch64.tar.xz
-Source1003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.aarch64.tar.xz
-Source1004: %{name}-portable-%{portableversion}-%{portablerelease}.portable.slowdebug.jdk.el.aarch64.tar.xz
-Source1006: %{name}-portable-%{portableversion}-%{portablerelease}.portable.fastdebug.jdk.el.aarch64.tar.xz
-
-# ppc64le
-Source2000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.ppc64le.tar.xz
-Source2002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.ppc64le.tar.xz
-Source2003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.ppc64le.tar.xz
-Source2004: %{name}-portable-%{portableversion}-%{portablerelease}.portable.slowdebug.jdk.el.ppc64le.tar.xz
-Source2006: %{name}-portable-%{portableversion}-%{portablerelease}.portable.fastdebug.jdk.el.ppc64le.tar.xz
-
-# s390x
-Source3000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.s390x.tar.xz
-Source3002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.s390x.tar.xz
-Source3003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.s390x.tar.xz
-
-# x86_64
-Source4000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.x86_64.tar.xz
-Source4002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.x86_64.tar.xz
-Source4003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.x86_64.tar.xz
-Source4004: %{name}-portable-%{portableversion}-%{portablerelease}.portable.slowdebug.jdk.el.x86_64.tar.xz
-Source4006: %{name}-portable-%{portableversion}-%{portablerelease}.portable.fastdebug.jdk.el.x86_64.tar.xz
+# Include portable spec and instructions on how to rebuild
+Source19: README.md
+Source20: java-1.%{majorver}.0-openjdk-portable.specfile
 
 # Setup variables to reference correct sources
-%ifarch %{aarch64}
-%global releasezip %{SOURCE1000}
-%global docszip %{SOURCE1002}
-%global misczip %{SOURCE1003}
-%global slowdebugzip %{SOURCE1004}
-%global fastdebugzip %{SOURCE1006}
-%endif
-%ifarch %{ppc64le}
-%global releasezip %{SOURCE2000}
-%global docszip %{SOURCE2002}
-%global misczip %{SOURCE2003}
-%global slowdebugzip %{SOURCE2004}
-%global fastdebugzip %{SOURCE2006}
-%endif
-%ifarch s390x
-%global releasezip %{SOURCE3000}
-%global docszip %{SOURCE3002}
-%global misczip %{SOURCE3003}
-%global slowdebugzip %{nil}
-%global fastdebugzip %{nil}
-%endif
-%ifarch x86_64
-%global releasezip %{SOURCE4000}
-%global docszip %{SOURCE4002}
-%global misczip %{SOURCE4003}
-%global slowdebugzip %{SOURCE4004}
-%global fastdebugzip %{SOURCE4006}
-%endif
+%global releasezip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.unstripped.jdk.%{_arch}.tar.xz
+%global docszip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.docs.%{_arch}.tar.xz
+%global misczip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.misc.%{_arch}.tar.xz
+%global slowdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.slowdebug.jdk.%{_arch}.tar.xz
+%global fastdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.fastdebug.jdk.%{_arch}.tar.xz
 
 ############################################
 #
@@ -1575,8 +1521,6 @@ Patch600: rh1750419-redhat_alt_java.patch
 Patch111: jdk8218811-perfMemory_linux.patch
 # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
 Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
-# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
-Patch113: jdk8275535-rh2053256-ldap_auth.patch
 
 #############################################
 #
@@ -1624,13 +1568,15 @@ Patch581: jdk8257794-remove_broken_assert.patch
 
 #############################################
 #
-# Patches appearing in 8u362
+# Patches appearing in 8u382
 #
 # This section includes patches which are present
 # in the listed OpenJDK 8u release and should be
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
+# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
 
 #############################################
 #
@@ -1697,12 +1643,17 @@ BuildRequires: unzip
 # For definitions and macros like jvmdir
 BuildRequires: javapackages-filesystem
 %ifarch %{portable_build_arches}
-# TODO: Portable packages are not yet available in buildroot
-#BuildRequires: %{name}-portable-unstripped = %{VERSION}
-#BuildRequires: %{name}-portable-docs = %{VERSION}
-#BuildRequires: %{name}-portable-misc = %{VERSION}
-#BuildRequires: %{name}-portable-devel-fastdebug = %{VERSION}
-#BuildRequires: %{name}-portable-devel-slowdebug = %{VERSION}
+%if %{include_normal_build}
+BuildRequires: java-1.%{majorver}.0-openjdk-portable-unstripped = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix}
+%endif
+%if %{include_fastdebug_build}
+BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix}
+%endif
+%if %{include_debug_build}
+BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix}
+%endif
+BuildRequires: java-1.%{majorver}.0-openjdk-portable-docs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix}
+BuildRequires: java-1.%{majorver}.0-openjdk-portable-misc = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix}
 %else
 # Require a boot JDK which doesn't fail due to RH1482244
 BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
@@ -1712,8 +1663,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
 BuildRequires: libffi
 BuildRequires: libffi-devel
 %endif
-# 2022g required as of JDK-8297804
-BuildRequires: tzdata-java >= 2022g
+# 2023c required as of JDK-8305113
+BuildRequires: tzdata-java >= 2023c
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
 
@@ -1982,8 +1933,6 @@ fi
 # For old patches
 ln -s %{top_level_dir_name} jdk8
 
-cp %{SOURCE2} .
-
 # replace outdated configure guess script
 #
 # the configure macro will do this too, but it also passes a few flags not
@@ -2028,7 +1977,6 @@ sh %{SOURCE12}
 %patch111
 %patch112
 %patch581
-%patch113
 
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
@@ -2037,6 +1985,8 @@ pushd %{top_level_dir_name}
 %patch1000 -p1
 # cacerts patch; must follow FIPS patch as it also alters java.security
 %patch539 -p1
+# 8u382 fix
+%patch2001 -p1
 popd
 
 # RPM-only fixes
@@ -2322,7 +2272,7 @@ for suffix in %{build_loop} ; do
     mkdir -p $(dirname ${installdir})
     mv %{name}* ${installdir}
     # Fix build paths in ELF files so it looks like we built them
-    portablenvr="%{name}-portable-%{portableversion}-%{portablerelease}.%{portablesuffix}.%{_arch}"
+    portablenvr="%{name}-portable-%{version}-%{portablerelease}.%{portablesuffix}.%{_arch}"
     for file in $(find ${installdir} -type f) ; do
         if file ${file} | grep -q 'ELF'; then
             %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file}
@@ -2534,7 +2484,7 @@ for suffix in %{build_loop} ; do
   miscdir=%{top_level_dir_name}/jdk/src/solaris/classes/sun/awt/X11
 %endif
 
-  # Install release notes
+  # Install release notes and rebuild instructions
   commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
   install -d -m 755 ${commondocdir}
 %ifarch %{portable_build_arches}
@@ -2542,6 +2492,7 @@ for suffix in %{build_loop} ; do
 %else
   cp -a %{SOURCE7} ${commondocdir}
 %endif
+  cp -a %{SOURCE19} %{SOURCE20} ${commondocdir}
 
   # Install the jdk
   pushd ${jdk_image}
@@ -2605,11 +2556,10 @@ if ! echo $suffix | grep -q "debug" ; then
   # Install Javadoc documentation
   install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
   cp -a ${docdir}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
+  built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip
 %ifarch %{portable_build_arches}
-  built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{portablebuildver}-docs.zip
   cp -a ${docdir}/$built_doc_archive  $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
 %else
-  built_doc_archive=`echo "jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip" | sed  s/slowdebug/debug/`
   cp -a %{installoutputdir -- $suffix}/bundles/$built_doc_archive  $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
 %endif
 fi
@@ -2658,7 +2608,7 @@ find $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/demo \
   | sed 's|^|%dir |' \
   >> %{name}-demo.files"$suffix"
 
-bash %{SOURCE20} $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix} %{javaver}
+bash %{SOURCE21} $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix} %{javaver}
 # https://bugzilla.redhat.com/show_bug.cgi?id=1183793
 touch -t 201401010000 $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/lib/security/java.security
 
@@ -2900,6 +2850,24 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Tue Apr 18 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.372.b07-2
+- Update to shenandoah-jdk8u372-b07 (GA)
+- Update release notes for shenandoah-8u372-b07.
+- Require tzdata 2023c due to inclusion of JDK-8305113 in 8u372-b07
+- Update generate_tarball.sh to add support for passing a boot JDK to the configure run
+- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
+- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
+- Drop JDK-8275535/RH2053256 patch which is now upstream
+- Include JDK-8271199 backport early ahead of 8u382 (RH2175317)
+- Drop hack for difference in local and portable build version
+- Replace local copies of JDK portable binaries with build dependencies
+- Include the java-1.8.0-openjdk-portable.spec file with instructions on how to rebuild.
+- Remove duplicate use of README.md inside the *-src package (it is no longer about sources)
+- Use portable build on x86_32 now one is available
+- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. **
+- Resolves: rhbz#2185182
+- Resolves: rhbz#2189329
+
 * Tue Feb 28 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.362.b09-4
 - Drop use of portable build on s390x due to libffi compatibility issue (needs libffi.so.6)
 - Related: rhbz#2150202

jdk8271199-rh2175317-custom_pkcs11_provider_support.patch

@@ -0,0 +1,167 @@
+commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99
+Author: Alexey Bakhtin <abakhtin@openjdk.org>
+Date:   Tue Apr 4 10:29:11 2023 +0000
+
+    8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
+    
+    Reviewed-by: andrew, mbalao
+    Backport-of: f6232982b91cb2314e96ddbde3984836a810a556
+
+diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
+index a79e97d7c74..5378446b97b 100644
+--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
++++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
+@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {
+     @Override
+     protected void engineInitVerify(PublicKey publicKey)
+             throws InvalidKeyException {
+-        if (!(publicKey instanceof RSAPublicKey)) {
++        if (publicKey instanceof RSAPublicKey) {
++            RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;
++            isPublicKeyValid(rsaPubKey);
++            this.pubKey = rsaPubKey;
++            this.privKey = null;
++            resetDigest();
++        } else {
+             throw new InvalidKeyException("key must be RSAPublicKey");
+         }
+-        this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
+-        this.privKey = null;
+-        resetDigest();
+     }
+ 
+     // initialize for signing. See JCA doc
+@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {
+     @Override
+     protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
+             throws InvalidKeyException {
+-        if (!(privateKey instanceof RSAPrivateKey)) {
++        if (privateKey instanceof RSAPrivateKey) {
++            RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
++            isPrivateKeyValid(rsaPrivateKey);
++            this.privKey = rsaPrivateKey;
++            this.pubKey = null;
++            this.random =
++                    (random == null ? JCAUtil.getSecureRandom() : random);
++            resetDigest();
++        } else {
+             throw new InvalidKeyException("key must be RSAPrivateKey");
+         }
+-        this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
+-        this.pubKey = null;
+-        this.random =
+-            (random == null? JCAUtil.getSecureRandom() : random);
+-        resetDigest();
+     }
+ 
+     /**
+@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {
+         }
+     }
+ 
++    /**
++     * Validate the specified RSAPrivateKey
++     */
++    private void isPrivateKeyValid(RSAPrivateKey prKey)  throws InvalidKeyException {
++        try {
++            if (prKey instanceof RSAPrivateCrtKey) {
++                RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;
++                if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {
++                    RSAKeyFactory.checkRSAProviderKeyLengths(
++                            crtKey.getModulus().bitLength(),
++                            crtKey.getPublicExponent());
++                } else {
++                    throw new InvalidKeyException(
++                            "Some of the CRT-specific components are not available");
++                }
++            } else {
++                RSAKeyFactory.checkRSAProviderKeyLengths(
++                        prKey.getModulus().bitLength(),
++                        null);
++            }
++        } catch (InvalidKeyException ikEx) {
++            throw ikEx;
++        } catch (Exception e) {
++            throw new InvalidKeyException(
++                    "Can not access private key components", e);
++        }
++        isValid(prKey);
++    }
++
++    /**
++     * Validate the specified RSAPublicKey
++     */
++    private void isPublicKeyValid(RSAPublicKey pKey)  throws InvalidKeyException {
++        try {
++            RSAKeyFactory.checkRSAProviderKeyLengths(
++                    pKey.getModulus().bitLength(),
++                    pKey.getPublicExponent());
++        } catch (InvalidKeyException ikEx) {
++            throw ikEx;
++        } catch (Exception e) {
++            throw new InvalidKeyException(
++                    "Can not access public key components", e);
++        }
++        isValid(pKey);
++    }
++
+     /**
+      * Validate the specified RSAKey and its associated parameters against
+      * internal signature parameters.
+      */
+-    private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
++    private void isValid(RSAKey rsaKey) throws InvalidKeyException {
+         try {
+             AlgorithmParameterSpec keyParams = rsaKey.getParams();
+             // validate key parameters
+@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {
+                 }
+                 checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
+             }
+-            return rsaKey;
+         } catch (SignatureException e) {
+             throw new InvalidKeyException(e);
+         }
+diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+index 6b219937981..b3c1fae9672 100644
+--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
++++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl
+         RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
+         // check all CRT-specific components are available, if any one
+         // missing, return a non-CRT key instead
+-        if ((key.getPublicExponent().signum() == 0) ||
+-            (key.getPrimeExponentP().signum() == 0) ||
+-            (key.getPrimeExponentQ().signum() == 0) ||
+-            (key.getPrimeP().signum() == 0) ||
+-            (key.getPrimeQ().signum() == 0) ||
+-            (key.getCrtCoefficient().signum() == 0)) {
++        if (checkComponents(key)) {
++            return key;
++        } else {
+             return new RSAPrivateKeyImpl(
+                 key.algid,
+                 key.getModulus(),
+-                key.getPrivateExponent()
+-            );
+-        } else {
+-            return key;
++                key.getPrivateExponent());
+         }
+     }
+ 
++    /**
++     * Validate if all CRT-specific components are available.
++     */
++    static boolean checkComponents(RSAPrivateCrtKey key) {
++        return !((key.getPublicExponent().signum() == 0) ||
++            (key.getPrimeExponentP().signum() == 0) ||
++            (key.getPrimeExponentQ().signum() == 0) ||
++            (key.getPrimeP().signum() == 0) ||
++            (key.getPrimeQ().signum() == 0) ||
++            (key.getCrtCoefficient().signum() == 0));
++    }
++
+     /**
+      * Generate a new key from the specified type and components.
+      * Returns a CRT key if possible and a non-CRT key otherwise.

jdk8275535-rh2053256-ldap_auth.patch

@@ -1,26 +0,0 @@
-diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-index cf4becb7db..4ab2ac0a31 100644
---- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
-@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-                     ctx = getLdapCtxFromUrl(
-                             r.getDomainName(), url, new LdapURL(u), env);
-                     return ctx;
-+                } catch (AuthenticationException e) {
-+                    // do not retry on a different endpoint to avoid blocking
-+                    // the user if authentication credentials are wrong.
-+                    throw e;
-                 } catch (NamingException e) {
-                     // try the next element
-                     lastException = e;
-@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
-         for (String u : urls) {
-             try {
-                 return getUsingURL(u, env);
-+            } catch (AuthenticationException e) {
-+                // do not retry on a different URL to avoid blocking
-+                // the user if authentication credentials are wrong.
-+                throw e;
-             } catch (NamingException e) {
-                 ex = e;
-             }

sources

@@ -1,20 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz) = 2ed16c616189e7872ecf36c82e86b551b1e6efc4d11a93264db856f01191875a82ddaec3363b5f8296ea225a9a8edf4c0e1504ff27d8474088ba0b2f6fc061d5
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.aarch64.tar.xz) = 7fce6dc8ebceb8e0806da8539f06d126fa4b688c5c9522aa93e9493103fa1bff0608de0edb264ce4a86b25fc9f89973f6a054d72e98529f68c49150395c72b98
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.ppc64le.tar.xz) = 2bac5b118490e76efb843dd4f0a9c96e478c85d46cd765becc7e2525cb39b9e6fde1c58a416cd3ddbc7df078e31ba037e742af6821f8a03bc207f5d4d4e66612
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.s390x.tar.xz) = 9158b158a189f36c9b58a3e24c7e3e24feeaa7e15d3dbca085b4f20689ec2874be5d8b9bebf2b76320f5e934bf16b42daaa743f5b27a7b3bf9ec39f156245b09
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.x86_64.tar.xz) = 7189898f419e83a83e242ed45b2bda70b5c1e69f0fcdfd8bf721f1e99a7cc24220912aa110385466da294bd15c294fc923ce6baf57c84ed2b021e8d56f5c503c
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.fastdebug.jdk.el.aarch64.tar.xz) = 949110664035f93eccd6f47b2d5df7e43bb26ce120c97ec8a56fffd2f6e68d7b6fe368e4661d6bb7669726c24a47ed21985865a2eafc911ddd27def7bd1ae955
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.fastdebug.jdk.el.ppc64le.tar.xz) = 13f5982dd99e99fc88e22cd604575ae7e4430caaee9c86ae7f8ab332d2bbfe4cd97a343da4a9ffe5eb685b00ccdb9cb03d38e2779d279717a3ba32b81608bc54
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.fastdebug.jdk.el.x86_64.tar.xz) = b0ee5f1ab913655860005c0aeac36afcf47811eb1c026b05ef2927695829d4fe6f99f1b038107c99b8d12039122a48d08a5ae1f291804f4b4b5dc19529c8f903
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.aarch64.tar.xz) = 5cfe934f17949d7c4dfbd0f825957039c85d544bd09004e1825f7cca0c5ce34a6dbccc34150bc7d87cee055d538a5ffb435a9accc335000fac7193696d4fe40b
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.ppc64le.tar.xz) = fd5511e78fabb85a1a73a3d8e7dfca50f36852d45e0f598bc9d9813056ea509e539dad0d10546291a7bfadae4ae2b1897cdb635949fb41a195649db757619644
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.s390x.tar.xz) = 41488ef06b28013c96a04ec5c932b2e37ce3580f2beddec70760216e84e6de69206f8ba370788f8e382af2e42380d13c8f598cbc0ef6148bebeb6caed15e6358
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.x86_64.tar.xz) = 7805e8c6647250198e7c41cfa8ef1aec8ed6f6cbf62d816e9bf161b5177fd1f3007bf247205dc2360e5026060eb44921f17111694dc93cafa1ebf4fdde697086
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.slowdebug.jdk.el.aarch64.tar.xz) = f79d6086eec6c751aca4a2ba22ca03a30a24dc8d10a0115fbc5a901e1a9c4fdfb7fc463ff0cdaddba0b9285ef25aa9ab7b1c8c0e772c06e53617741484e010c7
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.slowdebug.jdk.el.ppc64le.tar.xz) = 870a2de374d90d53e2078a930b6df3800001489b1bcd01a8014c227a9dd8be86ae1038a92ae65730ffeba08df88a085ab9b00c337f95e7577593ace3e67ca128
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.slowdebug.jdk.el.x86_64.tar.xz) = 35cef5ec1fdf04e6095c4cc018948e07616102d9f82db11e5ad0c3e0ddd0fbc83d4b2c134d47e6311650a91ee7301c5606b7657486c6a71c4c7982aac103f048
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.aarch64.tar.xz) = 0b83725711408fedf3bae3cfeb4a670312085982699da6510652d2f516729082dae3733e1736815a035a355d55af8c70407196fc8377b0fd8dccc062711d2d0d
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.ppc64le.tar.xz) = d8267a6f30a379181f461ce030a0b325e69dde89cbab7eba82ec8431227f2d982350b60ecf3380cafc1943696a8d17f477baab87b4c9a38a454543f5091841af
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.s390x.tar.xz) = bc80c58e6010f9722c932c4231e90c79b3285c6dc47fcffaeaf76839cd08e7602314d3648568354858c99f4b8163dc1cf3d4bf5e651dea8d715dde286a836c00
-SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.x86_64.tar.xz) = 0e4eed7f8d21473c07c4edd2cd764b659527676d5e8547403db60d2ca52a81567084f444b479bf1fa4f5cb3f863fce811d2be04d6608399f8fd5ab26b5720d00
+SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz) = afc1324463883404f22cea3c37177d7b6164fc4cf285d958e7ec21aba976dc306045296eadaa296a31795be6b543ca0b742e0ba074689c3e5a50b9956383934b